Archived thread from the IIS Server Security forum, January 2007.
Cannot get Cert authentication with directory service mapping to work
Hi
I've set up an IIS 6 server (on Win2K3 server) to do 2-way SSL using
cert-based authentication with smart cards.
On the IIS web site, I have these settings:
* Anonymous access - disabled
* Integrated Windows authentication - enabled
* Require client certs - enabled
* Client certificate mapping - disabled
* Windows Directory Service Mapper - enabled
At the client side (on both WinXP and Vista), I am using a smartcard that
has a legit MS CA issued cert that I have been able to use for smartcard
logon. This cert was issued off a "smartcard user" template. The XP/Vista
client and the IIS server all belong to the same AD domain and share the
same CA.
When I visit the above-mentioned web site,
1. I got a certificate prompt, whereupon I selected the above-mentioned cert.
2. I was prompted for a PIN (by the smartcard CSP).
3. I entered the correct PIN.
4. I expected to be successfully logged into the web site at this point, but
instead I next saw a Username/Password prompt.
5. I inspected the logs at IIS, but cannot find any error/reason why the
certificate login was not accepted.
To narrow down the problem, I enabled "client certificate mapping" and
imported the above certificate into IIS. In this case, I was able to login
successfully with my cert to access the web site.
So, the problem must lie somewhere with the automatic mapping of the cert to
AD credentials. Unfortunately, I cannot find any error logs anywhere that
would help me troubleshoot.
Does anyone have any advice on this?
Thanks and regards,
CM Low
OK. Thanks! Your suggestion seems to solve the specific problem I
mentioned.
I was looking at "integrated authentication" because I was eventually going
to put some ASP pages on the web site that would execute some processes
using the user's own AD privileges (rather than as some generic "IUSR_..."
account). I'm still curious as to why what I did earlier did not work.
Best Regards,
CM
"ohaya" <ohaya@cox.net> wrote in message
news:e5hS6v3PHHA.4124@TK2MSFTNGP06.phx.gbl...
> Hi,
>
> I think the problem may be that you have "Integrated Windows
> Authentication" enabled plus the require client certs, plus anonymous is
> disabled.
>
> Instead, try:
>
> Integrated Windows Authentication - unchecked
> Anonymous - checked
>
> I'm not sure about the DS mapping, haven't looked at that lately, but what
> that would do, when it works, is log you "into" IIS as the mapped domain
> user. If I recall, for this to work, your users also all have to have the
> userPrincipalName attribute populated in AD, and the Subject in the client
> cert has to be formatted in a certain way (again, it's been awhile, so
> take that last part with a "grain of salt").
>
> Jim
>
>
>
> C Low wrote:
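Jim's reply above says the DS mapper only works when the user's AD object has userPrincipalName populated and the certificate carries a matching name. On Windows that name is the UPN otherName (OID 1.3.6.1.4.1.311.20.2.3) in the certificate's Subject Alternative Name extension. The following is an added example, not code from the thread: a stdlib-only Python script that builds a constructed SAN extension value in DER, extracts the UPN from it the way a mapper would, and checks it against a constructed list of AD userPrincipalName values. The hostnames, user names and the AD list are assumptions for illustration; a real check would read the SAN from the smart card certificate and query AD.

```python
"""Extract the UPN otherName from a certificate SAN and check it against AD UPNs.

Added example (not from the original thread). Pure stdlib: a minimal DER
encoder/decoder is included so the script runs offline on a constructed SAN.
"""

# Microsoft UPN otherName OID carried in the Subject Alternative Name extension.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def _der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """Wrap body in a tag-length-value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_san(upn=None, dns_names=()):
    """Constructed SAN extension value: SEQUENCE OF GeneralName."""
    names = b""
    if upn is not None:
        # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        other = encode_oid(UPN_OID) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
        names += _tlv(0xA0, other)  # GeneralName otherName is [0] IMPLICIT
    for name in dns_names:
        names += _tlv(0x82, name.encode("ascii"))  # dNSName is [2] IMPLICIT
    return _tlv(0x30, names)


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _children(body):
    """Iterate over the TLVs directly contained in a constructed body."""
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        yield tag, val


def decode_oid(body):
    """Decode DER OBJECT IDENTIFIER contents back to dotted form."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def upn_from_san(san_der):
    """Return the UPN string from a SAN extension value, or None if absent."""
    tag, seq, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value must be a SEQUENCE")
    for gn_tag, gn_body in _children(seq):
        if gn_tag != 0xA0:  # only otherName entries can carry a UPN
            continue
        parts = list(_children(gn_body))
        if len(parts) != 2 or parts[0][0] != 0x06 or decode_oid(parts[0][1]) != UPN_OID:
            continue
        inner = list(_children(parts[1][1]))  # unwrap the [0] EXPLICIT value
        if inner and inner[0][0] == 0x0C:
            return inner[0][1].decode("utf-8")
    return None


def check_mapping(san_der, ad_upns):
    """Mimic the DS mapper's precondition: cert UPN must equal an AD userPrincipalName."""
    upn = upn_from_san(san_der)
    if upn is None:
        return None, "no UPN in certificate SAN; DS mapper cannot match"
    matches = [u for u in ad_upns if u.lower() == upn.lower()]
    if not matches:
        return upn, "no AD account with this userPrincipalName"
    return upn, "maps to " + matches[0]


if __name__ == "__main__":
    # Constructed sample data (assumptions, not from the thread).
    ad_upns = ["cmlow@example.local", "jim@example.local"]
    san = build_san("cmlow@example.local", ["intranet.example.local"])
    print(check_mapping(san, ad_upns))
    print(check_mapping(build_san(dns_names=["intranet.example.local"]), ad_upns))
```

A certificate without the UPN otherName, or a user whose userPrincipalName attribute is empty, fails this check before any authentication happens, which matches the symptom in the thread: IIS silently falls through to the next enabled method instead of logging a mapping error.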