Network Security Focus-Microsoft

RE: Certificate authentication under IIS

Subject: RE: Certificate authentication under IIS
Date: Tue, 07 Mar 2006 10:52:25 -0500
Okay, what are the underlying NTFS permissions to the files/folders to which
you're browsing? It sounds like the user to whom you've mapped the
certificate doesn't have permissions.

Laura 

-----Original Message-----
From: John Lightfoot [mailto:jlightfoot@gmail.com] 
Sent: Tuesday, March 07, 2006 9:53 AM
To: larobins@bellatlantic.net; focus-ms@securityfocus.com
Subject: RE: Certificate authentication under IIS

From an internal certificate authority.  The certificate 
authority is on my certificate trust list (CTL).

If I require client certificates but allow anonymous access, 
I get challenged for the certificate to get to the web site, 
but once the certificate is accepted, I'm still anonymous to 
the web site even though the certificate is mapped to a valid 
user account.  

If I don't allow anonymous access, I get challenged for my 
client certificate but once I provide it I get "HTTP Error 
401.2 - Unauthorized:
Access is denied due to server configuration," with a message 
"You do not have permission to view this directory or page 
using the credentials that you supplied because your Web 
browser is sending a WWW-Authenticate header field that the 
Web server is not configured to accept."  I wondered if it 
might be something to do with my client running IE7beta2, but 
it doesn't work under IE6 either.

I'm not sure if this is a clue, but when I also require 
Integrated Windows authentication, I get challenged for my 
certificate, then get a Windows username/password challenge.  
I've found that I can use a different Windows user account 
than the one the certificate is mapped to and still log in.  
I thought the way it was supposed to work if you required 
both a mapped client certificate and integrated Windows 
login, the mapped client certificate account had to be the 
same as the login account.

-----Original Message-----
From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
Sent: Tuesday, March 07, 2006 12:17 AM
To: 'John Lightfoot'; focus-ms@securityfocus.com
Subject: RE: Certificate authentication under IIS

From where were the client certificates obtained? (Internal CA, Verisign, etc.?)

Laura 

-----Original Message-----
From: John Lightfoot [mailto:jlightfoot@gmail.com]
Sent: Monday, March 06, 2006 4:16 PM
To: focus-ms@securityfocus.com
Subject: Re: Certificate authentication under IIS

Hello,

I am trying to figure out how to use client certificates to authenticate in IIS
under Windows Server 2003.

Specifically, I'm trying to use client certificates to map to Windows user
accounts in IIS, but I don't want to require username and password, too. I'm
trying to use one-factor authentication mapped to a Windows account with the one
factor being the certificate. Upon presentation of the certificate by the client,
I want the IIS session to log in the user to the mapped user account. I only seem
to be able to require both a certificate and username/password, not a certificate
only.

I'm able to require client certificates and present the proper one to the web
site. In the "authentication methods" configuration screen, if I deselect "enable
anonymous access" and select "integrated Windows authentication," I can log in by
providing both the certificate and the username/password of the mapped account.
If I deselect "integrated Windows authentication," I get an HTTP 401.2 error,
"You do not have permission to view this directory or page using the credentials
that you supplied because your Web browser is sending a WWW-Authenticate header
field that the Web server is not configured to accept." Is it possible to log in
a user based only on presentation of the certificate?

Any help would be greatly appreciated.  Thanks.



John Lightfoot

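The state the thread is circling (certificate accepted at the SSL layer, the mapped Windows account used as the request identity, no anonymous access and no Windows logon prompt) is two metabase properties on the site: AccessSSLFlags and AuthFlags. The script below is an added example, not something posted in the thread or shipped with IIS; it assumes web site ID 1, a PowerShell host on the Windows Server 2003 machine with the IIS ADSI provider, a local administrator session, and that the one-to-one mapping has already been created under the site's Secure Communications dialog. It sets the certificate-only combination, reads the flags back, and reports which of the three situations described in the thread the site is actually in.

```powershell
# Added example (not from the thread): configure and check IIS 6
# client-certificate-only authentication through the IIS ADSI provider.
# Assumptions: site ID 1, run as a local administrator on the IIS host.

# AccessSSLFlags bits, as documented for the IIS 6 metabase.
$AccessSSL              = 8
$AccessSSLNegotiateCert = 32
$AccessSSLRequireCert   = 64
$AccessSSLMapCert       = 128
$AccessSSL128           = 256

# AuthFlags bits, as documented for the IIS 6 metabase.
$AuthAnonymous = 1
$AuthBasic     = 2
$AuthNTLM      = 4    # "Integrated Windows authentication" in the MMC
$AuthMD5       = 16
$AuthPassport  = 64

$siteId = 1                                                   # assumed
$site   = [ADSI]"IIS://localhost/W3SVC/$siteId/ROOT"
$svc    = [ADSI]"IIS://localhost/W3SVC"

function Get-MetabaseInt($entry, $name) {
    # Inherited values are returned too; a missing value reads as 0.
    [int]$entry.psbase.Properties[$name].Value
}

function Set-CertificateOnlyAuth($entry) {
    # Require SSL, negotiate and require a client certificate, map it,
    # and turn every other authentication method off.
    $entry.psbase.Properties["AccessSSLFlags"].Value =
        ($AccessSSL -bor $AccessSSLNegotiateCert -bor
         $AccessSSLRequireCert -bor $AccessSSLMapCert)
    $entry.psbase.Properties["AuthFlags"].Value = 0
    $entry.psbase.CommitChanges()
}

Set-CertificateOnlyAuth $site

# Only needed when the mapping is done by Active Directory (the
# "Enable the Windows directory service mapper" checkbox) instead of a
# one-to-one or many-to-one mapping stored with the site.
# $svc.psbase.Properties["SSLUseDSMapper"].Value = $true
# $svc.psbase.CommitChanges()

$ssl  = Get-MetabaseInt $site "AccessSSLFlags"
$auth = Get-MetabaseInt $site "AuthFlags"

"AccessSSLFlags = $ssl  AuthFlags = $auth"

if (-not ($ssl -band $AccessSSLMapCert)) {
    "Certificate mapping is not enabled on this node; the certificate can be required but never becomes an identity."
}
elseif ($auth -band $AuthAnonymous) {
    "Anonymous access is on: a mapping that fails falls back silently to the anonymous account, so the site sees IUSR. Turn anonymous off to find out whether the mapping actually succeeds."
}
elseif ($auth -band ($AuthNTLM -bor $AuthBasic)) {
    "Integrated Windows or Basic auth is also on: if a Windows logon prompt appears after the certificate, the mapping produced no identity and the typed account is what the site sees; IIS does not compare it with the mapped account."
}
else {
    "Certificate-only: the mapped account is the only identity IIS can use. A 401.2 in this state means SSL accepted the certificate but no mapping produced a logon token (wrong certificate, disabled mapping, or a stale account password in a one-to-one mapping)."
}
```

Run it once, then retry the request with anonymous access off; in that state the 401.2 is the interesting signal, because with no other authentication method available the only way IIS can hand the request an identity is the certificate mapping, so the failure is in the mapping itself rather than in NTFS permissions (a permission problem on a successfully mapped account would surface as 401.3, not 401.2). The fall-through check for a mapping that is never reached is the one to keep around: IIS accepts and validates a client certificate from any CA in its trust list, and with anonymous access enabled it happily serves the page as IUSR whether or not the certificate mapped to anyone.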