Question regarding certificate mapping
| Kent Tegels 2004-07-29, 5:54 pm |
| Forgive me if this question is something I already know, but I think
there's a mismatch between my expectations and reality. Wouldn't be
the first time *that* happened, of course.
I've successfully got certificate server set up, and I've got account
mapping going. But when a user with a certificate accesses a vdir so
configured, they are getting prompted for credentials. That's not
what I expected: I was thinking that the certificate would be all
they would need.
So I'm looking for confirmation: even if the certificate mapping is
working correctly, should the users be prompted to login? If that's
the case, is it safe to say that having the certificate
requirement is essentially just a third credential requirement?
If so, fine -- so be it. If not, what should my next troubleshooting
step be?
I'm happy to RTFM if somebody can point me to a good M to F'n R. 
Thanks!
Kent Tegels
SQL Server Express Blog (Good for FAQs): http://tinyurl.com/6r4gb
SQL Server Express BOL (The docs you need): http://tinyurl.com/4ctjx
Kent's Blog: http://www.tegels.org/
| |
| Jochen Ruhland 2004-07-29, 5:54 pm |
| Hi,
"Kent Tegels" <kent@tegels.org> wrote:
> I've successfully got certificate server set up, and I've got account
> mapping going.
Via AD or via direct config?
> So I'm looking for confirmation: even if the certificate mapping is
> working correctly, should the users be prompted to login?
It depends ... does the user account that is mapped to the cert have access
to the files in question?
> If so, fine -- so be it. If not, what should my next troubleshooting
> step be?
Check the W3 log file and activate logging on all possible fields.
Jochen
| |
| Kent Tegels 2004-07-29, 5:54 pm |
| Jochen Ruhland wrote:
> via AD or via direct config?
Direct config, AD isn't an option here. At least not immediately or
easily.
> it depends ... does the user account that is mapped to the cert have access
> to the files in question?
Yes.
> check the W3-logfile and activate logging on all possible fields.
Nothing helpful there.
Thanks,
Kent Tegels
| |
| Jochen Ruhland 2004-07-30, 5:51 pm |
| Hi,
"Kent Tegels" <kent@tegels.org> wrote:
> Nothing helpful there.
You should at least see a 403 error when you try to access the file. What
username is listed there? Enable auditing for that file and check the event log.
Jochen
| |
| Kent Tegels 2004-07-30, 5:51 pm |
| I've dug myself out of this. Turns out that I didn't allow anonymous
access and the user in question didn't have DACLs where they should.
Once I started allowing anonymous but required certificates and gave
the anonymous ASP.NET process to directory, it all started working
and the impersonation process I wanted to achieve turned out fine.
Thanks!
Kent Tegels
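Added example, not part of the original thread: a small triage script for the log check suggested above, which lists each 401/403 request in an IIS W3C extended log together with the username that was logged and the documented meaning of the substatus code. It assumes the `sc-substatus` field is being logged (available from IIS 6.0); the log lines, the `certuser` account and the `/secure/` path are constructed sample data.

```python
# Added example: triage IIS W3C extended log lines for client-certificate
# and authentication failures. SAMPLE_LOG is constructed sample data.

# Documented IIS substatus meanings relevant to certificate mapping.
HINTS = {
    (401, 1): "logon failed",
    (401, 2): "logon failed due to server configuration",
    (401, 3): "unauthorized due to ACL on resource",
    (403, 7): "client certificate required",
    (403, 12): "certificate mapper denied access",
    (403, 16): "client certificate untrusted or invalid",
    (403, 17): "client certificate expired or not yet valid",
}

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus sc-win32-status
2004-07-29 17:40:01 GET /secure/default.aspx - 192.0.2.10 403 7 5
2004-07-29 17:41:12 GET /secure/default.aspx - 192.0.2.10 401 2 5
2004-07-29 17:42:30 GET /secure/default.aspx certuser 192.0.2.10 401 3 5
2004-07-29 17:45:02 GET /secure/default.aspx certuser 192.0.2.10 200 0 0
"""

def triage(log_text):
    """Return one finding per 401/403 request, with the logged user and a hint."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column order can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        status, sub = row.get("sc-status", ""), row.get("sc-substatus", "")
        if status not in ("401", "403"):
            continue
        code = (int(status), int(sub) if sub.isdigit() else None)
        user = row.get("cs-username", "-")
        findings.append({
            "uri": row.get("cs-uri-stem"),
            "status": code,
            "user": None if user == "-" else user,  # "-" means no user was logged
            "hint": HINTS.get(code, "no hint for this substatus"),
        })
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

A 401.3 logged against a named account points at file ACLs for that account, while a 403.7 or 401.2 with no username points at the certificate or authentication settings on the virtual directory.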