Microsoft KB Archive/258048

= Windows 2000 Certificate Services and X.500 Compliant Certificate Authorities =

Article ID: 258048

Article Last Modified on 2/27/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q258048



SUMMARY
This article describes the situation where a client presents a certificate issued by an X.500-compliant Certificate Authority (CA) to a Windows 2000 server.



MORE INFORMATION
The Windows 2000 Active Directory is based upon X.500, but does not implement the full Directory Access Protocol (DAP) described by the X.500 standard. Instead, clients use the Lightweight Directory Access Protocol (LDAP) to access Active Directory. Additionally, Windows 2000 uses only a subset of the naming attributes for a directory object defined in RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names.

The LDAP naming attributes used by Windows 2000 Active Directory are:

Other naming attributes that are defined by RFC 2253, while not used by Active Directory, are supported by the Microsoft LDAP protocol implementation. These other naming attributes include "o" for Organization name and "c" for country/region name. If a client presents a certificate to Windows 2000 that was issued by a non-Windows 2000 CA, the CRL Distribution Point (CDP) field may contain an LDAP path that includes the unused naming attributes discussed above (for example, LDAP://ServerName/CN=crlDate,O=xyz,C=US). As long as a full LDAP URL is used (the LDAP:// prefix is included), the CDP field path can be processed. If the field instead contains a raw X.500 name (for example, CN=crlDate,O=xyz,C=US), certificate validation does not work, because Windows 2000 cannot convert a raw X.500 name into an LDAP URL.
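The distinction above (full LDAP URL versus raw X.500 name, and which naming attributes the DN carries) is easy to check before a certificate from a third-party CA is deployed against Windows 2000. The following script is an added example, not code from Microsoft or from this article: it contains a small RFC 2253 DN parser (backslash and hex escapes, quoted values, and "+" multi-valued RDNs) and a classifier that reports whether a CDP value is an LDAP URL or a raw X.500 name, which naming attribute types it uses, and whether the article says Windows 2000 can process it. The set of "non-AD" attribute types is limited to "o" and "c", the two the article names; the function names, the CdpCheck record and the sample values are all constructed for this example.

```python
"""Classify CRL Distribution Point (CDP) strings the way this article describes:
a full LDAP:// URL is processable by Windows 2000, a raw X.500 name is not.
Example code added to this page; not Microsoft's implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, unquote

# Naming attributes the article says RFC 2253 defines but Active Directory does not use.
NON_AD_NAMING_ATTRS = {"O", "C"}
HEX = "0123456789abcdefABCDEF"

RDN = List[Tuple[str, str]]


def parse_dn(dn: str) -> List[RDN]:
    """Parse an RFC 2253 string DN into a list of RDNs (each a list of (type, value)).
    Simplified parser: handles '\\x' escapes, '\\hh' hex escapes, '"quoted"' values,
    ',' or ';' as RDN separators and '+' inside a multi-valued RDN."""
    rdns: List[RDN] = []
    rdn: RDN = []
    buf: List[str] = []
    attr_type: Optional[str] = None
    in_quotes = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\":
            if i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # \2C -> ','
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])  # \, \+ \" etc.
                i += 2
            else:
                raise ValueError("dangling backslash in DN: %r" % dn)
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch == "=" and attr_type is None:
            attr_type = "".join(buf).strip()
            buf = []
        elif not in_quotes and ch in ",;+":
            if attr_type is None:
                raise ValueError("RDN without '=' in DN: %r" % dn)
            rdn.append((attr_type, "".join(buf)))
            buf, attr_type = [], None
            if ch != "+":  # ',' or ';' closes the RDN; '+' continues it
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    if attr_type is None:
        raise ValueError("not an attribute=value DN: %r" % dn)
    rdn.append((attr_type, "".join(buf)))
    rdns.append(rdn)
    return rdns


@dataclass
class CdpCheck:
    kind: str                        # "ldap_url", "raw_x500" or "other"
    host: Optional[str]              # LDAP server from the URL, if any
    rdns: List[RDN]                  # parsed DN, if any
    attribute_types: List[str]       # naming attribute types in DN order
    non_ad_attribute_types: List[str]  # those the article says AD does not use
    processable: Optional[bool]      # None: the article makes no statement
    reason: str


def classify_cdp(value: str) -> CdpCheck:
    """Apply the article's rule to one CDP string."""
    text = value.strip()
    if text[:7].lower() == "ldap://":
        parts = urlsplit(text)
        dn_text = unquote(parts.path.lstrip("/"))  # DN sits before the first '?'
        rdns = parse_dn(dn_text) if dn_text else []
        types = [t for rdn in rdns for t, _ in rdn]
        non_ad = sorted({t for t in types if t.upper() in NON_AD_NAMING_ATTRS}, key=types.index)
        return CdpCheck("ldap_url", parts.netloc, rdns, types, non_ad, True,
                        "full LDAP URL; Windows 2000 can process the path even with "
                        "non-AD naming attributes such as o/c")
    if "://" in text:
        return CdpCheck("other", None, [], [], [], None,
                        "not an LDAP URL or X.500 name; this article does not cover it")
    try:
        rdns = parse_dn(text)
    except ValueError:
        return CdpCheck("other", None, [], [], [], None, "unrecognised CDP value")
    types = [t for rdn in rdns for t, _ in rdn]
    non_ad = sorted({t for t in types if t.upper() in NON_AD_NAMING_ATTRS}, key=types.index)
    return CdpCheck("raw_x500", None, rdns, types, non_ad, False,
                    "raw X.500 name; Windows 2000 cannot convert it into an LDAP URL, "
                    "so certificate validation fails")


if __name__ == "__main__":
    # The two CDP forms quoted in the article, used here as constructed sample input.
    for sample in ("LDAP://ServerName/CN=crlDate,O=xyz,C=US", "CN=crlDate,O=xyz,C=US"):
        check = classify_cdp(sample)
        print(sample, "->", check.kind, "processable=%s" % check.processable, check.reason)
```

Run it against the CDP values extracted from a third-party certificate (for example from a `certutil -dump` listing) to see in advance whether Windows 2000 will be able to fetch the CRL; a `raw_x500` verdict means the issuing CA should be reconfigured to publish a full LDAP:// URL in the CDP extension.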

Keywords: kbinfo kbnetwork KB258048


© Microsoft Corporation. All rights reserved.