Re: Client certificate error with web services



Hi Joe

I used the CN attribute with a wildcard. I also tried using a 1-to-1 mapping with an exported .cer file from the cert.

It worked fine with the Microsoft CA cert.


--
----------------------------------
Chris Seary
http://blog.searyblog.com/




"Joe Kaplan" wrote:

Do you know which attribute in the certificate is being used to identify the
user to Windows via the mapping?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"oldbear" <oldbear@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:0626FCAF-1B3A-4B66-95E7-AB3C848DECB3@xxxxxxxxxxxxxxxx
Hi

I have a web service which uses WSE for signing, and SSL for confidentiality and authentication.

Authentication is via client certificates.

The above scenario is already implemented and cannot be changed.

Client certs produced by a Microsoft CA work fine for authentication. The certificate is mapped to a user in the SAM via certificate mapping. In the IIS log, I can see that the user is the one from the local SAM, and so this means that the certificate mapping has taken place.

However, when I use a certificate produced by GeoTrust, this will not work. It results in a 403: Access Forbidden error (status code of 5).

The IIS log shows that the mapping to the user account has not taken place.

The client cert from the Microsoft CA shows that it is valid for Client Authentication only in the properties box, and its purpose is 'Proves your identity to a remote computer'.

The certificate from GeoTrust shows that it is valid for Client Authentication, as well as other uses. Its purpose is 'All application policies'.

The CRLs for the GeoTrust cert have been downloaded from the CRL distribution point and placed in the certificate store. Intermediate certs have been placed in the Intermediate Certification Authorities folder, and the root authority has been placed in the Trusted Root Certification Authorities folder.

Please can you give any suggestions on why this does not work. Let me know if you need further clarification.

Thanks in advance

--
----------------------------------
Chris Seary
http://blog.searyblog.com/





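The two mapping styles Chris mentions (a many-to-one rule with a wildcard on the subject CN, and a one-to-one rule against an exported .cer) compare different things, and the fastest way to see why one certificate maps and another does not is to dump exactly the fields each rule looks at. The script below is an added example written for this page, not code from the thread or from Microsoft; it uses only the openssl command line. Everything in it is assumed for illustration: the certificates are self-signed throwaways rather than CA-issued, the "geo" certificate is a guess at a public-CA style subject and a multi-value EKU (not the real GeoTrust cert's contents), shell glob matching stands in for the wildcard semantics of the IIS rule editor, and a SHA-1 fingerprint compare stands in for the whole-certificate compare that a one-to-one mapping performs.

```shell
#!/bin/sh
# Added example (not from the thread). Builds throwaway client certs and shows
# what an IIS many-to-one rule (subject field + wildcard) and a one-to-one rule
# (the stored .cer itself) would match against. Needs openssl >= 1.1.1 (-addext).
set -e
WORK=$(mktemp -d)

# gen_cert PREFIX SUBJECT EKU -> writes $WORK/PREFIX.pem (self-signed: an assumption,
# a real client cert would be issued by the enterprise or public CA).
gen_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -subj "$2" -addext "extendedKeyUsage=$3" 2>/dev/null
}

# Cert shaped like an enterprise CA would issue for a SAM account: short CN, clientAuth only.
gen_cert ms  "/CN=chris.seary/O=Example Corp"                     "clientAuth"
# Cert shaped like a public CA might issue (assumed layout): other subject, several purposes.
gen_cert geo "/CN=Chris Seary/OU=Web Services/O=Example Corp"     "clientAuth,emailProtection"
# Same subject as "ms" but a fresh key and serial: a renewed cert, for the one-to-one case.
gen_cert ms2 "/CN=chris.seary/O=Example Corp"                     "clientAuth"

# Print the CN component of a certificate's subject.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds if the EKU extension lists TLS Web Client Authentication.
cert_has_client_auth_eku() {
    openssl x509 -noout -text -in "$1" |
        grep -A1 'Extended Key Usage' | grep -q 'TLS Web Client Authentication'
}

# Many-to-one rule: a wildcard pattern tested against the subject CN.
# Shell glob semantics stand in for the IIS rule editor's wildcard (assumption).
many_to_one_match() {   # CERT PATTERN
    cn=$(cert_cn "$1")
    case "$cn" in
        $2) return 0 ;;
        *)  return 1 ;;
    esac
}

# One-to-one rule: IIS keeps the exported .cer and matches the certificate itself,
# so a renewed cert with the same subject does not map. Fingerprint compare models that.
one_to_one_match() {    # PRESENTED_CERT STORED_CER
    a=$(openssl x509 -noout -fingerprint -sha1 -in "$1")
    b=$(openssl x509 -noout -fingerprint -sha1 -in "$2")
    [ "$a" = "$b" ]
}

# Side-by-side dump of the fields a mapping rule can see, to explain a mismatch.
mapping_fields() {
    for c in "$@"; do
        echo "== $c"
        openssl x509 -noout -subject -issuer -nameopt RFC2253 -in "$c"
        if cert_has_client_auth_eku "$c"; then
            echo "eku: clientAuth present"
        else
            echo "eku: clientAuth absent"
        fi
        openssl x509 -noout -fingerprint -sha1 -in "$c"
    done
}

mapping_fields "$WORK/ms.pem" "$WORK/geo.pem"

# A wildcard written for the enterprise cert's CN; the other cert's CN differs,
# so no account is mapped even though both carry the clientAuth EKU.
for c in ms geo; do
    if many_to_one_match "$WORK/$c.pem" 'chris.*'; then
        echo "$c: many-to-one rule CN=chris.* matches"
    else
        echo "$c: many-to-one rule CN=chris.* does not match, no account mapped"
    fi
done
```

Run it once and compare the two `==` sections: if the subject layout or issuer of the public-CA cert differs from what the wildcard rule expects, the many-to-one mapping fails regardless of the cert chaining correctly; if a one-to-one mapping is in use, any re-issued certificate needs its new .cer uploaded again.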