[Cross-posted]: Problem with Active Directory Mapping?
From: Ohaya (ohaya_at_cox.net)
Date: 09/11/03
- Next message: Ash: "Potential Denial of Service Attack WebMethod EnableSession=true"
- Previous message: Bernard: "Re: IIS Logs"
- Next in thread: Ohaya: "Re: [Cross-posted]: Problem with Active Directory Mapping?"
- Reply: Ohaya: "Re: [Cross-posted]: Problem with Active Directory Mapping?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Sep 2003 07:54:36 -0400
Hello,
[I originally started this thread in microsoft.public.inetserver.iis,
and am including a good portion of the thread below FYI. I'm
cross-posting, as microsoft.public.inetserver.iis.security and
microsoft.public.windows.server.security were suggested by Bernard and
Tim, respectively. My Apologies.]
Setup:
- MS Windows 2003 Server with IIS, AD, and Certificate Server.
- IIS has a self-signed server cert from Certificate Server
- Creating/installing client certificates using Certificate server
- IIS configured for client certificate authentication
- Active Directory (or Windows Directory) Mapping enabled
I hope that I haven't missed anything :)...
Problem Description:
According to:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q272175
among other places, part of the procedure to enable Active Directory
Certificate Mapping is to load the client certificates being mapped into
Active Directory (see "Map the Client Certificate to the Corresponding
Active Directory User" section on above page), by setting the "Name
Mapping" for each Active Directory user.
Using ldifde, I have confirmed that when a user is "Name Mapped", a copy
of the client certificate appears to be stored in the AD store, and when
the client certificate is deleted from the User->Name Mapping, that the
client certificate is removed from the AD store.
BUT, from my testing, whether or not ANY Users in AD have been Name Mapped,
when I make a connection from a PC (using IE) with a client certificate,
the client certificate-to-Windows user mapping still seems to be
working/occurring. I confirm this by two means:
- I have an ASP page that displays the
Request.ServerVariables("AUTH_USER"). When the mapping is working, the
user name from the client certificate is displayed. When mapping is not
working or disabled, the user name is blank/null
- The second way I confirm this is that in IIS log files, when mapping
is working, the user name is included in IIS log file entries. When
mapping is not enabled, the user name is not included in the IIS log
file entries.
Mind you, for my situation, the way that this (Active) or (Windows)
Directory Mapping is working (i.e., contrary to MS documentation,
without having to actually load the client certificates into Active
Directory) is actually a good thing operationally, but I would really
like to know WHY it is working this way (i.e., is this the way that it is
supposed to work?).
Aside from just plain curiosity, my main reasons for wanting to know are
that: (1) I need to understand how this mapping is functioning, and
also, (2) it would be disastrous for me to design/build a system based on
my finding one thing (i.e., loading certificates is not needed for
Directory Mapping) and then find out that it changes later.
Thank you all very much for your patience!!!
Tim Coffey wrote:
>
> There is a security group for IIS which might be of help:
> microsoft.public.inetserver.iis.security
>
> Thank you. I hope this information is helpful.
>
> Tim Coffey [MSFT]
>
> This posting is provided “AS IS” with no warranties, and confers no rights. You assume all risk for your use. © 2001 Microsoft
> Corporation. All rights reserved.
> --------------------
> | From: "Bernard" <qbernard@hotmail.com>
> | Subject: Re: IIS "Directory Mapper" vs. Active Directory "Directory Mapper"
> | Date: Thu, 11 Sep 2003 13:50:33 +0800
> | Lines: 440
> | Organization: -
> | X-Priority: 3
> | X-MSMail-Priority: Normal
> | X-Newsreader: Microsoft Outlook Express 6.00.3718.0
> | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3718.0
> | Message-ID: <OvGYfiCeDHA.2144@TK2MSFTNGP12.phx.gbl>
> | Newsgroups: microsoft.public.inetserver.iis
> | NNTP-Posting-Host: 203.115.210.200
> | Path: cpmsftngxa06.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP12.phx.gbl
> | Xref: cpmsftngxa06.phx.gbl microsoft.public.inetserver.iis:275031
> | X-Tomcat-NG: microsoft.public.inetserver.iis
> |
> | Damn ! :)
> |
> | Mm.. I will try to get some help.. will post when I have more detail.
> | meanwhile you can try this group -
> |
> | microsoft.public.windows.server.security
> |
> | state your setup and outcome of testing.
> |
> |
> | --
> | Regards,
> | Bernard Cheah
> | http://support.microsoft.com/
> | Please respond to newsgroups only ...
> |
> |
> | "Ohaya" <ohaya@cox.net> wrote in message news:3F5F19E3.2C272A2A@cox.net...
> | > Bernard et al,
> | >
> | > I've been doing some further analysis, using the "ldifde" tool to export
> | > the info from AD.
> | >
> | > From this testing:
> | >
> | > 1) If the User->Name Mapping is used to Add a client cert, it appears
> | > that the client cert itself is NOT added, at least from the ldifde
> | > output.
> | >
> | > 2) If the User->Published Certificate is used to Add a client cert, it
> | > appears that the client cert itself IS added, at least from the ldifde
> | > output.
> | >
> | > So, I hope that this answers one of my questions, i.e., whether the
> | > client cert itself ever does or does not get stored into AD.
> | >
> | >
> | > BUT, AGAIN, this still begs my earlier question about why Active
> | > Directory still works EVEN IF THE CLIENT CERTIFICATES are NOT stored in
> | > AD?
> | >
> | > This seems contradictory to the information from the Microsoft
> | > documentation.
> | >
> | >
> | >
> | >
> | > Ohaya wrote:
> | > >
> | > > Bernard,
> | > >
> | > > Now, your comment brings us back to the original question again :(.
> | > >
> | > > In my testing, I have SPECIFICALLY gone into AD manager, and for each
> | > > User, I have DELETED the client certificates (or, made sure that they
> | > > are not there in the first place) under the "Name Mappings". I have
> | > > also deleted (or made sure they are not there in the first place) the
> | > > client certificates in the User->Properties->Published Certificates tab.
> | > >
> | > > In other words, I think that I have either UNDONE the last step from:
> | > >
> | > > http://support.microsoft.com/default.aspx?scid=kb;en-us;q272175
> | > >
> | > > or made sure that that last step doesn't get done for each User in AD.
> | > >
> | > > And yet, in my testing, even after doing this (and the system has been
> | > > on for DAYS now - so user token caching shouldn't be an issue), the
> | > > mapping is still working, and when I connect, it is still connecting
> | > > under the Windows user login for the person in the client certificate.
> | > >
> | > > In fact, I just did another test again. I created a new user in AD,
> | > > then I requested/installed a client certificate in IE using certsrv (on
> | > > a different PC). Then I went into AD, and checked the User's Name
> | > > Mapping and Published Certificates, and there were none.
> | > >
> | > > Then I connected to IIS, to an ASP page displaying the
> | > > ServerVariables("AUTH_USER"), and it displayed the logged-in user name
> | > > from the client certificate! And, IIS log shows that same user name.
> | > >
> | > > In other words, the mapping is still working even though I didn't (or at
> | > > least don't think I did) store the client certificate into AD for that
> | > > new user.
> | > >
> | > > So, I am STILL puzzled because:
> | > >
> | > > - As you confirmed, the MS docs SEEM to indicate that to do Active
> | > > Directory Mapping, the client certificates have to be stored into AD.
> | > >
> | > > - My testing seems to indicate that even when the client certificates
> | > > are NOT stored in AD, the Active Directory Mapping works for ALL users
> | > > when the mapping is enabled.
> | > >
> | > > Something is wrong here, or I (maybe WE) are misunderstanding something
> | > > here!!!
> | > >
> | > > Can ANYONE here shed some light on this???????
> | > >
> | > > Bernard wrote:
> | > > >
> | > > > Mm.. I do a recheck on Win2003 and Win2000 cert help file.
> | > > > it seems that it does store the .cer file in AD.
> | > > >
> | > > > --
> | > > > Regards,
> | > > > Bernard Cheah
> | > > > http://support.microsoft.com/
> | > > > Please respond to newsgroups only ...
> | > > >
> | > > > "Ohaya" <ohaya@cox.net> wrote in message
> | news:3F5EAC0B.5AA589B1@cox.net...
> | > > > > Bernard,
> | > > > >
> | > > > > Thanks, you have been of great help in my understanding. A couple
> | of
> | > > > > clarifications, which I hope that you, or anyone else can respond
> | to:
> | > > > >
> | > > > >
> | > > > > Re. this:
> | > > > >
> | > > > > > I'm too sure what you mean by
> | > > > > > ". why are the other users
> | > > > > > being mapped when I have Directory Mapper enabled, even though
> | I've
> | > > > > > removed all the Published Certificates and Name Mappings for each
> | user
> | > > > > > in AD?"
> | > > > > >
> | > > > > > one of adv you might use AD mapping instead of IIS is because
> | > > > > > AD allow you to scale across domain, apply to all machines, not
> | just
> | > > > > > the IIS server. and of coz, no cert is stored in AD, it only stores
> | the
> | > > > mapping
> | > > > > > detail as of which cert is mapping for which users, those 'mapping
> | info'
> | > > > > > again I'm not too sure which attribute in the AD schema, but it's
> | there.
> | > > > >
> | > > > >
> | > > > > The instructions that I've seen for "Configuring Active Directory
> | > > > > Certificate Mapping", e.g., from the last part of:
> | > > > >
> | > > > > http://support.microsoft.com/default.aspx?scid=kb;en-us;q272175
> | > > > >
> | > > > > SEEMS to indicate that you have to "Add" each client certificate TO
> | > > > > Active Directory. The implication of this procedure SEEMS to be
> | that to
> | > > > > do Active Directory mapping you have to store/add each client
> | > > > > certificate to the AD store.
> | > > > >
> | > > > > In addition, if you right click a user in Active Directory manager
> | (and
> | > > > > if the "Advanced Features" is enabled), there is a "Published
> | > > > > Certificates" tab, which again seems to indicate that client certs
> | are
> | > > > > stored in the AD.
> | > > > >
> | > > > > Maybe I am misunderstanding what the "Add" does?
> | > > > >
> | > > > >
> | > > > >
> | > > > >
> | > > > >
> | > > > >
> | > > > > Bernard wrote:
> | > > > > >
> | > > > > > Great stuff !
> | > > > > > I'm glad you have verified 1) and 2)
> | > > > > >
> | > > > > > I'm too sure what you mean by
> | > > > > > ". why are the other users
> | > > > > > being mapped when I have Directory Mapper enabled, even though
> | I've
> | > > > > > removed all the Published Certificates and Name Mappings for each
> | user
> | > > > > > in AD?"
> | > > > > >
> | > > > > > one of adv you might use AD mapping instead of IIS is because
> | > > > > > AD allow you to scale across domain, apply to all machines, not
> | just
> | > > > > > the IIS server. and of coz, no cert is stored in AD, it only stores
> | the
> | > > > mapping
> | > > > > > detail as of which cert is mapping for which users, those 'mapping
> | info'
> | > > > > > again I'm not too sure which attribute in the AD schema, but it's
> | there.
> | > > > > >
> | > > > > > --
> | > > > > > Regards,
> | > > > > > Bernard Cheah
> | > > > > > http://support.microsoft.com/
> | > > > > > Please respond to newsgroups only ...
> | > > > > >
> | > > > > > "Ohaya" <ohaya@cox.net> wrote in message
> | > > > news:3F5DBDD4.9BD9130E@cox.net...
> | > > > > > > Bernard,
> | > > > > > >
> | > > > > > > Ok, I've completed my additional testing, and here is what I've
> | found:
> | > > > > > >
> | > > > > > > 1) It does appear that some of the behavior that I saw (being
> | able to
> | > > > > > > connect with client cert even though the user had been deleted
> | from
> | > > > AD,
> | > > > > > > but client cert had not been revoked) was because of the IIS
> | user
> | > > > token
> | > > > > > > caching.
> | > > > > > >
> | > > > > > > 2) It turned out ( :)!!!) that I did have the "Allow anonymous"
> | > > > checked
> | > > > > > > in the specific website Directory Security page. Once I
> | unchecked
> | > > > that,
> | > > > > > > and after deleting the user from AD, and waiting, I got an error
> | when
> | > > > > > > trying to connect with the client cert for the user that was
> | deleted.
> | > > > > > >
> | > > > > > >
> | > > > > > > So, it appears that the way that IIS works if Directory Mapper
> | is
> | > > > > > > enabled and allow anonymous" is enabled is that if the client
> | cert is
> | > > > > > > good, IIS will still allow the user to connect under the
> | anonymous
> | > > > > > > user. In this case, the ServerVariables("AUTH_USER") returns a
> | null
> | > > > > > > string.
> | > > > > > >
> | > > > > > >
> | > > > > > > BUT, I think that this still begs the earlier question about HOW
> | > > > > > > Directory Mapper is actually working, i.e., why are the other
> | users
> | > > > > > > being mapped when I have Directory Mapper enabled, even though
> | I've
> | > > > > > > removed all the Published Certificates and Name Mappings for
> | each user
> | > > > > > > in AD?
> | > > > > > >
> | > > > > > > Like I said, it appears to me like the way that Directory Mapper
> | is
> | > > > > > > working is:
> | > > > > > >
> | > > > > > > - IIS does successful SSL client authentication
> | > > > > > > - IIS extracts user name from client certificate, and uses that
> | to
> | > > > login
> | > > > > > > as the Windows user per that name
> | > > > > > >
> | > > > > > > i.e., AD does not appear to be involved at all in this
> | "Directory
> | > > > > > > Mapping", other than for the actual logging of the Windows user
> | for
> | > > > the
> | > > > > > > session, and client certificates DO NOT need to be "stored" in
> | AD for
> | > > > > > > Directory Mapper to work????
> | > > > > > >
> | > > > > > >
> | > > > > > >
> | > > > > > >
> | > > > > > > Ohaya wrote:
> | > > > > > > >
> | > > > > > > > Bernard,
> | > > > > > > >
> | > > > > > > > Re:
> | > > > > > > >
> | > > > > > > > > As for why it is working with mapping to AD user, I guess it's
> | using
> | > > > > > > > > IIS mapping and default to the anonymous account.
> | > > > > > > >
> | > > > > > > > If the above is the case (that it is defaulting to the
> | anonymous
> | > > > > > > > account), why is my test ASP page, where I display/output the
> | > > > > > > > ServerVariables("AUTH_USER") still showing the user name (from
> | the
> | > > > client
> | > > > > > > > certificate)? As I just posted, that was really the point of
> | my
> | > > > latest
> | > > > > > > > experiment, to prove to myself that when Directory Mapper was
> | > > > enabled,
> | > > > > > > > whether IIS was logging in as the Windows user (per the
> | mapping) or
> | > > > not
> | > > > > > > > :(.
> | > > > > > > >
> | > > > > > > > Bernard wrote:
> | > > > > > > > >
> | > > > > > > > > To answer your questions
> | > > > > > > > > 1) yes
> | > > > > > > > > 2) yes
> | > > > > > > > > 3) Win 2003 behaviour - I'm not sure, only tried once in
> | w2k.
> | > > > > > > > > to enable AD mapping, go to IIS MMC, right click on 'web
> | sites'
> | > > > node.
> | > > > > > > > > select 'directory security' tab and check the Windows DS
> | mapper.
> | > > > > > > > >
> | > > > > > > > > As for why it is working with mapping to AD user, I guess it's
> | using
> | > > > > > > > > IIS mapping and default to the anonymous account.
> | > > > > > > > >
> | > > > > > > > > For IIS 6.0, open IIS MMC, press F1 and search for
> | 'certificate
> | > > > > > mapping'
> | > > > > > > > > for more detail.
> | > > > > > > > >
> | > > > > > > > > --
> | > > > > > > > > Regards,
> | > > > > > > > > Bernard Cheah
> | > > > > > > > > http://support.microsoft.com/
> | > > > > > > > > Please respond to newsgroups only ...
> | > > > > > > > >
> | > > > > > > > > "Ohaya" <ohaya@cox.net> wrote in message
> | > > > > > news:3F5D5385.20A5BDFA@cox.net...
> | > > > > > > > > > Bernard,
> | > > > > > > > > >
> | > > > > > > > > > Thanks for the pointer.
> | > > > > > > > > >
> | > > > > > > > > > So, if I'm understanding this article, "IIS mapping" is
> | done
> | > > > purely
> | > > > > > > > > > within IIS (e.g., for one-to-one mapping, the client certs
> | are
> | > > > > > stored
> | > > > > > > > > > somewhere that IIS knows about) and includes ability to do
> | > > > > > one-to-one
> | > > > > > > > > > and many-to-one mapping from within IIS?
> | > > > > > > > > >
> | > > > > > > > > > And, with "Active Directory Mapping", IIS checks the AD
> | store
> | > > > for
> | > > > > > > > > > matches for the incoming client certificate, and uses info
> | from
> | > > > AD
> | > > > > > to
> | > > > > > > > > > then logon to the matching Windows user?
> | > > > > > > > > >
> | > > > > > > > > >
> | > > > > > > > > > BTW, one of the test servers that I'm working on is
> | Win2003 (I
> | > > > > > assumed
> | > > > > > > > > > it would be the same as Win2K), and what I'm really
> | puzzled
> | > > > about is
> | > > > > > > > > > that I've tried to follow the Active Directory Mapping
> | method,
> | > > > and
> | > > > > > what
> | > > > > > > > > > I'm finding is that even if I don't do the steps in "Map
> | the
> | > > > Client
> | > > > > > > > > > Certificate to the Corresponding Active Directory User" in
> | the
> | > > > > > 272175
> | > > > > > > > > > article, it appears to be mapping the client certs to user
> | > > > accounts
> | > > > > > > > > > correctly.
> | > > > > > > > > >
> | > > > > > > > > > In other words, I am enabling the Active Directory Mapper,
> | and
> | > > > > > enabling
> | > > > > > > > > > client certificate mapping on the website, but not going
> | through
> | > > > the
> | > > > > > > > > > last step in that article, and it's still working (I can
> | tell,
> | > > > > > because I
> | > > > > > > > > > have an ASP script that displays some debugging info).
> | > > > > > > > > >
> | > > > > > > > > > Plus, I don't see any "Master properties" box anywhere
> | :(...
> | > > > > > > > > >
> | > > > > > > > > > Any ideas why this is working without doing all the "name
> | > > > mapping"
> | > > > > > on
> | > > > > > > > > > the individual users in AD?
> | > > > > > > > > >
> | > > > > > > > > > Thanks again!!!
> | > > > > > > > > >
> | > > > > > > > > >
> | > > > > > > > > >
> | > > > > > > > > > Bernard wrote:
> | > > > > > > > > > >
> | > > > > > > > > > > Try this kb
> | > > > > > > > > > > Comparing IIS 5.0 Certificate Mapping and Native Windows
> | 2000
> | > > > > > Active
> | > > > > > > > > > > Directory Certificate Mapping
> | > > > > > > > > > > http://support.microsoft.com/?id=216906
> | > > > > > > > > > >
> | > > > > > > > > > > --
> | > > > > > > > > > > Regards,
> | > > > > > > > > > > Bernard Cheah
> | > > > > > > > > > > http://support.microsoft.com/
> | > > > > > > > > > > Please respond to newsgroups only ...
> | > > > > > > > > > >
> | > > > > > > > > > > "Ohaya" <ohaya@cox.net> wrote in message
> | > > > > > > > > news:3F5D4163.AC093043@cox.net...
> | > > > > > > > > > > > Hi,
> | > > > > > > > > > > >
> | > > > > > > > > > > > I've been trying to figure out how to map client
> | > > > certificates to
> | > > > > > > > > Windows
> | > > > > > > > > > > > accounts on SSL connections into an IIS server, and
> | I've
> | > > > been
> | > > > > > reading
> | > > > > > > > > > > > through all kinds of documents, and am confused.
> | > > > > > > > > > > >
> | > > > > > > > > > > > With Windows 2000 (and 2003) are there two DIFFERENT
> | > > > "Mappers",
> | > > > > > i.e.,
> | > > > > > > > > is
> | > > > > > > > > > > > there an "IIS Directory Mapper" and a (different)
> | "Active
> | > > > > > Directory
> | > > > > > > > > > > > Directory Mapper"?
> | > > > > > > > > > > >
> | > > > > > > > > > > > The documents on MSDN, etc. seem to indicate this is
> | the
> | > > > case.
> | > > > > > > > > > > >
> | > > > > > > > > > > > Can anyone clarify this? And, if there are these two
> | > > > methods,
> | > > > > > what's
> | > > > > > > > > > > > the difference between them, and why would you use one
> | vs.
> | > > > the
> | > > > > > other?
> | > > > > > > > > > > >
> | > > > > > > > > > > > Thanks in advance!!!
> |
> |
> |
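A way to automate the ldifde check the thread relies on, as an added example that is not code from the original thread: it parses an export and reports, per user, whether AD holds a Name Mapping or a Published Certificate, assuming those two AD Users and Computers tabs write the altSecurityIdentities and userCertificate attributes respectively; the LDIF sample is constructed.

```python
import base64

# Added example (not from the thread). Assumes the attributes the AD Users and
# Computers tabs write: "Name Mappings" -> altSecurityIdentities (a string of
# the form X509:<I>issuer<S>subject) and "Published Certificates" ->
# userCertificate (DER bytes, which ldifde emits base64-encoded after '::').
# Constructed ldifde-style export: alice has one Name Mapping (folded across
# two lines, as ldifde does for long values) and one published certificate;
# bob has neither. The base64 blob is a placeholder, not a real certificate.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: alice
altSecurityIdentities: X509:<I>DC=test,DC=example,CN=Example CA<S>DC=test,DC=e
 xample,CN=Users,CN=alice
userCertificate:: AAECAwQFBgcICQ==

dn: CN=bob,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bob
"""

def parse_ldif(text):
    """Return one dict per LDIF record: lower-cased attribute name -> list of
    values (str, or bytes for base64 '::' values)."""
    lines = []
    for raw in text.splitlines():       # unfold: leading space = continuation
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:           # sentinel flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):        # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip()
        current.setdefault(name.lower(), []).append(value)
    return records

def mapping_report(records):
    """Per user object: its explicit Name Mappings and a count of published
    certificates; an empty entry means AD holds no mapping data for the user."""
    report = {}
    for rec in records:
        classes = [v.lower() for v in rec.get("objectclass", []) if isinstance(v, str)]
        if "user" not in classes:
            continue
        account = rec.get("samaccountname", ["<no sAMAccountName>"])[0]
        report[account] = {
            "name_mappings": [v for v in rec.get("altsecurityidentities", [])
                              if isinstance(v, str)],
            "published_certs": sum(1 for v in rec.get("usercertificate", [])
                                   if isinstance(v, bytes)),
        }
    return report
```

Run it against a real `ldifde -f users.ldf` export by reading the file instead of SAMPLE_LDIF; users with an empty entry are exactly those for whom the thread's "last step" was never done.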