IIS Server Security - Re: Cannot get Cert authentication with directory service mapping







Re: Cannot get Cert authentication with directory service mapping

Author: ohaya

2007-01-24, 1:46 am

Hi,

I think the problem may be that you have "Integrated Windows
Authentication" enabled plus the require client certs, plus anonymous is
disabled.

Instead, try:

Integrated Windows Authentication - unchecked
Anonymous - checked

I'm not sure about the DS mapping, haven't looked at that lately, but
what that would do, when it works, is log you "into" IIS as the mapped
domain user. If I recall, for this to work, your users also all have to
have the userPrincipalName attribute populated in AD, and the Subject in
the client cert has to be formatted in a certain way (again, it's been
a while, so take that last part with a "grain of salt").

Jim



C Low wrote:
> Hi
>
> I've set up an IIS 6 server (on Win2K3 server) to do 2-way SSL using
> cert-based authentication with smart cards.
>
> On the IIS web site, I have these settings:
>
> * Anonymous access - disabled
> * Integrated Windows authentication -- enabled
> * Require client certs - enabled
> * Client certificate mapping -- disabled
> * Windows Directory Service Mapper - enabled
>
> At the client side (on both WinXP and Vista), I am using a smartcard that
> has a legit MS CA issued cert that I have been able to use for smartcard
> logon. This cert was issued off a "smartcard user" template. The XP/Vista
> client and the IIS server all belong to the same AD domain and share the
> same CA.
>
> When I visit the abovementioned web site,
>
> 1. I got a certificate prompt, whereupon I selected the abovementioned cert.
> 2. I was prompted for a PIN (by the smartcard CSP).
> 3. I entered the correct PIN.
> 4. I expected to be successfully logged into the web site at this point, but
> instead I next saw a Username/Password prompt.
> 5. I inspected the logs at IIS, but cannot find any error/reason why the
> certificate login was not accepted.
>
> To narrow down the problem, I enabled "client certificate mapping" and
> imported the above certificate into IIS. In this case, I was able to login
> successfully with my cert to access the web site.
>
> So, the problem must lie somewhere with the automatic mapping of the cert to
> AD credentials. Unfortunately, I cannot find any error logs anywhere that
> would help me troubleshoot.
>
> Does anyone have any advice on this?
>
>
> Thanks and regards,
>
> CM Low
>
>
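The reply above says that Directory Service Mapper only works when each user's userPrincipalName is populated in AD and the certificate carries the identity in the expected form. In practice, certificates issued from Microsoft templates such as "Smartcard User" carry the UPN in the Subject Alternative Name extension as an otherName of type 1.3.6.1.4.1.311.20.2.3 (szOID_NT_PRINCIPAL_NAME) holding a UTF8String, and that value is what gets matched against userPrincipalName. The following added example (not code from the thread or from Microsoft) is a pre-flight check an administrator could run before blaming IIS: it encodes a SAN extension with a UPN otherName, parses it back with a minimal DER reader, and looks the UPN up in a constructed stand-in for the directory. The `DIRECTORY` list, the `corp.example` domain and the account names are constructed sample data; the OID is the real Microsoft UPN OID.

```python
# Added example: extract the UPN from a certificate's Subject Alternative Name
# (DER-encoded GeneralNames) and check it against AD userPrincipalName values.
# The directory below is a constructed stand-in for real AD user objects.
DIRECTORY = [
    {"sAMAccountName": "clow", "userPrincipalName": "clow@corp.example"},
    {"sAMAccountName": "jdoe", "userPrincipalName": ""},  # UPN not populated
    {"sAMAccountName": "svc-web", "userPrincipalName": "svc-web@corp.example"},
]

# Microsoft szOID_NT_PRINCIPAL_NAME: otherName type-id used for UPNs in the SAN.
UPN_OID = "1.3.6.1.4.1.311.20.2.3"


def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(oid):
    """Dotted OID string -> DER OBJECT IDENTIFIER contents (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def encode_upn_san(upn):
    """Build a SAN GeneralNames SEQUENCE holding a single UPN otherName."""
    # otherName [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
    other_name = _tlv(0x06, _encode_oid(UPN_OID)) + _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))
    return _tlv(0x30, _tlv(0xA0, other_name))


def _read_tlv(buf, pos):
    """Read one DER element at pos; returns (tag, contents, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def extract_upn(san_der):
    """Return the UPN carried in the SAN, or None if there is no UPN otherName."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN extension value is not a SEQUENCE")
    pos = 0
    while pos < len(names):
        gtag, gbody, pos = _read_tlv(names, pos)
        if gtag != 0xA0:  # only otherName [0] can carry a UPN; skip DNS, email, etc.
            continue
        oid_tag, oid_body, p = _read_tlv(gbody, 0)
        if oid_tag != 0x06 or _decode_oid(oid_body) != UPN_OID:
            continue
        _, explicit, _ = _read_tlv(gbody, p)  # unwrap the [0] EXPLICIT value
        vtag, vbody, _ = _read_tlv(explicit, 0)
        if vtag != 0x0C:
            raise ValueError("UPN otherName value is not a UTF8String")
        return vbody.decode("utf-8")
    return None


def find_mapped_user(san_der, directory=DIRECTORY):
    """sAMAccountName whose userPrincipalName matches the cert UPN, else None."""
    upn = extract_upn(san_der)
    if upn is None:
        return None
    for user in directory:
        if user["userPrincipalName"] and user["userPrincipalName"].lower() == upn.lower():
            return user["sAMAccountName"]
    return None


if __name__ == "__main__":
    for candidate in ("clow@corp.example", "jdoe@corp.example"):
        print(candidate, "->", find_mapped_user(encode_upn_san(candidate)))
```

A certificate whose SAN yields `None` here, or whose UPN matches no populated userPrincipalName, is exactly the case where the mapper has nothing to map and IIS falls through to the next configured scheme, which in the original poster's configuration is the Windows credential prompt. Running the same check against the real SAN bytes from the smartcard certificate (for instance, the extension value exported from the certificate viewer) separates a certificate-content problem from an IIS authentication-setting problem.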








Copyright 2003 - 2008 webservertalk.com