RE: Client certificate authentication
- From: Timothy Jewett <jewettware@xxxxxxxxxxxxx>
- Date: Wed, 14 Feb 2007 07:05:17 -0800
Jeffrey, you stated in the 1st reply that I should be able to validate the
client's certificate. How do I do that? When I called
QueryContextAttribute specifying SECPKG_ATTR_REMOTE_CERT_CONTEXT I get
"Jeffrey Tan[MSFT]" wrote:
Thanks for your feedback!
Yes, this is the issue I talked about in the first reply. I have discussed this
issue with an SSL expert and the original issue owner. They confirmed that
they are the same issue.
AcceptSecurityContext will set ASC_RET_MUTUAL_AUTH if a client certificate
was received from the client and Schannel was successfully able to map the
certificate to a user account in AD. For this to occur, Certificate
Mapping must be performed by a domain admin beforehand.
Certificate Mapping is the process of mapping a client authentication
certificate to a domain user account in AD. This operation is done on the
domain controller of the AD domain, either manually or programmatically
during installation, by a domain admin:
20-a2d4581dfbea1033.mspx?mfr=true (Look for "How Schannel Uses Certificate
Mapping")
The certificate requirements are documented in "Authenticating the
client" in MSDN.
The Certificate Mapping process is documented at [Section Using the Active
Directory for One-to-One Mapping]
The handshake succeeds even though cert mapping has failed. The return
value of QueryContextAttributes with SECPKG_ATTR_ACCESS_TOKEN will indicate
the reason for cert mapping failure.
Note: this also applies to x64 Win2003.
There are also 2 WebClient and WebServer samples in the PlatformSDK at
%MSSDK%\Samples\Security\SSPI\SSL. This is the folder structure if you have
Windows Server 2003 SP1 Platform SDK installed.
If you still have anything unclear, please feel free to tell me, thanks.
Microsoft Online Community Support