ADSS Server & MS Active Directory integration

Posted by Wahaj Khan on Sep 18, 2013 2:28:00 PM

ADSS Server v4.8+ supports clever integration with Active Directory and other LDAP-compliant directories, enabling seamless and automatic management of each user’s digital certificate, including generation, revocation and re-issuance.

ADSS Server and MS Active Directory integration benefits

This integration brings benefits for business applications such that each user can have easy access to a high trust key and digital certificate held within ADSS Server. Additionally, these can be used to create digital signatures on business documents and data.

Other Ascertia products, such as ADSS Client SDK (DotNet) and the ADSS Connector for SharePoint, make it easy to add digital signature creation and verification services to internal applications such as SharePoint and Dynamics or other ERP, CRM and ECM applications.

Simply by adding a user to Active Directory, they authenticate themselves to servers and applications within a domain and also immediately have a digital signature key and certificate made available to them.

When a user leaves, the Active Directory is updated and the user’s credential are automatically removed from the ADSS Server.

The advantage of using centrally held keys and certificates is that users can now sign wherever they are and whatever device they are on. The business world is becoming more heterogeneous with Windows, Mac, iPad and other tablets, and devices being used for document/ data review and approval.

ADSS Server & MS Active Directory integration key features:

The Active Directory Integration with ADSS Server provides these key services:

    1. Creation of user specific keys and digital certificates 
      The ADSS Server certification service can be configured to poll one or more Active Directory and/or LDAP directories and pull all objects of type 'Users'. These details are then used to handle key generation and digital certificate issuance for each user.

      The digital certificate’s subject common name (cn=) is set to the user's common name directory attribute. A unique certificate alias is generated based on the user's smeaccountname directory attribute and appended with the domain configured, for example {smeaccountname}

    2. Digital certificate re-issuance 
      The ADSS Server regularly checks all the issued digital certificates, and determines if any change in the common name directory attribute has occurred. If a change is found then it revokes the previously issued certificate, and issues a new one.

    3. Digital certificate revocation 
      The ADSS Server automatically scans the configured Active Directory and/or LDAP directories, to check if any of its known users have been deleted by checking the isDeleted directory attribute. If a user has been deleted then their digital certificate is immediately revoked.

      The ADSS Server also checks if any user directory accounts are marked as inactive by checking the userAccountControl directory attribute. If any inactive users are found then their digital certificate status is changed to suspended. If on a later scan a user's directory account is marked active, then the certificate has its status set to good.

This seamless Active Directory integration feature makes it very easy for SharePoint and Dynamics and other Windows applications, to gain access to high-trust credentials so that users can digitally sign documents and data. Without such security, there can be little trust in data and document authenticity, integrity or status.