IIS 6 Directory Services Mapping ACL Problems

am 24.10.2006 16:08:25 von drew.sullivan

For the love of god, please help me. I can't afford to pull out any
more hair.

I have a small domain setup at my organization, all servers are Windows
2003. We are trying to configure certificate based logins using the
directory services method (not IIS certificate mapping).

My issue is not with configuring the servers. I have SSL required,
Client certificate required, Enable Client Certificate mapping is
checked, and Directory Services mapping is checked. All of our user
accounts are stored in the domain's Active Directory and all users have
their certificates published in the AD and the name mappings property
is properly set.

When I authenticate on our web server with my certificate, my domain
account username shows up in the web log. I can control access to
different web sites by using domain account ACLs on the different web
applications we have. It seems to me everything is properly
configured.

Here is my problem. We have a file storage and retrieval web
application. The files are stored on another server in the domain.
When I try to access an existing file I get an HTTP Error 401.3 -
Unauthorized: Access is denied due to an ACL set on the requested
resource. FYI - the files to view are displayed on the web page as
links.

It seems to me that when I present my certificate to the web server,
IIS logs me in on the web server as the account my certificate is
mapped to. However, when IIS tries to access the remote resource,
those credentials are not used to access the remote storage on our file
server. I tried giving the Everyone account access and went as far as
making my account a domain admin. I tried sniffing the traffic between
the web server and file server to examine the SMB packets. I could not
determine what account was being used by looking at the raw network
data.

Just so you have all the information... We have a virtual directory
set up on our web server that connects to a share on the file server via
a UNC path. On IIS 6 you have two options for authentication when
accessing a share on another server. One is to use an account/password
you supply (we do not want to do this), the other is to use the
authenticated user's credentials. We assumed that when using DS mapping
our users would always be authenticated as the account the
certificate was mapped to. This seems to be the case when accessing
the local file system, but not when trying to access the remote file
system through a virtual directory.

I do not understand why we still have an ACL error even when giving the
Everyone account full access on the share and the filesystem. It
seems to me that when the web server tries to access the remote storage
it is using a local account that the file server does not know about.
I have IIS configured to use a domain account for both the anonymous
account and the worker process account (the IUSR_XXX and IWAM_IIS),
and these accounts are added to the local IIS_WPG group.

Can anyone shed some light on this?

-Andy

Re: IIS 6 Directory Services Mapping ACL Problems

am 25.10.2006 05:16:05 von Ken Schaefer

It would appear that you cannot delegate certificate based credentials.

IIS does not have the user's password, so it can't just logon to the remote
file server as the user directly.

Nor is Kerberos involved, so the Kerberos proxy service can't just get a
service ticket to the remote server on behalf of the user (this is my
assumption).

So, your last option may be Protocol Transition. This allows IIS to get a
Kerberos service ticket even when the initial authentication protocol was
not Kerberos (e.g. it was NTLM). I don't know if it works with certificate
based auth though...

Kerberos Protocol Transition and Constrained Delegation
http://technet2.microsoft.com/WindowsServer/en/library/c312ba01-318f-46ca-990e-a597f3c294eb1033.mspx?mfr=true

Your other alternative might be to use a Trusted Subsystem model. You have a
single account that accesses the remote file share, and checks the ACLs on
resources on that file share to see if the user is allowed access or not.
Only display the items the user has access to.

Lastly - if you want to see what account is being used to access the remote
file share, enable auditing of logon failures on the remote file share
and/or run Filemon, and see (a) what logon failures there might be and (b)
which account is getting access denied.

Cheers
Ken


wrote in message
news:1161698905.238736.217570@m7g2000cwm.googlegroups.com...
> For the love of god, please help me. I can't afford to pull out any
> more hair.
>
> I have a small domain setup at my organization, all servers are Windows
> 2003. We are trying to configure certificate based logins using the
> directory services method (not IIS certificate mapping).
>
> My issue is not with configuring the servers. I have SSL required,
> Client certificate required, Enable Client Certificate mapping is
> checked, and Directory Services mapping is checked. All of our user
> accounts are stored in the domain's Active Directory and all users have
> their certificates published in the AD and the name mappings property
> is properly set.
>
> When I authenticate on our web server with my certificate, my domain
> account username shows up in the web log. I can control access to
> different web sites by using domain account ACLs on the different web
> applications we have. It seems to me everything is properly
> configured.
>
> Here is my problem. We have a file storage and retrieval web
> application. The files are stored on another server in the domain.
> When I try to access an existing file I get an HTTP Error 401.3 -
> Unauthorized: Access is denied due to an ACL set on the requested
> resource. FYI - the files to view are displayed on the web page as
> links.
>
> It seems to me that when I present my certificate to the web server,
> IIS logs me in on the web server as the account my certificate is
> mapped to. However, when IIS tries to access the remote resource,
> those credentials are not used to access the remote storage on our file
> server. I tried giving the Everyone account access and went as far as
> making my account a domain admin. I tried sniffing the traffic between
> the web server and file server to examine the SMB packets. I could not
> determine what account was being used by looking at the raw network
> data.
>
> Just so you have all the information... We have a virtual directory
> set up on our web server that connects to a share on the file server via
> a UNC path. On IIS 6 you have two options for authentication when
> accessing a share on another server. One is to use an account/password
> you supply (we do not want to do this), the other is to use the
> authenticated user's credentials. We assumed that when using DS mapping
> our users would always be authenticated as the account the
> certificate was mapped to. This seems to be the case when accessing
> the local file system, but not when trying to access the remote file
> system through a virtual directory.
>
> I do not understand why we still have an ACL error even when giving the
> Everyone account full access on the share and the filesystem. It
> seems to me that when the web server tries to access the remote storage
> it is using a local account that the file server does not know about.
> I have IIS configured to use a domain account for both the anonymous
> account and the worker process account (the IUSR_XXX and IWAM_IIS),
> and these accounts are added to the local IIS_WPG group.
>
> Can anyone shed some light on this?
>
> -Andy
>
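The Trusted Subsystem model Ken suggests above has the web application reach the share with one fixed service account and then decide, per file, whether the certificate-mapped user is allowed to see it. The added example below is not code from either post; it is a small Python model of how a Windows DACL is evaluated (ACEs walked in canonical order, an explicit deny on any requested right wins, allow ACEs accumulate rights until the request is satisfied) and a filter that keeps only the entries the user can read. It also shows why "Everyone: Full Control" does not help an identity the file server cannot map, since on Windows Server 2003 the Anonymous Logon token does not carry the Everyone SID by default. The file names, the domain user and group SIDs (S-1-5-21-...), and the ACLs are constructed for the example; the well-known SIDs for Everyone, Anonymous Logon and Authenticated Users are the real Windows values.

```python
"""Trusted-subsystem style ACL filtering, modelled on Windows DACL evaluation.

Constructed example: file names, domain SIDs and ACLs below are made up.
The well-known SIDs (Everyone, Anonymous Logon, Authenticated Users) are
the real Windows values.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple

# Access-mask bits: a tiny subset standing in for the Windows FILE_* rights.
READ = 0x1
WRITE = 0x2
DELETE = 0x4
FULL_CONTROL = READ | WRITE | DELETE

# Well-known Windows SIDs.
EVERYONE = "S-1-1-0"
ANONYMOUS_LOGON = "S-1-5-7"
AUTHENTICATED_USERS = "S-1-5-11"

# Constructed domain SIDs (not from the thread).
DOMAIN_USERS = "S-1-5-21-1111-2222-3333-513"
ANDY = "S-1-5-21-1111-2222-3333-1104"
BOB = "S-1-5-21-1111-2222-3333-1105"


@dataclass(frozen=True)
class Ace:
    allow: bool   # True = ACCESS_ALLOWED_ACE, False = ACCESS_DENIED_ACE
    sid: str      # trustee the ACE applies to
    mask: int     # rights granted or denied


@dataclass
class SecurityDescriptor:
    # None models a NULL DACL (no protection: everything is granted);
    # an empty list models an empty DACL (nothing is granted to anyone).
    # ACEs are assumed to be in canonical order: explicit denies first.
    dacl: Optional[List[Ace]]


@dataclass(frozen=True)
class Token:
    user_sid: str
    group_sids: FrozenSet[str]

    def sids(self) -> Set[str]:
        return {self.user_sid} | set(self.group_sids)


def access_check(sd: SecurityDescriptor, token: Token, requested: int) -> bool:
    """Return True if the token is granted every bit in `requested`."""
    if sd.dacl is None:
        return True                      # NULL DACL: unprotected object
    remaining = requested                # rights not yet granted by an allow ACE
    sids = token.sids()
    for ace in sd.dacl:
        if ace.sid not in sids:
            continue                     # ACE does not apply to this token
        if not ace.allow:
            if ace.mask & requested:
                return False             # explicit deny on a requested right wins
        else:
            remaining &= ~ace.mask       # accumulate granted rights
            if remaining == 0:
                return True              # every requested right is now granted
    return remaining == 0                # empty DACL or no matching allow: denied


def visible_files(files: List[Tuple[str, SecurityDescriptor]], token: Token) -> List[str]:
    """Trusted-subsystem step: list only the entries the user may read."""
    return [name for name, sd in files if access_check(sd, token, READ)]


# Constructed share contents with their DACLs.
FILES = [
    ("quarterly-report.xlsx", SecurityDescriptor([Ace(True, AUTHENTICATED_USERS, READ)])),
    ("payroll.xlsx", SecurityDescriptor([Ace(False, BOB, READ | WRITE),
                                         Ace(True, DOMAIN_USERS, READ)])),
    ("public-notice.txt", SecurityDescriptor([Ace(True, EVERYONE, FULL_CONTROL)])),
]

# Tokens as the file server would build them. Note that the Anonymous Logon
# token is not a member of Everyone under the Windows Server 2003 defaults.
ANDY_TOKEN = Token(ANDY, frozenset({DOMAIN_USERS, AUTHENTICATED_USERS, EVERYONE}))
BOB_TOKEN = Token(BOB, frozenset({DOMAIN_USERS, AUTHENTICATED_USERS, EVERYONE}))
ANONYMOUS_TOKEN = Token(ANONYMOUS_LOGON, frozenset())

if __name__ == "__main__":
    for label, token in (("andy", ANDY_TOKEN), ("bob", BOB_TOKEN), ("anonymous", ANONYMOUS_TOKEN)):
        print(f"{label}: {visible_files(FILES, token)}")
```

The anonymous token sees nothing even though public-notice.txt grants Everyone full control, which is the same symptom the original post describes when the web server reaches the share as an identity the file server cannot map. Bob is kept away from payroll.xlsx by the explicit deny even though he is in Domain Users, which is why the deny-first canonical order matters when a service account filters on the user's behalf.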