Forgive me if this question is something I already know, but I think
there's a mismatch between my expectations and reality. Wouldn't be
the first time *that* happened, of course.

I've successfully got certificate server set up, and I've got account
mapping going. But when a user with a certificate accesses a vdir so
configured, they are getting prompted for credentials. That's not
what I expected: I was thinking that the certificate would be all
they would need.

So I'm looking for confirmation: even if the certificate mapping is
working correctly, should the users be prompted to login? If that's
the case, its it safe to say that the having the certificate
requirement is essentially just a third credentially requirement?

If so, fine -- so be it.  If not, what should my next troubleshooting
step be?

I'm happy to RTFM if somebody can point me to a good M to F'n R. 

Thanks!

Kent Tegels



SQL Sever Express Blog (Good for FAQs): http://tinyurl.com/6r4gb

SQL Server Express BOL (The docs you need): http://tinyurl.com/4ctjx

Kent's Blog: http://www.tegels.org/

[ Post a follow-up to this message ]

Hi,

"Kent Tegels" <kent@tegels.org> schrieb:
> I've successfully got certificate server set up, and I've got account
> mapping going.

via AD or via direct config?

> So I'm looking for confirmation: even if the certificate mapping is
> working correctly, should the users be prompted to login?

it depends ... does the useraccount that is mapped to the cert have access
to the files in question?

> If so, fine -- so be it.  If not, what should my next troubleshooting
> step be?

check the W3-logfile and activate logging on all possible fields.

Jochen

[ Post a follow-up to this message ]

Jochen Ruhland wrote:



> via AD or via direct config?

Direct config, AD isn't an option here. At least not immediately or
easily.


 
is
[vbcol=seagreen] 


[vbcol=seagreen]
> it depends ... does the useraccount that is mapped to the cert have
access

> to the files in question?

Yes.



> check the W3-logfile and activate logging on all possible fields.

Nothing helpful there.



Danke,

Kent Tegels



SQL Sever Express Blog (Good for FAQs): http://tinyurl.com/6r4gb

SQL Server Express BOL (The docs you need): http://tinyurl.com/4ctjx

Kent's Blog: http://www.tegels.org/

[ Post a follow-up to this message ]

Hi,

"Kent Tegels" <kent@tegels.org> schrieb:
> Nothing helpful there.

you should at least see a 403-error when you try to access the file. What
username is listed there? Enable auditing for that file and check eventlog.

Jochen

[ Post a follow-up to this message ]

I've dug myself out of this. Turns out that I didn't allow anonymous
access and the user in question didn't have DACLs were they should.
Once I started allowing anonymous but required certificates and gave
the anonmyous ASP.NET process to directory, it all started working
and the the impersonation process I wanted to achieve turned out fine.


Thanks!

Kent Tegels



SQL Sever Express Blog (Good for FAQs): http://tinyurl.com/6r4gb

SQL Server Express BOL (The docs you need): http://tinyurl.com/4ctjx

Kent's Blog: http://www.tegels.org/

[ Post a follow-up to this message ]