Hi

I've setup an IIS 6 server (on Win2K3 server) to do 2-way SSL using
cert-based authentication with smart cards.

On the IIS web site, I have these settings:

* Anonymous access - disabled
* Integrated Windows authentication -- enabled
* Require client certs - enabled
* Client certificate mapping -- disabled
* Windows Directory Service Mapper - enabled

At the client side (on both WinXP and Vista), I am using a smartcard that
has a legit MS CA issued cert that I have been able to use for smartcard
logon. This cert was issued off a "smartcard user" template.   The XP/Vista
client and the IIS server all belong to the same AD domain and shares the
same CA.

When I visit the abovementioned web-site,

1. I got a certificate prompt, whereupon I selected the abovementioned cert.
2. I was prompted for a PIN (by the smartcard CSP).
3. I entered the correct PIN.
4. I expected to be successfully logged-into the web site at this point, but
instead I next saw a Username/Password prompt.
5. I inspected the logs at IIS, but cannot find any error/reason why the
certificate login was not accepted.

To narrow down the problem, I enabled "client certificate mapping" and
imported the above certificate into IIS. In this case, I was able to login
successfully with my cert to access the web site.

So, the problem must lie somewhere with the automatic mapping of the cert to
AD credentials. Unfortunately, I cannot find any  error logs anywhere that
would help me troubleshoot.

Does anyone have any advice on this?


Thanks and regards,

CM Low

[ Post a follow-up to this message ]

OK. Thanks!  Your suggestion seems to solve the specific problem I
mentioned.

I was looking at "integrated authentication" because I was eventually going
to put some ASP pages on the web site that would execute some processes
using user's own AD privilleges (rather than as some generic "IUSR_..."
account).  I'm still curious as to why what I did earlier did not work.

Best Regards,

CM

"ohaya" <ohaya@cox.net> wrote in message
news:e5hS6v3PHHA.4124@TK2MSFTNGP06.phx.gbl...[vbcol=seagreen]
> Hi,
>
> I think the problem may be that you have "Integrated Windows
> Authentication" enabled plus the require client certs, plus anonymous is
> disabled.
>
> Instead, try:
>
> Integrated Windows Authentication - unchecked
> Anonymous - checked
>
> I'm not sure about the DS mapping, haven't looked at that lately, but what
> that would do, when it works, is log you "into" IIS as the mapped domain
> user.  If I recall, for this to work, your users also all have to have the
> userPrincipalName attribute populated in AD, and the Subject in the client
> cert has to be formatted in a certain way (again, it's been awhile, so
> take that last part with a "grain of salt").
>
> Jim
>
>
>
> C Low wrote: 

[ Post a follow-up to this message ]