Re: Client Certificate -> IIS -> SQL - will it work?

From: digital-fallout <no.spam@here.com>
Date: Sun, 16 Mar 2003 18:33:41 +0100


> After spending a few weeks on the phone working with a bunch of people at
> MS last summer, it was determined that it was not possible to use client
> certificates in this manner because the user credentials could not be
> delegated to the other network resources (too many hops). Users who
> provided uid/pwd could have their credentials delegated, but client
> certificate authentication did not result in delegatable credentials
> because of the protocol used.

same story here :-\

> So we were dead in the water with Win2K according to MS. We were told
> however that .Net would allow client certificate credentials to be
> delegated. Now that we're looking at the topic again, I'm not seeing where
> .Net offers us anything that 2K didn't. According to Building Secure
> ASP.NET Applications: Authentication, Authorization, and Secure
> Communication, and everything else I've read, the .Net framework didn't
> change anything - IIS certificate mapping should work, Active Directory
> certificate mapping doesn't.
>
sad but true

>
> 1) Am I correct in understanding that the .Net framework does not allow
> client certificate originating credentials be delegated beyond the box
> that initiated the authentication request?
>

It's not the framework, it's how W2K was built by architecture:
the KDC is wrapped into the AD, you cannot take the TGT (Ticket Granting Ticket)
and proxy it to your clients, because it's intra-domain only.

There's a good paper
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
where you should build/wrap a web service for the TGT service ...

I've now done a prototype on RC2 .NET Server; the AD mapping runs,
but it seems a bit strange, not really tracked down.
It uses the extension on the X509Certificate with PrincipalName=blaa@blaa.com
and maps the account.

I also tried to move the certificate from a first delegation (proxy) box
to the real web service behind the DMZ, but it doesn't let me push the
client's certificate further back; something like the ASPNET account
should have a profile, which it hasn't (because it's a system account), and
so it cannot negotiate the second SSL tunnel.

> 2) If #1 is true, does the framework as will be implemented in Windows
> Server 2003 make it possible?

There were some stories about Kerberos delegation, and some services,
something like 4userBlaa, and also that you could define an endpoint on
Kerberos delegation.
This means this machine can delegate to SqlServer only on this machine, not to
_ALL_.

But I didn't see anything visual (some AD GUI or something) on RC2.

http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=26450

With LDAP it doesn't run (it can be that the API is too crippled for
Kerberos, or they are hacking like mad to get the release). I didn't do an
SQL Server; I'll see that in the security log you'll have a Kerberos ticket.
N.B. you see the GUID of the user.

I'll also mention a little problem: with LDAP the AD threw a
REQUIRE_PRE_AUTHENTIFICATION error, something like a 0x19 or 0x18 Kerberos
error, when going for remote LDAP and trying to use delegation.

I would say get yourself RTM and give it a try.
I'm now also waiting for RTM.

> 3) If the answer to #2 is "No", is anybody hiring? Our application will
> likely be forced to move to a non-Windows platform if the requirements are
> not met, and I don't think I'd be moving with it.

*mhh* we're not hiring.
I think you should take the solution that does the job ...

-- 
 .::[ carbon unit 64 69 67 69 74 61 6c 2d 66 61 6c 6c 6f 75 74 ]::.
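As an added example (not code from the thread), this is how the AD mapping described in the post finds an account: it reads the UPN from the certificate's Subject Alternative Name otherName entry (Microsoft OID 1.3.6.1.4.1.311.20.2.3, the PrincipalName=blaa@blaa.com the post mentions) and looks it up. The minimal DER helpers, the sample SANs and the directory dict are constructed for this example; real AD resolves the UPN against the account's userPrincipalName. A certificate whose SAN carries only a dNSName yields no UPN and therefore maps to no account.

```python
# Added example: UPN-based certificate-to-account mapping over a SubjectAltName value.
# The DER encoder/decoder below is a minimal stand-in written for this example.
MS_UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 as DER content

def der(tag, body):
    """Wrap body in a DER TLV with the given tag (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def upn_from_san(san_der):
    """Extract the UPN from a SubjectAltName extension value, or None if absent."""
    tag, names, _ = read_tlv(san_der, 0)
    if tag != 0x30: raise ValueError("SubjectAltName must be a SEQUENCE OF GeneralName")
    pos = 0
    while pos < len(names):
        gtag, gbody, pos = read_tlv(names, pos)
        if gtag != 0xA0:            # [0] otherName; 0x81 rfc822Name, 0x82 dNSName, ...
            continue
        oid_tag, oid, vpos = read_tlv(gbody, 0)       # OtherName.type-id
        val_tag, val, _ = read_tlv(gbody, vpos)       # OtherName.value, [0] EXPLICIT
        if oid_tag == 0x06 and oid == MS_UPN_OID and val_tag == 0xA0:
            str_tag, upn, _ = read_tlv(val, 0)
            if str_tag == 0x0C:                       # UTF8String
                return upn.decode("utf-8")
    return None

# Constructed stand-in for the AD lookup: userPrincipalName -> account.
DIRECTORY = {"blaa@blaa.com": "BLAA\\blaa"}
def map_certificate(san_der, directory=DIRECTORY):
    """Return the mapped account, or None when the cert carries no matching UPN."""
    upn = upn_from_san(san_der)
    return None if upn is None else directory.get(upn.lower())

# Constructed sample SANs: one with the UPN otherName, one with only a dNSName.
UPN_SAN = der(0x30, der(0xA0, der(0x06, MS_UPN_OID) + der(0xA0, der(0x0C, b"blaa@blaa.com")))
              + der(0x82, b"client01.example.test"))
DNS_ONLY_SAN = der(0x30, der(0x82, b"client01.example.test"))
```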

