Re: Client certificate error with web services

Do you know which attribute in the certificate is being used to identify the
user to Windows via the mapping?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"oldbear" <oldbear@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0626FCAF-1B3A-4B66-95E7-AB3C848DECB3@xxxxxxxxxxxxxxxx
Hi

I have a web service which uses WSE for signing, and SSL for
confidentiality
and authentication.

Authentication is via client certificates.

The above scenario is already implemented and cannot be changed.

Client certs produced by a Microsoft CA work fine for authentication. The
certificate is mapped to a user in the SAM via certificate mapping. In the
IIS log, I can see that the user is the one from the local SAM, and so
this
means that the certificate mapping has taken place.

However, when I use a certificate produced by GeoTrust, this will not
work.
It results in a 403: Access Forbidden error (status code of 5).

The iis log shows that the mapping to the user account has not taken
place.

The client cert from the Microsoft CA shows that it is valid for Client
Authentication only in the properties box, and it's purpose is 'Proves
your
identity to a remote computer'.

The certificate from GeoTrust shows that it is valid for Client
Authentication, as well as other uses. It's purpose is 'All application
policies'.

The CRLs for the Geotrust cert have been downloaded from the CRL
distribution point and placed in the certificate store. Intermediate certs
have been placed in the Intermediate Authorities folder, and the root
authority has been placed in the trusted root ca folder.

Please can you give any suggestions on why this does not work. Let me know
if you need further clarification.

Thanks in advance

--
----------------------------------
Chris Seary
http://blog.searyblog.com/




.

Relevant Pages

  • Re: LDP client authentication fails
    ... The remote server has requested SSL client authentication, ... I have copied the personal certificate as follows: ...
    (microsoft.public.windows.server.active_directory)
  • Re: LDP client authentication fails
    ... I got the LDP working with LDAP server under server client authentication ... I did not installed the certificate in pfx format .. ... Client cert auth won't work without that. ...
    (microsoft.public.windows.server.active_directory)
  • SNA 3270 to IP TN3270 Conversion =?ISO-8859-1?Q?=96?= Data Stream Encryption
    ... asked them on their thoughts regarding data stream encryption, ... which means that all data is encrypted before it is sent to the client. ... certificate and the keys from three different places: ... SSL client authentication provides additional authentication and access ...
    (bit.listserv.ibm-main)
  • RE: Client certificate authentication
    ... "SSPI Mutual Authentication Is Indicated on the Client Side But Not on the ... I have seen an known issue of AcceptSecurityContext() not return ... successfully able to map the certificate to a user account in AD. ...
    (microsoft.public.platformsdk.security)
  • RE: Client certificate authentication
    ... "SSPI Mutual Authentication Is Indicated on the Client Side But Not on the ... I have seen an known issue of AcceptSecurityContext() not return ... successfully able to map the certificate to a user account in AD. ...
    (microsoft.public.platformsdk.security)