01-20-06 01:49 AM
Hi Bob,
I may have misunderstood your post, but,
> "Then I added a mapping between a client certificate and a newly created
> local windows account that doesn't belong to any User Group"
All local users belong to the USERS group; each time you create one, it's
automatically part of this group...
--
Cheers,
Ed
"Bob" <bobatkpmg@yahoo.com> wrote in message
news:%23z5ztR9GGHA.2036@TK2MSFTNGP14.phx.gbl...
> I have a web server running Windows 2003 with SP1. I need to use a client
> certificate to control the access to a path. Under Properties -> Directory
> Security -> Security Communications (Edit) of the folder, I checked Require
> secure channel and Require client certificates. Then I added a mapping
> between a client certificate and a newly created local windows account that
> doesn't belong to any User Group. I then tested it from a remote IE
> browser. IE correctly detected that the page requires client certificate
> and prompted me to select one. I selected the one that's mapped on the
> server, it showed me the page. It all seems to work but my question is the
> user account on the server the client cert is mapped to does not belong to
> any group, so it has no ACL access to the file system folder (that the web
> path points at), how come I was able to view the page? I was expecting an
> Access Denied error. I disabled Anonymous Access, Integrated Windows
> Authentication, Basic Authentication etc, that is, everything on the
> Directory Security -> Authentication and Access Control tab, but the result
> is the same. This is really odd as it seems that if you have a valid
> client certificate, you can get in regardless of what account it's mapped to
> on the server.
>
> Any help with explaining this behavior, or what I did wrong would be much
> appreciated.
>
> Bob