Re: Client Certificate -> IIS -> SQL - will it work?
From: digital-fallout (no.spam@here.com)
Date: 03/16/03
- Next message: Joseph Geretz: "Re: Form Authentication with frames"
- Previous message: Tumer: "NO millions e-mail for Ad...Only a e-mail...!!!"
- In reply to: Shane Shaffer: "Client Certificate -> IIS -> SQL - will it work?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: digital-fallout <no.spam@here.com> Date: Sun, 16 Mar 2003 18:33:41 +0100
> After spending a few weeks on the phone working with a bunch of people at
> MS last summer, it was determined that it was not possible to use client
> certificates in this manner because the user credentials could not be
> delegated to the other network resources (too many hops). Users who
> provided uid/pwd could have their credentials delegated, but client
> certificate authentication did not result in delegatable credentials
> because of the protocol used.
same story here :-\
> So we were dead in the water with Win2K according to MS. We were told
> however that .Net would allow client certificate credentials to be
> delegated. Now that we're looking at the topic again, I'm not seeing
> where .Net offers us anything that 2K didn't. According to Building Secure
> ASP.NET Applications: Authentication, Authorization, and Secure
> Communication, and everything else I've read, the .Net framework didn't
> change anything - IIS certificate mapping should work, Active Directory
> certificate mapping doesn't.
>
sad but true
>
> 1) Am I correct in understanding that the .Net framework does not allow
> client certificate originating credentials be delegated beyond the box
> that initiated the authentication request?
>
it's not the framework, it's how w2k was built by architecture:
the KDC is wrapped into the AD; you cannot take the TGT (Ticket Granting Ticket)
and proxy it to your clients, because it's intra-domain only.
there's a good paper
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
where you should build/wrap a web service for the TGT service ...
I've now done a prototype on RC2 .Net Server; the AD mapping runs,
but it seems a bit strange, not really tracked down.
It uses the extension on the X509Certificate with PrincipalName=blaa@blaa.com
and maps the account.
I also tried to move the certificate from a first delegation (proxy) box
to the real web service behind the DMZ, but it doesn't let me push the
certificate (the one from the client) behind; something like the ASPNET account
should have a profile, which it hasn't (because it's a system account), and
so it cannot negotiate the second SSL tunnel.
> 2) If #1 is true, does the framework as will be implemented in Windows
> Server 2003 make it possible?
there were some stories about Kerberos delegation, and some services,
something like 4userBlaa, and also that you could define an endpoint on
Kerberos delegation.
Meaning this machine can delegate to SqlServer only on this machine, not to
_ALL_.
But I didn't see anything visual (some AD GUI or something) on RC2.
http://www.ntsecurity.net/Articles/Index.cfm?ArticleID=26450
with LDAP it doesn't run (it could be that the API is too crippled for
Kerberos, or they are hacking like mad to get the release); I didn't do an
SQL server. I'll see that in the security log you'll have a Kerberos ticket.
N.B. you see the GUID from the user.
I'll also mention a little problem: with LDAP the AD threw a
REQUIRE_PRE_AUTHENTIFICATION error, something like a 0x19 or 0x18 Kerberos
error, when going for remote LDAP and trying to use delegation.
I would say get yourself RTM and give it a try.
I'm now also waiting for RTM.
> 3) If the answer to #2 is "No", is anybody hiring? Our application will
> likely be forced to move to a non-Windows platform if the requirements are
> not met, and I don't think I'd be moving with it.
*mhh* we're not hiring.
I think you should take the solution that does the job ...
-- .::[ carbon unit 64 69 67 69 74 61 6c 2d 66 61 6c 6c 6f 75 74 ]::.
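The feature the reply gestures at (Kerberos delegation limited to "SqlServer only on this machine, not to _ALL_", plus the "4user" services) is what Windows Server 2003 shipped as constrained delegation with protocol transition: the front-end's computer account is allowed to obtain service tickets on behalf of a user only for an explicit list of SPNs, and protocol transition covers the case in the thread, where the user arrived with a client certificate rather than a forwardable Kerberos ticket. The script below is an added example, not code from this post or from Microsoft; it assumes the ActiveDirectory PowerShell module on a domain-joined admin host, and the server name WEB01 and SPN MSSQLSvc/sql01.example.com:1433 are placeholders. It first audits which accounts already hold any form of delegation (unconstrained delegation is the setting a defender most wants to find), then scopes the web server to the single SQL SPN.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
# WEB01 and MSSQLSvc/sql01.example.com:1433 are placeholder names.
Import-Module ActiveDirectory

function Get-DelegationAudit {
    # Lists every computer and user account that can delegate, and how.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
             'msDS-AllowedToDelegateTo', 'ServicePrincipalName'
    $objs = @(Get-ADComputer -Filter * -SearchBase $SearchBase -Properties $props) +
            @(Get-ADUser     -Filter * -SearchBase $SearchBase -Properties $props)

    foreach ($o in $objs) {
        $targets = @($o.'msDS-AllowedToDelegateTo')
        $mode = if ($o.TrustedForDelegation) {
                    # Forwarded TGTs of every user are cached on this host: highest risk.
                    'Unconstrained'
                } elseif ($targets.Count -gt 0 -and $o.TrustedToAuthForDelegation) {
                    # Constrained + protocol transition (S4U2Self): the host may
                    # request tickets for users it authenticated by other means,
                    # e.g. client certificates, but only to the listed SPNs.
                    'Constrained+ProtocolTransition'
                } elseif ($targets.Count -gt 0) {
                    # Constrained, Kerberos only (S4U2Proxy with a forwardable ticket).
                    'Constrained(KerberosOnly)'
                } else { $null }

        if ($mode) {
            [pscustomobject]@{
                Name    = $o.Name
                Class   = $o.ObjectClass
                Mode    = $mode
                Targets = ($targets -join '; ')
            }
        }
    }
}

function Set-ConstrainedDelegationToSql {
    # Scopes a web server's delegation rights to exactly the given SQL SPN(s).
    param(
        [Parameter(Mandatory)][string]   $WebServer,   # e.g. 'WEB01' (placeholder)
        [Parameter(Mandatory)][string[]] $SqlSpn       # e.g. 'MSSQLSvc/sql01.example.com:1433'
    )

    # -Replace (not -Add) so stale targets from earlier experiments do not linger.
    Set-ADComputer -Identity $WebServer -Replace @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

    # Protocol transition is required because a certificate-mapped user never gave
    # the web server a forwardable TGT; unconstrained delegation is explicitly cleared.
    Get-ADComputer -Identity $WebServer |
        Set-ADAccountControl -TrustedToAuthForDelegation $true -TrustedForDelegation $false
}

# Usage (placeholders):
#   Get-DelegationAudit | Where-Object Mode -eq 'Unconstrained' | Format-Table
#   Set-ConstrainedDelegationToSql -WebServer 'WEB01' -SqlSpn 'MSSQLSvc/sql01.example.com:1433'
#   Get-DelegationAudit | Where-Object Name -eq 'WEB01'
```

Run the audit before and after the change: the web server should appear once, as Constrained+ProtocolTransition with only the SQL SPN listed, and no account should show Unconstrained unless there is a documented reason for it. The SPN in msDS-AllowedToDelegateTo must match the one registered on the SQL service account, otherwise the S4U2Proxy request is refused and the second hop falls back to anonymous, which is the "dead in the water" symptom from the original question.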