Re: IIS Certificate Mapping password retrieval
From: Craig Humphrey (craig.humphrey_at_nospam.chapmantripp.com)
Date: 10/23/03
- Next message: Jonathan Maltz [MS-MVP]: "Re: IIS 6.0 - All Unknown CGI Extensions"
- Previous message: T.J.: "secure homepage"
- In reply to: Ohaya: "Re: IIS Certificate Mapping password retreival"
- Next in thread: Ohaya: "Re: IIS Certificate Mapping password retreival"
- Reply: Ohaya: "Re: IIS Certificate Mapping password retreival"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 23 Oct 2003 11:11:24 +1300
Hi Ohaya,
I think you've crossed the wires slightly.
The password retrieval is in IIS's Certificate Mapping, NOT in AD's.
AD's problem is that it bases certificate mapping on the "Subject" line of
the cert (and the issuer), which is not guaranteed to be unique.
While certificates that are issued automatically by AD will (I think) have
the username as part of the subject, these certs cannot be used for
logging into, say, IIS, and I think this is because of two things.
1. The user never has the private key (both private and public keys are
stored in AD only) [but I could be wrong on this one].
2. To achieve cert mapping for IIS (from AD) you need to have the cert
installed into Active Directory Users and Computers | Right Click a user |
Name Mappings | X.509 Certificates. Make sure you have Advanced Features
turned on, otherwise Name Mappings doesn't show up. Only it never maps the
cert, it only maps the Subject line from the cert (and the issuer).
Make more sense?
Later'ish
Craig
"Ohaya" <ohaya@cox.net.NO_SPAM> wrote in message
news:ett0ZqFmDHA.988@TK2MSFTNGP10.phx.gbl...
> Craig,
>
> It's been awhile since I've worked with it, and perhaps I'm missing
> something, but if you assume that you are running MS Certificate Server as
> an Enterprise CA (vs. a standalone CA), when user requests a client
> certificate, they have to authenticate themselves to Windows. Their Windows
> username then gets embedded into the Subject (actually something like the
> SubjectAlternate field) of the client certificate that gets issued.
>
> Then, when the AD mapping occurs, the Windows username gets extracted from
> the authenticated client cert, and is used to logon (via impersonation) as
> that user.
>
> The client certificate is signed, so client certificate authentication
> implies (within limits of cryptography) that the username in the cert has
> not been tampered with.
>
> I guess what I'm saying is that, given the above scenario, I don't see where
> the user's password gets exposed to the admin??
>
> I think that you're correct that if you use AD mapping, that you need AD, or
> perhaps more globally, you have to buy into a whole bunch of MS-specific
> mechanisms, but then, why are you even looking at certificate mapping in the
> first place?
>
> Presumably (and this may be a bad assumption), this is because you want to
> enforce some kind of ACL or role/privilege in your system, and it seems to
> me that the choices are use the infrastructure/mechanisms that MS provides
> (AD, AD mapping, etc.), "roll your own" (i.e., implement the
> roles/privileges in your application), possibly with the "help" of some
> 3rd-party products...
>
> Sorry for rambling on, but we've been going through somewhat similar
> ruminations ourselves :)....
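The Name Mappings step Craig describes writes an altSecurityIdentities value of the form X509:<I>issuer<S>subject onto the user object, with each DN in reverse RDN order. The script below is an added example, not code from the original post or from Microsoft; it builds that value from a certificate file and shows that two different certificates with the same issuer and subject produce the identical mapping, which is the uniqueness problem Craig points at. The certificate paths and the sAMAccountName 'alice' are placeholders, and Set-ADUser/Get-ADUser assume the RSAT ActiveDirectory module.

```powershell
# Added example (not from the original post). Builds the altSecurityIdentities
# string that the ADUC "Name Mappings | X.509 Certificates" dialog stores, and
# shows why two certs with the same issuer+subject are indistinguishable to AD.
# Assumed placeholders: the .cer paths and the sAMAccountName 'alice'.

function Get-X509IssuerSubjectMapping {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # AD stores issuer and subject in reverse RDN order, e.g.
    # "CN=alice, DC=contoso, DC=com" becomes "DC=com,DC=contoso,CN=alice".
    # Format($true) emits one RDN per line, which avoids splitting on commas
    # that may legitimately appear inside an RDN value.
    function ConvertTo-ReversedDn(
        [System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Dn) {
        $rdns = @($Dn.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
        [array]::Reverse($rdns)
        return ($rdns -join ',')
    }

    $issuer  = ConvertTo-ReversedDn $Certificate.IssuerName
    $subject = ConvertTo-ReversedDn $Certificate.SubjectName
    return "X509:<I>$issuer<S>$subject"
}

# Two certificates from the same CA carrying the same subject (a renewed cert,
# or a second cert issued to the same name) yield the same mapping string.
# Only the names are mapped, not the key or the certificate itself.
$certA = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\alice-2003.cer'    # assumed path
$certB = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\alice-renewed.cer' # assumed path

$mapA = Get-X509IssuerSubjectMapping $certA
$mapB = Get-X509IssuerSubjectMapping $certB
Write-Host "Mapping A: $mapA"
Write-Host "Mapping B: $mapB"
Write-Host ("Same mapping, different certificates: " +
    (($mapA -eq $mapB) -and ($certA.Thumbprint -ne $certB.Thumbprint)))

# Equivalent to adding the certificate in the Name Mappings dialog.
# Requires the ActiveDirectory (RSAT) module; 'alice' is an assumed account.
Set-ADUser -Identity 'alice' -Add @{ altSecurityIdentities = $mapA }

# Verify what is now mapped on the account.
(Get-ADUser -Identity 'alice' -Properties altSecurityIdentities).altSecurityIdentities
```

A practitioner's caveat: because the stored value is only the issuer and subject names, any certificate the same issuer signs with the same subject authenticates as that user, so the CA's issuance policy is the real control. On current Windows this issuer+subject form is classed as a weak mapping (KB5014754); the strong forms bind to the issuer plus serial number or the subject key identifier instead, and should be preferred where the domain controllers support them.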