RE: Client certificate authentication

Hi Jewett,

Can you tell me which OS version you are experiencing this problem on, and
what type of security protocol you are using with SSPI, SSL or Kerberos?

I assume you mean the AcceptSecurityContext() does not return
ASC_REQ_MUTUAL_AUTH.

This problem looks like the symptom talked about in the link below, can you
check if they are the same problems?
"SSPI Mutual Authentication Is Indicated on the Client Side But Not on the
Server Side"
http://support.microsoft.com/kb/304161/en-us

I have seen a known issue of AcceptSecurityContext() not returning
ASC_REQ_MUTUAL_AUTH when using SSPI with SSL (Schannel). Below is some more
detailed information:

The AcceptSecurityContext function will return ASC_RET_MUTUAL_AUTH if a
client certificate was received from the client and schannel was
successfully able to map the certificate to a user account in AD. This is
the mandatory requirement for Schannel mutual authentication design.

The certificate mapping requirement is documented in "Authenticating the
client" at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/performing_authentication_using_schannel.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/mapping_certificates.asp

The Windows Schannel implementation will attempt to map the certificate to a
user account in AD in order for AcceptSecurityContext() to return
ASC_RET_MUTUAL_AUTH. This is performed so that the server can make
authorization decisions based on the impersonation access token.

The certificate mapping process is documented at:
http://www.microsoft.com/windows2000/en/advanced/help/sag_CS_CertMapAccounts.htm
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_CSprocs_CertMapAD.htm

Certificate Mapping is the process of mapping a client authentication
certificate to a domain user account in AD. This operation is done on the
domain controller of the AD domain either manually or programmatically
during installation. This step is required for AcceptSecurityContext to
return ASC_RET_MUTUAL_AUTH.

However, this is really not required if you simply want to check/validate
the client authentication certificate in the server code. But
AcceptSecurityContext() will not return ASC_RET_MUTUAL_AUTH unless Schannel
was successfully able to map the client authentication certificate to a
user account in AD. This is the mandatory requirement of the Schannel mutual
authentication design on the server side.

I will wait for your further feedback and information. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
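Added example (not code from the post or from Microsoft): how a Schannel server should interpret the outcome described above. ASC_RET_MUTUAL_AUTH only tells you that Schannel mapped the client certificate to an AD account; a certificate can still be present and can be fetched with QueryContextAttributes(SECPKG_ATTR_REMOTE_CERT_CONTEXT) and validated by the server itself. The portable classify_client_auth() and check_schannel_client() names are this example's own; the Windows path needs Secur32.lib and Crypt32.lib.

```c
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <sspi.h>
#include <schannel.h>
#endif

#ifndef ASC_RET_MUTUAL_AUTH
#define ASC_RET_MUTUAL_AUTH 0x00000002UL   /* same value as in sspi.h, for non-Windows builds */
#endif

enum client_auth_state {
    CLIENT_ANONYMOUS = 0,      /* no client certificate was presented */
    CLIENT_CERT_UNMAPPED = 1,  /* certificate present, not mapped to an AD account */
    CLIENT_CERT_MAPPED = 2     /* ASC_RET_MUTUAL_AUTH set: mapped, impersonation token usable */
};

/* ctx_attr: the *pfContextAttr value AcceptSecurityContext filled in on SEC_E_OK.
 * have_valid_cert: whether the server obtained and validated a client certificate itself. */
enum client_auth_state classify_client_auth(unsigned long ctx_attr, int have_valid_cert)
{
    if (ctx_attr & ASC_RET_MUTUAL_AUTH)
        return CLIENT_CERT_MAPPED;   /* Schannel mapped the cert; ImpersonateSecurityContext is meaningful */
    return have_valid_cert ? CLIENT_CERT_UNMAPPED : CLIENT_ANONYMOUS;
}

#ifdef _WIN32
/* Windows only: fetch the client certificate from the finished context and
 * verify its chain for client authentication, independent of AD mapping. */
enum client_auth_state check_schannel_client(CtxtHandle *ctx, unsigned long ctx_attr)
{
    PCCERT_CONTEXT cert = NULL;
    int ok = 0;
    if (QueryContextAttributes(ctx, SECPKG_ATTR_REMOTE_CERT_CONTEXT, &cert) == SEC_E_OK && cert) {
        CERT_CHAIN_PARA para = { sizeof(para) };
        PCCERT_CHAIN_CONTEXT chain = NULL;
        /* cert->hCertStore holds any intermediates the client sent during the handshake */
        if (CertGetCertificateChain(NULL, cert, NULL, cert->hCertStore, &para, 0, NULL, &chain)) {
            SSL_EXTRA_CERT_CHAIN_POLICY_PARA ssl = { sizeof(ssl), AUTHTYPE_CLIENT, 0, NULL };
            CERT_CHAIN_POLICY_PARA pp = { sizeof(pp), 0, &ssl };
            CERT_CHAIN_POLICY_STATUS st = { sizeof(st) };
            ok = CertVerifyCertificateChainPolicy(CERT_CHAIN_POLICY_SSL, chain, &pp, &st) && st.dwError == 0;
            CertFreeCertificateChain(chain);
        }
        CertFreeCertificateContext(cert);
    }
    return classify_client_auth(ctx_attr, ok);
}
#endif
```

A server that only needs to validate the certificate (not authorize via an AD account) should branch on CLIENT_CERT_UNMAPPED rather than treating a missing ASC_RET_MUTUAL_AUTH as a failed handshake.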
