Re: IIS Certificate Mapping password retrieval

From: Ohaya (ohaya_at_cox.net.NO_SPAM)
Date: 10/23/03


Date: Wed, 22 Oct 2003 19:38:04 -0400

Craig,

Comments below, interspersed....

Craig Humphrey wrote:
>
> Hi Ohaya,
>
> I think you've crossed the wires slightly.
>
> The password retrieval is in IIS's Certificate Mapping, NOT in AD's.

Actually, I understood that :)...

>
> AD's problem is that it bases certificate mapping on the "Subject" line of
> the cert (and the issuer), which is not guaranteed to be unique.

I don't think that that above is completely accurate... I agree that
"Active Directory Mapping" uses the info in the Subject field of the
client cert, but:

a) When you have/use Certificate Server that is configured as an
Enterprise CA, from my testing, you have to first have each user created
as a User in Active Directory (and thus the same User "under Windows")
before the user can request a client cert.

And, you cannot (as far as I know - I just tried it) create the same
user twice in AD, so that means that each time you create a new user,
it'll have to be unique.

b) When the user uses, say, IE to request a client cert at
http://mymachine/certsrv, that user must authenticate as a User against
Active Directory (which, again, is unique). The info from AD is then
used to populate the Subject field in the client cert (which, again,
means that among all the certs issued by this Certificate Server, each
client cert will have a unique Subject).

> While certificates that are issued automatically by AD will (I think) have
> the username as part of the subject, these certs are not able to be used for
> logging into say IIS, and I think this is because of two things.
> 1. The user never has the private key (both private and public keys are
> stored in AD only) [but I could be wrong on this one].
> 2. To achieve cert mapping for IIS (from AD) you need to have the cert
> installed into Active Directory Users and Computers | Right Click a user |
> Name Mappings | X.509 Certificates. Make sure you have Advanced Features
> turned on, otherwise Name Mappings doesn't show up. Only it never maps the
> cert, it only maps the Subject line from the cert (and the issuer).

I'm not clear what you mean by "these certs are not able to be used
logging into say IIS", BUT, instead of doing #2 above (which is actually
IIS mapping, not Active Directory Mapping, I think), have you tried the
procedure in the Section "Enable the Active Directory Mapper in IIS 5.0"
on this page:

http://support.microsoft.com/default.aspx?scid=kb;en-us;q272175

This procedure does NOT cause the client certs to be stored into the
Active Directory (or anywhere else on the server from what I can
tell)... I have verified this myself using LDIFDE to dump Active
Directory. Nor does it store any username or password info into Active
Directory.

From what I can tell (and I'll admit that this is only from my testing,
as I never got a clear explanation despite numerous posts), the way that
this "Active Directory Mapping" works is:

1) Client connects to IIS
2) Client and IIS mutually authenticate ==> cert is valid and unaltered
3) IIS extracts the "username" (I think it's referred to as the UPN
actually) from the client certificate
4) IIS impersonates the user per the username, and logs into Windows as
that user.

In other words, this mapping is done kind of "statelessly", just based
on the info in the client certs themselves.

Using ASP, you can actually verify that with the above, the user is
really logged into Windows as that user, BTW.

I know that this is really confusing.

The MS docs seem to be really inconsistent in the way they discuss
mapping. Some docs talk about "Windows Directory Mapping", and some
others talk about "Active Directory Mapping".

Before we go on, I hope that you understand and believe that none of
the above is intended to be "flaming". Like I said in a previous post,
I've been through a lot of this earlier when I was testing, and I got
some help on these NGs, but there's still some stuff that I never did
get clear answers on, so I understand how confusing all of this is (and
MS' docs on their websites sometimes make things even more confusing,
e.g., with the naming).

One last thing: I heard a while ago that support for Certificate Server
issues was moved over to the Active Directory NGs. This is one of those
that I never got a clear answer on, but maybe if you go there, you can
get more confused like I did :). I think that there are MS people over
there who are involved in AD.
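The stateless mapping described in steps 1-4 above, as an added example that is not part of this thread and not IIS's own code: a minimal DER walk that pulls the UPN otherName out of an X.509 Subject Alternative Name extension (step 3), and a `map_client_cert` function that, like the mapper the post describes, returns an account name derived only from the certificate contents and looks nothing up on the server. The OID `1.3.6.1.4.1.311.20.2.3` is Microsoft's `szOID_NT_PRINCIPAL_NAME`; the SAN bytes, the account names and the `trusted_issuers` check (a stand-in for the chain validation IIS does during the TLS handshake in step 2) are all constructed for the example.

```python
# Added example (not from the original thread or from IIS): parse the
# User Principal Name (UPN) out of a Subject Alternative Name extension
# and map it to an account the way the post describes the AD mapper doing
# it, i.e. purely from the certificate, with no server-side lookup.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME

# --- tiny DER helpers (enough for short, definite-length elements) ------

def _encode_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + _encode_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

# --- build a constructed SAN so the example runs offline ----------------

def build_san(upn=None, dns_names=()):
    """GeneralNames SEQUENCE with an optional UPN otherName and dNSNames."""
    names = b""
    if upn:
        # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT UTF8String }
        other = tlv(0x06, encode_oid(UPN_OID)) + tlv(0xA0, tlv(0x0C, upn.encode()))
        names += tlv(0xA0, other)           # GeneralName [0] otherName
    for d in dns_names:
        names += tlv(0x82, d.encode())      # GeneralName [2] dNSName
    return tlv(0x30, names)

# --- the part the mapper actually needs ---------------------------------

def extract_upn(san_der):
    """Walk the GeneralNames and return the UPN string, or None if absent."""
    tag, body, _ = read_tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, name, pos = read_tlv(body, pos)
        if tag != 0xA0:                     # only otherName entries matter
            continue
        _, oid_raw, p = read_tlv(name, 0)
        if decode_oid(oid_raw) != UPN_OID:
            continue
        _, explicit, _ = read_tlv(name, p)  # [0] EXPLICIT wrapper
        vtag, value, _ = read_tlv(explicit, 0)
        if vtag == 0x0C:                    # UTF8String
            return value.decode("utf-8")
    return None

def map_client_cert(san_der, issuer, trusted_issuers):
    """Stateless mapping as the post describes it: the account comes from the
    validated certificate alone.  `issuer`/`trusted_issuers` are assumed
    names standing in for the chain check done in the TLS handshake."""
    if issuer not in trusted_issuers:
        return None
    return extract_upn(san_der)

if __name__ == "__main__":
    san = build_san(upn="alice@corp.example", dns_names=("host.corp.example",))
    print(extract_upn(san))
    print(map_client_cert(san, "CN=Corp Enterprise CA", {"CN=Corp Enterprise CA"}))
```

The point the code makes concrete is the one the post makes in prose: nothing about the user is stored or looked up on the web server, so the identity IIS impersonates is exactly whatever UPN the issuing CA put in the certificate. That is why the set of CAs the server trusts for client authentication, not just the cert-to-name lookup, is what decides who can be mapped to which Windows account.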
