Client Certificate Mapping and Delegation?
From: Steve Jansen (steve.jansen@nospam.byteinteractive.com)
Date: 03/05/03
- Next message: Gustavo: "iis block access"
- Previous message: James: "cookies are bugging me"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Steve Jansen" <steve.jansen@nospam.byteinteractive.com> Date: Wed, 5 Mar 2003 10:32:46 -0500
Hello,
Is it possible (supported or unsupported) to perform security delegation on
W2K/IIS 5 when authenticating visitors by client certificate mapping over
SSL?
Basically, I want the visitor to connect to a SQL Server instance (via
Windows authentication) using the credentials mapped to their certificate.
The SQL Server cluster is on the same AD domain, but, different machines
from the web server cluster. When connecting to SQL, I always receive
"Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error, which
generally occurs when the NT credentials are not passed or delegated over
Windows authentication.
I can get delegation to work via Kerberos with Windows Authentication (aka
Challenge/Response) in our development environment. I can also accomplish
this goal using Basic Authentication over SSL, as IIS has the plaintext
credentials.
I cannot get this to work using client certificate mapping, which is
unexpected as IIS has the username/password mapping credentials stored in
the metabase. Thus, I would expect IIS to be able either use the persisted
credentials, or delegate via a Kerberos ticket.
-- -Steve Jansen Byte Interactive
- Next message: Gustavo: "iis block access"
- Previous message: James: "cookies are bugging me"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
