Re: IIS 6 Directory Services Mapping ACL Problems



It would appear that you cannot delegate certificate-based credentials.

IIS does not have the user's password, so it can't just logon to the remote
file server as the user directly.

Nor is Kerberos involved, so the Kerberos proxy service can't just get a
service ticket to the remote server on behalf of the user (this is my
assumption).

So, your last option may be Protocol Transition. This allows IIS to get a
Kerberos service ticket even when the initial authentication protocol was
not Kerberos (e.g. it was NTLM). I don't know if it works with certificate
based auth though...

Kerberos Protocol Transition and Constrained Delegation
http://technet2.microsoft.com/WindowsServer/en/library/c312ba01-318f-46ca-990e-a597f3c294eb1033.mspx?mfr=true

Your other alternative might be to use a Trusted Subsystem model. You have a
single account that accesses the remote file share, and checks the ACLs on
resources on that file share to see if the user is allowed access or not.
Only display the items the user has access to.

Lastly - if you want to see what account is being used to access the remote
file share, enable auditing of logon failures on the remote file share
and/or run Filemon, and see (a) what logon failures there might be and (b)
which account is getting access denied.

Cheers
Ken


<drew.sullivan@xxxxxxxxx> wrote in message
news:1161698905.238736.217570@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
For the love of god, please help me. I can't afford to pull out any
more hair.

I have a small domain setup at my organization, all servers are windows
2003. We are trying to configure certificate based logins using the
directory services method (not IIS certificate mapping).

My issue is not with configuring the servers. I have SSL required,
Client certificate required, Enable Client Certificate mapping is
checked, and Directory Services mapping is checked. All of our user
accounts are stored in the domains active directory and all users have
their certificates published in the AD and the name mappings property
is properly set.

When I authenticate on our web server with my certificate, my domain
account username shows up in the web log. I can control access to
different web sites by using domain account ACLs on the different web
applications we have. It seems to me everything is properly
configured.

Here is my problem. We have a file storage and retrieval web
application. The files are stored on another server in the domain.
When I try to access an existing file I get an HTTP Error 401.3 -
Unauthorized: Access is denied due to an ACL set on the requested
resource. FYI - the files to view are displayed on the web page as
links.

It seems to me that when I present my certificate to the web server,
IIS logs me in on the web server as the account my certificate is
mapped to. However, when IIS tries to access the remote resource,
those credentials are not used to access the remote storage on our file
server. I tried giving the everyone account access and went as far as
making my account a domain admin. I tried sniffing the traffic between
the web server and file server to examine the SMB packets. I could not
determine what account was being used by looking at the raw network
data.

Just so you have all the information... We have a virtual directory
set up on our web server that connects to a share on the file server via
a UNC path. On IIS 6 you have two options for authentication when
accessing a share on another server. One is to use an account/password
you supply (we do not want to do this), the other is to use the
authenticated users credentials. We assumed that when using DS mapping
that our users would always be authenticated as the account the
certificate was mapped to. This seems to be the case when accessing
the local file system, but not when trying to access the remote file
system through a virtual directory.

I do not understand why we still have an ACL error even when giving the
everyone account full access on the share and the filesystem. It
seems to me that when the web server tries to access the remote storage
it is using a local account that the file server does not know about.
I have IIS configured to use a domain account for both the anonymous
account and the worker process account. (The IUSR_XXX and IWAM_IIS)
and these accounts are added to the local IIS_WPG group.

Can anyone shed some light on this?

-Andy
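Ken's "Trusted Subsystem" suggestion (one service account reads the share; the application itself decides which links a user may see), written out as an added PowerShell example. This is not code from the thread or from Microsoft; the UPN, share path and file names are placeholders. It relies on the documented .NET behaviour that constructing `WindowsIdentity` from a UPN performs an S4U2Self logon on a domain-joined machine and returns the user's SID and group SIDs without a password, which is enough to evaluate the file ACLs that the service account is allowed to read. Generic rights bits on an ACE and the full Windows access-check algorithm (e.g. owner rights, privileges) are not modelled, so treat it as a filter for what to display, not as the security boundary itself; the real ACL on the file server remains the enforcement point.

```powershell
# Added example (not part of the original thread): "trusted subsystem" check.
# The web application runs under ONE domain service account that has read access
# to the share. Before rendering a link it asks whether the END USER's SIDs
# would be granted ReadData by the file's DACL, and hides files that fail.
function Test-UserCanRead {
    param(
        # Assumed placeholder, e.g. 'andy@example.internal'
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        # Files to evaluate, e.g. (Get-ChildItem '\\fileserver\share').FullName (placeholder)
        [Parameter(Mandatory)] [string[]] $Path
    )

    # S4U2Self: the KDC returns the user's group list; no password is needed and
    # no delegation rights are required merely to read group membership.
    $identity = [System.Security.Principal.WindowsIdentity]::new($UserPrincipalName)

    # Everything the user "is": own SID plus every group SID (incl. well-known ones)
    $sids = @($identity.User.Value) + @($identity.Groups | ForEach-Object { $_.Value })

    $readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData

    foreach ($p in $Path) {
        $acl   = Get-Acl -LiteralPath $p
        # Ask for SIDs rather than NTAccount names so comparison is exact
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

        $allowed = $false
        $denied  = $false
        foreach ($rule in $rules) {
            # Skip ACEs that do not apply to this user or any of their groups
            if ($sids -notcontains $rule.IdentityReference.Value) { continue }
            # Only ACEs that carry the ReadData bit matter for "can the user open it"
            if (([int]$rule.FileSystemRights -band $readMask) -eq 0) { continue }
            if ($rule.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny) {
                $denied = $true   # any matching Deny wins over Allow
            } else {
                $allowed = $true
            }
        }

        [pscustomobject]@{
            Path        = $p
            UserCanRead = ($allowed -and -not $denied)
        }
    }
}

# Usage (placeholder values): build the page from only the files the user may read.
# Test-UserCanRead -UserPrincipalName 'andy@example.internal' `
#     -Path (Get-ChildItem '\\fileserver\share').FullName |
#     Where-Object UserCanRead | Select-Object -ExpandProperty Path
```

The service account needs only read access to the share and its ACLs; the user never has to be impersonated across the SMB hop, which is exactly what sidesteps the delegation problem the thread is about.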
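Ken's last suggestion, seeing which account the web server actually presents to the file server, as an added PowerShell example for the file server's Security log. This is not code from the thread; it uses the Vista/2008-and-later `auditpol` syntax and event ID 4625 (on the Windows Server 2003 machines in the thread the same setting is "Audit logon events" under Local Security Policy, and the failure events are the 529-537 series instead). The sub-status codes in the comments are the standard NTSTATUS values Windows writes into 4625.

```powershell
# Added example (not part of the original thread): run on the FILE server.
# Step 1: audit failed logons so a rejected SMB connection leaves a record.
auditpol /set /subcategory:"Logon" /failure:enable

# Step 2: reproduce the 401.3 from the web application, then summarise the
# failed logons of the last 30 minutes by account and originating host.
function Get-RecentLogonFailures {
    param([int] $Minutes = 30)

    $since = (Get-Date).AddMinutes(-$Minutes)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named EventData fields out of the event XML
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType   = $d.LogonType        # 3 = network logon, i.e. an SMB client
                Status      = $d.Status
                SubStatus   = $d.SubStatus        # 0xC0000064 = no such user (a local/unknown account),
                                                  # 0xC000006A = bad password
                Workstation = $d.WorkstationName  # should be the IIS box
                SourceIp    = $d.IpAddress
            }
        }
}

# Which account, from which host, is being refused, most frequent first
Get-RecentLogonFailures |
    Group-Object Account, Workstation, SubStatus |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

If the logon itself succeeds and only the file access is refused, no 4625 is written; in that case enable failure auditing for the "File Share" and "File System" subcategories as well (events 5145 and 4656 carry the account name in their Subject fields), and correlate by the same timestamp. Either way the TargetUserName tells you whether the request arrived as the mapped domain user, the IIS worker process account, or an anonymous/null session.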


