Re: Can IIS Log username from client certificate?
From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: Sat, 6 Sep 2003 15:20:13 -0700
IIS *requires* some authenticated Windows user to be used for every request.
i.e. "Anonymous" authentication means that IIS uses a built in IUSR account.
Any other authentication implies some Windows user identity is authenticated
through a variety of protocols.
To use client certificates for authentication, you must provide some way to
map a cert user identity to some Windows user. Without this mapping, IIS
will not know what authenticated Windows identity to use for that request.
If you do not want a 1-1 mapping, what about a many-to-1 mapping?
In other words -- if you want an Authorization model (i.e.
list/read/write/execute) based on cert user identity, you will need a 1-1
mapping so that NT ACLs can work for you. If you plan to have all cert user
identities have similar authorization, use a many-to-1 mapping (with a couple
of exceptions to allow administrators, etc).
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Ohaya" <email@example.com> wrote in message
news:3F57E951.84D404E9@cox.net...

Ohaya wrote:
>
> Hi,
>
> I'm running IIS under Win2003 Server, and have "client authentication
> required" enabled but with mapping from the client cert to the Windows
> username NOT enabled.
>
> Is there any way to have IIS log the username from the client's
> certificate logged to the IIS log file, without the user having to enter
> username/password (basic authentication)?
>
> If not, is it possible to get the username from the certificate
> programmatically, e.g., using ASP?
>
> Thanks in advance!!!

Hi,

I've done some further experimentation and it looks like if I
enable/configure mapping from the client certificate to Windows username,
the user name does appear in the IIS logs.

However, as indicated in my original post, we would really like to
accomplish this (have name from the client cert appear in the IIS logs)
without having to set up the mapping. Is there any way to do this?

I've also found that .NET has an HTTPClientCertificate class that might
allow us to retrieve the DN from the client cert, but here again, we'd like
to not have to go to .NET just yet. Is there anything with "regular" ASP
that would allow us to do this?

Thanks again in advance!!!
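
On the question of reading the certificate name from "regular" ASP, here is an added example (not part of the original thread, and not Microsoft's code) that uses the built-in `Request.ClientCertificate` collection and `Response.AppendToLog`. The `certcn=` label and the `SanitizeForLog` helper are hypothetical names chosen for illustration. The text is appended to the URI query portion of the request's log entry, not to the username field, which still reflects the Windows identity described in the reply above.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example: record the client certificate's subject CN in the IIS
' log entry for this request, without certificate-to-account mapping.

' AppendToLog accepts at most 80 characters per call.
Const MAX_LOG_LEN = 80

' The subject name is chosen by whoever requested the certificate, so it
' is untrusted input. Keep printable ASCII only; replace spaces (the W3C
' log field delimiter) and commas (not allowed by AppendToLog) with "_";
' drop control characters such as CR/LF so the value cannot forge or
' split log lines.
Function SanitizeForLog(ByVal s)
    Dim i, ch, code, cleaned
    cleaned = ""
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        code = AscW(ch)
        If code = 32 Or code = 44 Then
            cleaned = cleaned & "_"
        ElseIf code > 32 And code < 127 Then
            cleaned = cleaned & ch
        End If
    Next
    SanitizeForLog = cleaned
End Function

Dim cn, entry

' "Subject" + "CN" selects the common-name subfield of the subject.
' The value is empty when the client presented no certificate.
cn = Request.ClientCertificate("SubjectCN")

If Len(cn) = 0 Then
    entry = "certcn=-"
Else
    entry = "certcn=" & SanitizeForLog(cn)
End If

' Truncate so the call stays within the AppendToLog length limit.
Response.AppendToLog Left(entry, MAX_LOG_LEN)
%>
```

For W3C extended logging the URI Query field has to be enabled for the appended text to appear, and only requests that run this script are annotated, so it is typically placed in a shared include.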