
This document describes the Policy Module behavior depending on the incoming request and the module configuration.

SID Policy Module enforces its logic only when the following pre-conditions are met:

  • The native/underlying policy module does not deny the request. If the native policy module denies the request, the request is denied. This behavior cannot be changed.
  • The template is an offline template, i.e. it accepts the subject from the incoming request. If the template builds the subject from Active Directory, SID Policy Module forwards the native policy module result back to the CA and does not evaluate or modify the original request.

The following table provides information about columns used in subsequent tables, their descriptions and applicable values:

| Column name | Description | Possible values |
|---|---|---|
| CSR has SID Ext | Specifies whether the incoming request contains the SID extension. | Yes<br>No |
| CSR has SID in SAN | Specifies whether the incoming request contains a SID value as part of the SAN extension. See SAN URI for Certificate Strong Mapping for KB5014754 for more information. | Yes<br>No |
| Trusted SID Policy | Specifies the Trusted SID policy configuration. This setting applies when the incoming request matches any Template/Requester map entry. | `*` — any setting<br>PassThrough<br>Pending<br>Suppress<br>Deny |
| Untrusted SID Policy | Specifies the Untrusted SID policy configuration. This setting applies when the incoming request doesn't match any Template/Requester map entry. | `*` — any setting<br>PassThrough<br>Pending<br>Suppress<br>Deny |
| Request Result | Specifies the request issuance result. | Native — the native/underlying policy module result (Issue, Pending).<br>Pending — overrides the native/underlying policy module result and puts the request into the pending state.<br>Deny — overrides the native/underlying policy module result and denies the request. |
| SID Extension | Specifies the SID extension state in the resulting certificate. | `*` — does not apply, the request is denied.<br>Unchanged — the SID extension from the request (if present) is passed as is to the issued certificate.<br>Overwrite — the SID extension value from the request is discarded and overwritten by this policy module.<br>Disable — forcibly disables (removes) the SID extension in the request. |
| SAN Extension | Specifies the SAN extension state in the issued certificate. | `*` — does not apply, the request is denied.<br>Unchanged — the SAN extension from the request (if present) is passed as is to the issued certificate.<br>Truncate — modifies the SAN extension in the incoming request by removing the SID value (URL name type) name. If the SID value is the only entry in the SAN extension, the SAN extension is forcibly disabled. |

## Behaviors

This section describes the Policy Module behavior depending on the incoming request conditions and the module configuration, given that the incoming CSR passed the global pre-conditions.

### Request does not match any Template/Requester map entry

In this case, Untrusted SID Policy setting is enforced as follows:

| CSR has SID Ext | CSR has SID in SAN | Untrusted SID Policy | Request Result | SID Extension | SAN Extension |
|---|---|---|---|---|---|
| No | No | * | Native | Unchanged | Unchanged |
| Yes | No | PassThrough | Native | PassThrough | Unchanged |
| No | Yes | PassThrough | Native | Unchanged | PassThrough |
| Yes | Yes | PassThrough | Native | PassThrough | PassThrough |
| Yes | No | Pending | Pending | PassThrough | Unchanged |
| No | Yes | Pending | Pending | Unchanged | PassThrough |
| Yes | Yes | Pending | Pending | PassThrough | PassThrough |
| Yes | No | Suppress | Native | Disable | Unchanged |
| No | Yes | Suppress | Native | Unchanged | Truncate |
| Yes | Yes | Suppress | Native | Disable | Truncate |
| Yes | No | Deny | Deny | * | * |
| No | Yes | Deny | Deny | * | * |
| Yes | Yes | Deny | Deny | * | * |

### Request matches at least one entry in the Template/Requester map table and the target principal was not resolved

SID Policy Module attempts to find the target identity from the incoming request's SAN extension. If the template subject is a user, at least one UPN entry in the SAN extension is expected. If the template subject is a machine (computer), at least one entry of the dnsName name type is expected. In both cases, only the first occurrence of the matching name type is evaluated.

The following table outlines the SID Policy Module behavior when the target identity was not resolved, for whatever reason. The behavior is identical to the table in the previous section, with the only difference that the Trusted SID Policy configuration is evaluated instead of the Untrusted one.

| CSR has SID Ext | CSR has SID in SAN | Trusted SID Policy | Request Result | SID Extension | SAN Extension |
|---|---|---|---|---|---|
| No | No | * | Native | Unchanged | Unchanged |
| Yes | No | PassThrough | Native | PassThrough | Unchanged |
| No | Yes | PassThrough | Native | Unchanged | PassThrough |
| Yes | Yes | PassThrough | Native | PassThrough | PassThrough |
| Yes | No | Pending | Pending | PassThrough | Unchanged |
| No | Yes | Pending | Pending | Unchanged | PassThrough |
| Yes | Yes | Pending | Pending | PassThrough | PassThrough |
| Yes | No | Suppress | Native | Disable | Unchanged |
| No | Yes | Suppress | Native | Unchanged | Truncate |
| Yes | Yes | Suppress | Native | Disable | Truncate |
| Yes | No | Deny | Deny | * | * |
| No | Yes | Deny | Deny | * | * |
| Yes | Yes | Deny | Deny | * | * |

### Request matches at least one entry in the Template/Requester map table and the target principal was successfully resolved

This section outlines the SID Policy Module behavior when all conditions are passed and the target identity was successfully resolved. In this case, the SID extension value in the request is discarded and overwritten by the SID value retrieved from Active Directory, regardless of what the requester supplied.

| CSR has SID in SAN | Request Result | SID Extension | SAN Extension |
|---|---|---|---|
| No | Native | Overwrite | Unchanged |
| Yes | Native | Overwrite | Truncate |
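The pre-conditions and the three behavior tables above collapse into one decision function. The following Python is an added illustration of that logic, not the module's own code; it assumes the native policy module result is passed in as a string ("Issue", "Pending" or "Deny"), and it reports "PassThrough" in the extension columns as "Unchanged", which is the value the column definitions give for an extension that is passed as is.

```python
# Decision logic of the SID Policy Module behavior tables (added illustration,
# not the module's own code). Extension states follow the column definitions:
# "Unchanged", "Overwrite", "Disable", "Truncate", or "*" when the request is denied.

POLICIES = ("PassThrough", "Pending", "Suppress", "Deny")


def evaluate(*, has_sid_ext, has_sid_in_san, matches_map, principal_resolved,
             trusted_policy, untrusted_policy, native_result="Issue",
             online_template=False):
    """Return (request_result, sid_extension, san_extension).

    native_result is the underlying policy module's decision and is returned
    as-is wherever the tables say "Native".
    """
    if native_result == "Deny":                 # pre-condition 1: native deny is final
        return ("Deny", "*", "*")
    if online_template:                         # pre-condition 2: subject built from AD
        return (native_result, "Unchanged", "Unchanged")
    if matches_map and principal_resolved:      # trusted request, identity found in AD:
        return (native_result, "Overwrite",     # requester-supplied SID is never trusted
                "Truncate" if has_sid_in_san else "Unchanged")
    if not has_sid_ext and not has_sid_in_san:  # nothing to enforce (the "*" rows)
        return (native_result, "Unchanged", "Unchanged")
    # Which configured policy applies depends only on the Template/Requester map match.
    policy = trusted_policy if matches_map else untrusted_policy
    if policy not in POLICIES:
        raise ValueError(f"unknown SID policy: {policy!r}")
    if policy == "Deny":
        return ("Deny", "*", "*")
    if policy == "Pending":                     # SID material kept, operator review required
        return ("Pending", "Unchanged", "Unchanged")
    if policy == "Suppress":                    # strip requester-supplied SID material
        return (native_result,
                "Disable" if has_sid_ext else "Unchanged",
                "Truncate" if has_sid_in_san else "Unchanged")
    return (native_result, "Unchanged", "Unchanged")  # PassThrough


if __name__ == "__main__":
    # Constructed sample: unmapped requester sends a SID extension, untrusted policy is Suppress.
    print(evaluate(has_sid_ext=True, has_sid_in_san=False, matches_map=False,
                   principal_resolved=False, trusted_policy="PassThrough",
                   untrusted_policy="Suppress"))
```

Each row of the tables corresponds to one combination of keyword arguments, so the function can be used to check a planned Trusted/Untrusted configuration against the request shapes you expect before deploying it.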