Re: Possible Security Flaw in Windows 2000

From: D. Cross [MS] (vaq130@hotmail.com)
Date: 06/03/02


IIS certificate mapping uses explicit name mapping to authenticate users. A
certificate is explicitly trusted when it is issued from an enterprise CA;
that is, a certificate will automatically map to a user account based on the
name in the cert. You could have deleted johndoe1 and johndoe2 and
re-created them and the certificates would still work. A valid cert is a
cert (issued from a trusted CA) that contains a valid name that matches an
account name.

So this is actually by design.

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Matt Flynn" <matthew_t_flynn@hotmail.com> wrote in message
news:u$fOa9uCCHA.2096@tkmsftngp04...
> I have a question about something that I found when testing Windows 2000
> security. The problem occurs when using client certificates to authenticate
> to IIS, and I have enabled Directory Authentication. I have two users, one
> is John Doe whose sAMAccountName=johndoe and another is John A. Doe whose
> sAMAccountName=johndoe2. The certificate is issued to johndoe2.
> Here is where the problem actually happens:
> If someone changes johndoe2 to johndoe1 and then changes johndoe to
> johndoe2, and the old johndoe2 then uses his certificate to authenticate to
> IIS, he will be authenticated as the old johndoe.
> Though this might not happen very easily, it is a large security problem
> because the reason for certificates is to be sure that the correct user is
> being authenticated. As far as I can tell from my testing, the
> authentication takes place by comparing the first half of the subjectAltName
> to the sAMAccountNames in Active Directory.
> I am pretty sure I have all of the security patches installed. Has anyone
> else seen this problem? Is there any way to fix it?
>
> Thanks
>
> Matt
>
>
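Added example, not part of either post in this thread: a small Python model of the two ways a client certificate can be tied to a directory account. The name-based mapping David describes (any cert from a trusted CA maps to whichever account currently carries the UPN in the subjectAltName) is contrasted with an explicit binding of the cert's issuer and serial to the account's immutable objectGUID, the kind of one-to-one mapping Active Directory stores in `altSecurityIdentities`. The directory, realm, account names, issuer name and serial are all constructed for the demo; nothing here talks to IIS or AD, it only replays Matt's rename sequence against both mapping rules.

```python
"""Model of certificate-to-account mapping under account renames (constructed example)."""
from dataclasses import dataclass, field
import uuid


@dataclass
class Account:
    object_guid: str                 # immutable identity, fixed at creation
    sam_account_name: str            # mutable, an admin can rename it
    upn: str                         # mutable, derived from sAMAccountName here
    # explicit cert bindings as (issuer, serial) pairs; stands in for the
    # X509:<I>issuer<SR>serial strings AD keeps in altSecurityIdentities
    alt_security_identities: set = field(default_factory=set)


@dataclass(frozen=True)
class Certificate:
    issuer: str
    serial: str
    san_upn: str                     # UPN carried in subjectAltName


class Directory:
    def __init__(self, realm):
        self.realm = realm
        self.accounts = {}           # objectGUID -> Account

    def create_user(self, sam):
        acct = Account(str(uuid.uuid4()), sam, f"{sam}@{self.realm}")
        self.accounts[acct.object_guid] = acct
        return acct

    def rename_user(self, acct, new_sam):
        # A rename rewrites sAMAccountName and UPN; objectGUID never changes.
        if any(a.sam_account_name == new_sam for a in self.accounts.values()):
            raise ValueError(f"sAMAccountName {new_sam} already in use")
        acct.sam_account_name = new_sam
        acct.upn = f"{new_sam}@{self.realm}"

    def map_by_upn(self, cert, trusted_issuers):
        """Name mapping: trusted issuer + UPN string match wins, whoever owns the name now."""
        if cert.issuer not in trusted_issuers:
            return None
        for acct in self.accounts.values():
            if acct.upn.lower() == cert.san_upn.lower():
                return acct
        return None

    def map_explicit(self, cert):
        """Explicit mapping: issuer+serial recorded on exactly one account at enrollment."""
        key = (cert.issuer, cert.serial)
        hits = [a for a in self.accounts.values() if key in a.alt_security_identities]
        return hits[0] if len(hits) == 1 else None


def rename_scenario():
    """Replay the thread: johndoe2 -> johndoe1, then johndoe -> johndoe2; return who each rule picks."""
    d = Directory("example.com")                     # constructed realm
    john = d.create_user("johndoe")
    john_a = d.create_user("johndoe2")
    cert = Certificate("CN=Enterprise CA", "1A2B3C", john_a.upn)  # constructed issuer/serial
    john_a.alt_security_identities.add((cert.issuer, cert.serial))
    trusted = {"CN=Enterprise CA"}

    name_before = d.map_by_upn(cert, trusted).object_guid
    explicit_before = d.map_explicit(cert).object_guid

    d.rename_user(john_a, "johndoe1")
    d.rename_user(john, "johndoe2")      # old johndoe now owns the UPN in the cert

    name_after = d.map_by_upn(cert, trusted).object_guid
    explicit_after = d.map_explicit(cert).object_guid
    untrusted = d.map_by_upn(Certificate("CN=Other CA", "1A2B3C", cert.san_upn), trusted)

    return {
        "issued_to": john_a.object_guid,
        "other": john.object_guid,
        "name_before": name_before,
        "name_after": name_after,
        "explicit_before": explicit_before,
        "explicit_after": explicit_after,
        "untrusted_issuer_maps": untrusted,
    }


if __name__ == "__main__":
    r = rename_scenario()
    print("UPN mapping follows the name after rename:", r["name_after"] == r["other"])
    print("Explicit mapping stays with the original account:", r["explicit_after"] == r["issued_to"])
```

The point the model makes is that a UPN is a mutable attribute, so a mapping rule keyed on it authenticates whoever holds the name at request time; an explicit issuer+serial (or subject key identifier) binding keyed to the account is stable across renames. In a real deployment the practical controls are the same: either use explicit one-to-one mappings, or treat any rename or reuse of a UPN as an event that requires revoking and reissuing the affected certificates.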

