Cannot get Cert authentication with directory service mapping to work

am 24.01.2007 05:47:12 von C Low

Hi

I've setup an IIS 6 server (on Win2K3 server) to do 2-way SSL using
cert-based authentication with smart cards.

On the IIS web site, I have these settings:

* Anonymous access - disabled
* Integrated Windows authentication -- enabled
* Require client certs - enabled
* Client certificate mapping -- disabled
* Windows Directory Service Mapper - enabled

At the client side (on both WinXP and Vista), I am using a smartcard that
has a legit MS CA-issued cert that I have been able to use for smartcard
logon. This cert was issued off a "smartcard user" template. The XP/Vista
client and the IIS server all belong to the same AD domain and share the
same CA.

When I visit the above-mentioned web site:

1. I get a certificate prompt, whereupon I select the above-mentioned cert.
2. I am prompted for a PIN (by the smartcard CSP).
3. I enter the correct PIN.
4. I expect to be logged into the web site successfully at this point, but
instead I next see a username/password prompt.
5. I inspected the logs at IIS, but cannot find any error/reason why the
certificate login was not accepted.

To narrow down the problem, I enabled "client certificate mapping" and
imported the above certificate into IIS. In this case, I was able to login
successfully with my cert to access the web site.

So, the problem must lie somewhere with the automatic mapping of the cert to
AD credentials. Unfortunately, I cannot find any error logs anywhere that
would help me troubleshoot.

Does anyone have any advice on this?


Thanks and regards,

CM Low

Re: Cannot get Cert authentication with directory service mapping to work

am 24.01.2007 06:53:40 von ohaya

Hi,

I think the problem may be that you have "Integrated Windows
Authentication" enabled plus the require client certs, plus anonymous is
disabled.

Instead, try:

Integrated Windows Authentication - unchecked
Anonymous - checked

I'm not sure about the DS mapping, haven't looked at that lately, but
what that would do, when it works, is log you "into" IIS as the mapped
domain user. If I recall, for this to work, your users also all have to
have the userPrincipalName attribute populated in AD, and the Subject in
the client cert has to be formatted in a certain way (again, it's been
a while, so take that last part with a "grain of salt").

Jim



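The implicit mapping Jim describes (the UPN carried in the certificate has to match a populated userPrincipalName in AD), as an added example that is not part of the thread: a pure-Python model of that lookup, with a minimal DER encoder/decoder so it runs offline against the IIS settings listed in the original post. It assumes the UPN is carried as a SubjectAltName otherName with Microsoft's UPN OID 1.3.6.1.4.1.311.20.2.3 (the form the Smartcard User template issues) and compares UPNs case-insensitively; the directory contents and the sample SANs are constructed, and the real mapper (Schannel on the server) also honours explicit altSecurityIdentities mappings, which this model leaves out.

```python
# Added example (not from the thread): a pure-Python model of the implicit
# UPN-based mapping that the Windows directory service mapper performs.
# Assumptions: the cert carries the UPN as a SubjectAltName otherName with
# Microsoft's UPN OID (1.3.6.1.4.1.311.20.2.3, UTF8String), and an account
# matches when its AD userPrincipalName equals that UPN (compared
# case-insensitively here). The directory contents and SANs are constructed.

MS_UPN_OID = "1.3.6.1.4.1.311.20.2.3"

# Constructed sample directory: sAMAccountName -> userPrincipalName
# (None models an account whose userPrincipalName attribute is empty).
DIRECTORY = {
    "clow": "clow@corp.example",
    "jsmith": None,
}


def _tlv(tag, body):
    """DER tag-length-value with a short-form length (enough for samples)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _encode_oid(oid):
    """DER-encode a dotted OID string (base-128 arcs, first two combined)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def san_with_upn(upn):
    """SubjectAltName holding one otherName { MS UPN OID, UTF8String upn }."""
    other_name = _tlv(0x06, _encode_oid(MS_UPN_OID)) + \
        _tlv(0xA0, _tlv(0x0C, upn.encode("utf-8")))   # [0] EXPLICIT value
    return _tlv(0x30, _tlv(0xA0, other_name))        # SEQUENCE { [0] otherName }


def san_with_email(email):
    """SubjectAltName holding only an rfc822Name (no UPN at all)."""
    return _tlv(0x30, _tlv(0x81, email.encode("ascii")))   # [1] rfc822Name


def upns_from_san(san_der):
    """Return every Microsoft UPN found in a DER SubjectAltName value."""
    tag, names, _ = _read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    upns, pos = [], 0
    while pos < len(names):
        tag, value, pos = _read_tlv(names, pos)
        if tag != 0xA0:                    # not an otherName
            continue
        _, oid_raw, after_oid = _read_tlv(value, 0)
        if _decode_oid(oid_raw) != MS_UPN_OID:
            continue
        _, explicit, _ = _read_tlv(value, after_oid)   # [0] EXPLICIT wrapper
        inner_tag, text, _ = _read_tlv(explicit, 0)
        if inner_tag == 0x0C:              # UTF8String
            upns.append(text.decode("utf-8"))
    return upns


def map_cert_to_account(san_der, directory=DIRECTORY):
    """Return (sAMAccountName, reason); account is None when mapping fails."""
    upns = upns_from_san(san_der)
    if not upns:
        return None, "certificate SAN carries no Microsoft UPN otherName"
    by_upn = {u.lower(): sam for sam, u in directory.items() if u}
    for upn in upns:
        if upn.lower() in by_upn:
            return by_upn[upn.lower()], "mapped via userPrincipalName"
    return None, "no account has userPrincipalName %r" % upns[0]


if __name__ == "__main__":
    for san in (san_with_upn("CLow@corp.example"),     # maps to clow
                san_with_upn("jsmith@corp.example"),   # UPN not populated in AD
                san_with_email("clow@corp.example")):  # no UPN in the cert
        print(map_cert_to_account(san))
```

The second and third cases are the two silent failures worth ruling out first when the mapper does not produce a logon: an account whose userPrincipalName is empty, and a certificate whose SAN carries no UPN otherName at all. On the client, `certutil -dump` on the exported certificate shows exactly what the SAN contains, and on the domain controller the account's userPrincipalName can be compared against it.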

Re: Cannot get Cert authentication with directory service mapping to work

am 26.01.2007 07:32:11 von C Low

OK. Thanks! Your suggestion seems to solve the specific problem I
mentioned.

I was looking at "integrated authentication" because I was eventually going
to put some ASP pages on the web site that would execute some processes
using the user's own AD privileges (rather than as some generic "IUSR_..."
account). I'm still curious as to why what I did earlier did not work.

Best Regards,

CM
