Getting the Username from a certificate

  • Question

  • If certificates are being used to log in users during Windows logon, is there a way to retrieve the username of a particular user if I'm only supplied with a certificate (*.cer file)?
    The OS must be making a translation from certificate to Username during logon. How could I do that programmatically?
    • Moved by Helen Zhao Wednesday, July 11, 2012 6:04 AM (From:Visual C++ General)
    Tuesday, July 10, 2012 10:45 AM

All replies

  • Hi crogger,

    you can use CryptoAPI for that task:

    1) call CertCreateCertificateContext to create a certificate context from an encoded certificate

    2) get the subject name from the certificate by using CertGetNameString

    3) If you need additional certificate properties, call CertGetCertificateContextProperty


    Here is the reference for CryptoAPI, including certificate management:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa380252(v=vs.85).aspx


    Check some examples here:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa388156(v=vs.85).aspx

     

    Tuesday, July 10, 2012 11:39 AM
  • Does the CN value in the certificate's subject field necessarily have to be identical to a user's username? I mean, is there some kind of database with mappings which I could query?
    Tuesday, July 10, 2012 12:30 PM
  • The CN 'should' be the same as the user name. Also, the certificate can contain the user principal name (UPN) in the certificate subject alternative name (SAN); you can use that in order to compare it with the SAM Account Name.

    Not sure what task you're trying to perform; I don't want to misguide you.

    Tuesday, July 10, 2012 1:46 PM
  • Hi crogger,

    According to your description, I'd like to move this thread to "Application Security for Windows Desktop Forum" for better support.

    Thanks for your understanding and active participation in the MSDN Forum.
    Best regards,


    Helen Zhao [MSFT]
    MSDN Community Support | Feedback to us

    Wednesday, July 11, 2012 6:04 AM
  • Thanks, Helen, for moving the thread to a more suitable forum.

    I've had instances where the Certificate's CN name does not exactly match the user's account name, so there must be another way since the OS is already doing the aforementioned mapping.

    Wednesday, July 11, 2012 9:12 AM
  • Is there a way to query the Active Directory and retrieve the user name somehow?
    Monday, July 16, 2012 8:08 AM
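
The UPN comparison suggested in the replies, as an added example that is not from the thread or any poster's code: it reads the subject CN and the SAN UPN from a .cer file and looks up the account whose userPrincipalName matches. It uses .NET's X509Certificate2 and DirectorySearcher rather than the CryptoAPI calls named above, and assumes a domain-joined machine and a hypothetical script parameter `$CerPath`.

```powershell
# Added example: resolve a .cer file to an AD account through the UPN in its SAN.
# Assumptions: domain-joined machine; $CerPath is a hypothetical parameter name.
param(
    [Parameter(Mandatory)] [string] $CerPath
)

Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue([string] $Value) {
    # Escape the RFC 4515 special characters so that text taken from the
    # certificate cannot change the structure of the LDAP filter.
    # The backslash is replaced first so later escapes are not double-escaped.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').
           Replace(')', '\29').Replace([string][char]0, '\00')
}

$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]

# SimpleName is the subject CN; UpnName is the UPN otherName entry in the SAN.
$cn  = $cert.GetNameInfo($nameType::SimpleName, $false)
$upn = $cert.GetNameInfo($nameType::UpnName, $false)

if ([string]::IsNullOrEmpty($upn)) {
    Write-Warning "No UPN in the SAN. Subject CN is '$cn', which may not match the account name."
    return
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(userPrincipalName=$(ConvertTo-LdapFilterValue $upn)))"
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')

$results = $searcher.FindAll()
try {
    # Zero matches or more than one match is treated as "no mapping".
    if ($results.Count -ne 1) {
        Write-Warning "Expected exactly one account for UPN '$upn', found $($results.Count)."
        return
    }
    [pscustomobject]@{
        SubjectCN      = $cn
        Upn            = $upn
        SamAccountName = [string]$results[0].Properties['samaccountname'][0]
        Thumbprint     = $cert.Thumbprint
    }
}
finally {
    $results.Dispose()
}
```

The script only reports which account the certificate names; it does not validate the certificate chain or revocation status, so the result should not be treated as proof of identity on its own.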