Windows Vista Tips

Windows Vista Tips > Newsgroups > Windows Server > Active Directory > Authentication Mechanism Assurance


Authentication Mechanism Assurance

 
 
Venkat
03-26-2010
With Auth Mech Assurance enabled, what if a user's Certificate Linked Group
is provided access to a resource and the user is also a member of a normal
domain group which has restricted access to the same resource. Let me give an
example.

UserA - Member of: Auth Mech Assurance Group (linked to certificate)
- Member of Sales group (normal domain group)

Resource - \\Server1\HR Folder

Permissions - Modify permissions to Auth Mech Assurance group
- Read permission to Sales group

When UserA logs in using a smart card, what is the effective access right?
Modify / Read?


 
Paul Bergson [MVP-DS]
03-26-2010

When UserA logs on with a smartcard or cert, his access token will have
additional group(s) associated with the logon that are tied to the smartcard
or cert, thereby granting UserA additional access. So when UserA logs on
without the cert/card they will have read-only access, but will have
read/write with the cert/card.

http://technet.microsoft.com/en-us/l...47(WS.10).aspx

For example, assume a user named Tom has a smart card with a certificate
that was issued from a certificate issuance policy named Top Secret. If
authentication mechanism assurance is used to map certificates issued from
the Top Secret certificate issuance policy to provide membership in a
universal group named Top Secret Users, when Tom logs on using his smart
card, he receives an additional group membership indicating that he is a
member of Top Secret Users. Resource administrators can set permissions on
resources so that only members of Top Secret Users are granted access. This
means that when Tom logs on using his smart card, he can access resources
that grant access to Top Secret Users, but he cannot access those resources
when he logs on without using the smart card (for example, by typing a user
name and password).

--
Paul Bergson
MVP - Directory Services
MCITP - Enterprise Administrator
MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
2008, Vista, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewGroups. This
posting is provided "AS IS" with no warranties and confers no rights.
"Venkat" <> wrote in message
news:%...
> With Auth Mech Assurance enabled, what if a users Certificate Linked Group
> is provided access to a resource and the user is also a member of a normal
> domain group which is restricted access to the same resource. Let me give
> an ex.
>
> UserA - Member of: Auth Mech Assurange Group (linked to certificate)
> - Member of sales group (normal domain group)
>
> Resource - \\Server1\HR Folder
>
> Permissions - Modify permissions to Auth Mech Assurance group
> - Read permission to sales group
>
> When the userA logs in using smart card what is effective access right?
> Modify/ Read?
>



 
Reply With Quote
 
Venkat
03-26-2010
Thanks Paul!

How about an explicit Deny for a normal domain group of which Tom is a member
and write access to the Top Secret group?

So when Tom logs in using a smart card, will he be able to access the resource?

"Paul Bergson [MVP-DS]" <> wrote in message
news:...
> When UserA logs on with a smartcard or cert, his access token will have an
> additional group(s) associated with the logon that is tied to the
> smartcard or cert, thereby granting UserA additional access. So when
> UserA logs on without the cert/card they will have read only access, but
> will have read/write with the cert/card.
>
> http://technet.microsoft.com/en-us/l...47(WS.10).aspx
>
> For example, assume a user named Tom has a smart card with a certificate
> that was issued from a certificate issuance policy named Top Secret. If
> authentication mechanism assurance is used to map certificates issued from
> the Top Secret certificate issuance policy to provide membership in a
> universal group named Top Secret Users, when Tom logs on using his smart
> card, he receives an additional group membership indicating that he is a
> member of Top Secret Users. Resource administrators can set permissions on
> resources so that only members of Top Secret Users are granted access.
> This means that when Tom logs on using his smart card, he can access
> resources that grant access to Top Secret Users, but he cannot access
> those resources when he logs on without using the smart card (for example,
> by typing a user name and password).
>
> --
> Paul Bergson
> MVP - Directory Services
> MCITP - Enterprise Administrator
> MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
> 2008, Vista, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewGroups. This
> posting is provided "AS IS" with no warranties and confers no rights.
> "Venkat" <> wrote in message
> news:%...
>> With Auth Mech Assurance enabled, what if a users Certificate Linked
>> Group is provided access to a resource and the user is also a member of a
>> normal domain group which is restricted access to the same resource. Let
>> me give an ex.
>>
>> UserA - Member of: Auth Mech Assurange Group (linked to certificate)
>> - Member of sales group (normal domain group)
>>
>> Resource - \\Server1\HR Folder
>>
>> Permissions - Modify permissions to Auth Mech Assurance group
>> - Read permission to sales group
>>
>> When the userA logs in using smart card what is effective access right?
>> Modify/ Read?
>>

>
>



 
Reply With Quote
 
Paul Bergson [MVP-DS]
03-26-2010
The way I understand it, deny will supersede even if granted with the card.

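The two answers above describe how the logon token and the folder's DACL combine: the certificate-linked group is in the token only for a smart-card logon, and an explicit deny wins over any allow. The following Python model, added here as an illustration and not code from the thread or from Microsoft, walks a DACL the way the Windows access check does (explicit deny ACEs sit first in canonical order and block any bit they cover; allow ACEs accumulate the rest). Group names, the simplified READ/WRITE mask and both DACLs are constructed for the example.

```python
"""Simplified model of how Windows evaluates a DACL against a logon token.

Added example for this thread, not Microsoft's code. Group names stand in for
SIDs, the access mask is reduced to READ and WRITE, and Modify is treated as
both bits. Both DACLs and all group names are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set

READ = 0x1
WRITE = 0x2
MODIFY = READ | WRITE  # Modify on the folder is treated as read plus write


@dataclass(frozen=True)
class Ace:
    kind: str     # "allow" or "deny"
    trustee: str  # group (or user) name standing in for a SID
    mask: int     # access bits this ACE allows or denies


@dataclass(frozen=True)
class Token:
    user: str
    groups: FrozenSet[str]


def build_token(user: str, base_groups: Iterable[str],
                ama_groups: Iterable[str] = (), smart_card: bool = False) -> Token:
    """Build a logon token. With Authentication Mechanism Assurance the
    certificate-linked group(s) are added only when the logon used the card."""
    groups = set(base_groups)
    if smart_card:
        groups.update(ama_groups)
    return Token(user, frozenset(groups))


def access_check(token: Token, dacl: List[Ace], desired: int) -> bool:
    """Walk the DACL in order. In a canonical DACL explicit deny ACEs sort
    before allow ACEs, so a deny that matches any group in the token and
    covers a still-wanted bit wins before any allow is considered."""
    remaining = desired
    for ace in dacl:
        if ace.trustee != token.user and ace.trustee not in token.groups:
            continue  # ACE names a principal not present in this token
        if ace.kind == "deny" and ace.mask & remaining:
            return False  # explicit deny on a wanted bit: access denied
        if ace.kind == "allow":
            remaining &= ~ace.mask  # these bits are now granted
            if remaining == 0:
                return True  # everything requested has been granted
    return remaining == 0


def effective_rights(token: Token, dacl: List[Ace]) -> Set[str]:
    """Which simplified rights the token actually gets, checked bit by bit."""
    return {name for name, bit in (("read", READ), ("write", WRITE))
            if access_check(token, dacl, bit)}


# Scenario from the first question: Modify to the cert-linked group, Read to Sales.
HR_DACL_1 = [
    Ace("allow", "Auth Mech Assurance Group", MODIFY),
    Ace("allow", "Sales", READ),
]

# Scenario from the follow-up: explicit Deny write for Sales, Allow write for
# Top Secret Users. Canonical order puts the deny ACE first.
HR_DACL_2 = [
    Ace("deny", "Sales", WRITE),
    Ace("allow", "Top Secret Users", WRITE),
    Ace("allow", "Sales", READ),
]


def scenario_1(smart_card: bool) -> Set[str]:
    tok = build_token("UserA", {"Sales"}, {"Auth Mech Assurance Group"}, smart_card)
    return effective_rights(tok, HR_DACL_1)


def scenario_2(smart_card: bool) -> Set[str]:
    tok = build_token("Tom", {"Sales"}, {"Top Secret Users"}, smart_card)
    return effective_rights(tok, HR_DACL_2)


def scenario_2_noncanonical(smart_card: bool) -> Set[str]:
    """Same ACEs with the allow placed ahead of the deny (non-canonical
    order): the walk grants write before it ever reaches the deny."""
    dacl = [HR_DACL_2[1], HR_DACL_2[0], HR_DACL_2[2]]
    tok = build_token("Tom", {"Sales"}, {"Top Secret Users"}, smart_card)
    return effective_rights(tok, dacl)


if __name__ == "__main__":
    for card in (False, True):
        print(f"scenario 1, smart card={card}: {sorted(scenario_1(card))}")
        print(f"scenario 2, smart card={card}: {sorted(scenario_2(card))}")
        print(f"scenario 2 (allow before deny), smart card={card}: "
              f"{sorted(scenario_2_noncanonical(card))}")
```

scenario_1 reproduces the first question (read and write with the card, read only without); scenario_2 the follow-up, where the explicit deny on Sales blocks write even though Top Secret Users is allowed it. scenario_2_noncanonical shows why "deny wins" is really "deny is evaluated first": an allow ACE written ahead of the deny (the Explorer GUI will not produce that order, but scripts or raw SDDL can) grants write before the deny is reached, so testing effective access is a more reliable check than reading the ACEs off the dialog. The real access check also handles ownership, privileges and generic-to-specific right mapping, which this model leaves out.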



 
Venkat
03-26-2010
I believe that to be the case too.

Thanks Paul!

"Paul Bergson [MVP-DS]" <> wrote in message
news:...
> The way I understand it, deny will supercede even if granted with the
> card.
>
> --
> Paul Bergson
> MVP - Directory Services
> MCITP - Enterprise Administrator
> MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
> 2008, Vista, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewGroups. This
> posting is provided "AS IS" with no warranties and confers no rights.
> "Venkat" <> wrote in message
> news:%...
>> Thanks Paul!
>>
>> How abt an explict Deny for a normal domain group of which Tom is a
>> member of and a write access to the top secret group?
>>
>> So when tom logs in using smart card will he be able to access the
>> resource?
>>
>> "Paul Bergson [MVP-DS]" <> wrote in message
>> news:...
>>> When UserA logs on with a smartcard or cert, his access token will have
>>> an additional group(s) associated with the logon that is tied to the
>>> smartcard or cert, thereby granting UserA additional access. So when
>>> UserA logs on without the cert/card they will have read only access, but
>>> will have read/write with the cert/card.
>>>
>>> http://technet.microsoft.com/en-us/l...47(WS.10).aspx
>>>
>>> For example, assume a user named Tom has a smart card with a certificate
>>> that was issued from a certificate issuance policy named Top Secret. If
>>> authentication mechanism assurance is used to map certificates issued
>>> from the Top Secret certificate issuance policy to provide membership in
>>> a universal group named Top Secret Users, when Tom logs on using his
>>> smart card, he receives an additional group membership indicating that
>>> he is a member of Top Secret Users. Resource administrators can set
>>> permissions on resources so that only members of Top Secret Users are
>>> granted access. This means that when Tom logs on using his smart card,
>>> he can access resources that grant access to Top Secret Users, but he
>>> cannot access those resources when he logs on without using the smart
>>> card (for example, by typing a user name and password).
>>>
>>> --
>>> Paul Bergson
>>> MVP - Directory Services
>>> MCITP - Enterprise Administrator
>>> MCTS, MCT, MCSE, MCSA, MCP, Security +, BS CSci
>>> 2008, Vista, 2003, 2000 (Early Achiever), NT4
>>> Microsoft's Thrive IT Pro of the Month - June 2009
>>>
>>> http://www.pbbergs.com
>>>
>>> Please no e-mails, any questions should be posted in the NewGroups.
>>> This
>>> posting is provided "AS IS" with no warranties and confers no rights.
>>> "Venkat" <> wrote in message
>>> news:%...
>>>> With Auth Mech Assurance enabled, what if a users Certificate Linked
>>>> Group is provided access to a resource and the user is also a member of
>>>> a normal domain group which is restricted access to the same resource.
>>>> Let me give an ex.
>>>>
>>>> UserA - Member of: Auth Mech Assurange Group (linked to certificate)
>>>> - Member of sales group (normal domain group)
>>>>
>>>> Resource - \\Server1\HR Folder
>>>>
>>>> Permissions - Modify permissions to Auth Mech Assurance group
>>>> - Read permission to sales group
>>>>
>>>> When the userA logs in using smart card what is effective access right?
>>>> Modify/ Read?
>>>>
>>>
>>>

>>
>>

>
>



 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
No AuthIP user authentication of Ping with IPSec? Beth Swathmore Server Security 0 02-13-2010 04:29 PM
Authentication problems when DC is down Jeff Graves Active Directory 7 01-08-2010 08:18 PM
Re: Pass-through authentication across external trust Marcin Active Directory 0 11-06-2009 10:06 PM
sbs 2008 not sending out reports donmc Windows Small Business Server 6 11-01-2009 10:49 AM
Certificated based authentication and ISA server Jan Aagaard ActiveSync 1 05-23-2006 09:49 PM



1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59