Re: SSL - TS - Smart Card - Authentication

1. Is the issuing CA in the NTAuth store in each of the forests?
2. Is the root CA that issued the certificate in the trusted root store in each forest?
3. For the smart card auth certificate, does the UPN in the certificate SAN extension map to a user account in each forest?
4. Do all Web sites require certificate-based authentication?

Brian
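The four questions above are each answerable with a few queries against the forest PKI containers and the IIS site. The script below is an added example (not from the thread or either poster): it picks the Smart Card Logon certificate from the current user's store, works out its issuing and root CA, extracts the UPN from the SAN, and then checks items 1 to 3 against each forest over LDAP and item 4 on the IIS host. The DC names in `$ForestDCs` and the site name in `$IisSiteName` are placeholders to replace; the script assumes RSAT's ActiveDirectory module, and the last check assumes it runs on the IIS server with the WebAdministration module present.

```powershell
# Added diagnostic script, not part of the original thread. Walks the four
# checks from the reply above for the current user's smart card certificate.
# Placeholders to adjust: $ForestDCs (one reachable DC per forest) and
# $IisSiteName (run check 4 on the IIS server itself).
Import-Module ActiveDirectory

$ForestDCs   = @('dc01.test.example', 'dc01.corp.example')   # placeholders
$IisSiteName = 'Default Web Site'                             # placeholder

# Pick the Smart Card Logon certificate (EKU 1.3.6.1.4.1.311.20.2.2)
$scCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
    Select-Object -First 1
if (-not $scCert) { throw 'No Smart Card Logon certificate found in Cert:\CurrentUser\My' }

# Build the chain locally to learn the issuing CA and the root it rolls up to
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($scCert)
$elements  = $chain.ChainElements
$rootCert  = $elements[$elements.Count - 1].Certificate
$issuerCert = if ($elements.Count -gt 1) { $elements[1].Certificate } else { $rootCert }

# Pull the UPN from the SAN extension (OID 2.5.29.17); Format() renders it as
# "Other Name: Principal Name=user@domain"
$san = $scCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$upn = if ($san -and $san.Format($true) -match 'Principal Name=(\S+)') { $Matches[1] } else { $null }

Write-Host "Certificate : $($scCert.Subject)"
Write-Host "Issuing CA  : $($issuerCert.Subject)"
Write-Host "Root CA     : $($rootCert.Subject)"
Write-Host "UPN in SAN  : $upn"

# Helper: decode the cACertificate blobs stored on an AD PKI object (or its children)
function Get-AdPkiCerts {
    param([string]$Server, [string]$Dn, [switch]$Children)
    $objs = if ($Children) {
        Get-ADObject -Server $Server -SearchBase $Dn -SearchScope OneLevel -Filter * -Properties cACertificate
    } else {
        Get-ADObject -Server $Server -Identity $Dn -Properties cACertificate
    }
    foreach ($o in $objs) {
        foreach ($blob in $o.cACertificate) {
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$blob)
        }
    }
}

foreach ($dc in $ForestDCs) {
    $configNc = (Get-ADRootDSE -Server $dc).configurationNamingContext
    $pki      = "CN=Public Key Services,CN=Services,$configNc"
    Write-Host "`n== Forest reached via $dc =="

    # 1. Is the issuing CA in this forest's NTAuth store?
    $ntauth   = Get-AdPkiCerts -Server $dc -Dn "CN=NTAuthCertificates,$pki"
    $inNtAuth = $ntauth.Thumbprint -contains $issuerCert.Thumbprint
    Write-Host "1. Issuing CA in NTAuth            : $inNtAuth"

    # 2. Is the root CA published as a trusted root for this forest?
    $roots  = Get-AdPkiCerts -Server $dc -Dn "CN=Certification Authorities,$pki" -Children
    $inRoot = $roots.Thumbprint -contains $rootCert.Thumbprint
    Write-Host "2. Root CA in Certification Auths  : $inRoot"

    # 3. Does the SAN UPN resolve to an account in this forest?
    $user = if ($upn) { Get-ADUser -Server $dc -Filter "UserPrincipalName -eq '$upn'" } else { $null }
    Write-Host "3. UPN maps to an account          : $([bool]$user)"
}

# 4. Does the site require a client certificate? Run this part on the IIS host.
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    $flags = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$IisSiteName" `
        -Filter 'system.webServer/security/access' -Name sslFlags
    Write-Host "`n4. sslFlags on '$IisSiteName' : $flags"   # e.g. Ssl, SslNegotiateCert, SslRequireCert
}
```

Checks 1 to 3 read the forest-wide NTAuthCertificates and Certification Authorities containers rather than the local machine stores, so a "False" there is a publication gap in that forest (fixable with `certutil -dspublish`), not a stale local cache. Check 4 reports the site's `sslFlags`; a value containing `SslRequireCert` is what produces the 403.7 the original post describes whenever no client certificate is presented.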


"Mike Hammerfish" <MikeHammerfish@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:7118F2BD-AE05-4A81-97EB-21EACC9BEA52@xxxxxxxxxxxxxxxx
Here is a tough one for a very smart person.

Environment:

[ TEST DOMAIN ] – SSL IIS Web Site
[ TEST DOMAIN ] – Dev Server
[ CORP DOMAIN ] – Client workstation – Smart Card

Scenario 1:

1. From Corp Domain I hit (https://...) TEST SSL IIS Web Site
2. I get a smart card prompt, enter in creds, and the Web Site renders a page.

Scenario 2:

1. From Corp Domain Work Station I TS into TEST Domain Dev Server.
2. I hit (https...) the TEST SSL IIS Web Site from the (TS’ed) TEST Domain Dev Server.
3. I do not get a Smart Card Prompt.
4. I get the following error.

HTTP Error 403.7 - Forbidden: SSL client certificate is required.
Internet Information Services (IIS)

Note 1:

1. When I TS to the TEST/Dev server I get a smart card popup.
2. It does not accept my smart card PIN.
3. I press <ESC> and enter in the regular challenge response authentication, and I’m on the machine.
4. It is then that I try to hit (https://...) the SSL IIS Box and am unable to.

Note 2:

1. I can TS from the CORP DOMAIN workstation directly to the TEST DOMAIN SSL IIS BOX.
2. From the TEST DOMAIN SSL box (TS’ed) I hit (https://) the SSL IIS WebSite.
3. I’m prompted for a smart card.

I want to be able to:

1. TS into the TEST/DEV box.
2. From the TS’ed TEST/DEV box be able to hit (https://...) box.
3. Have the smart card prompt
4. Enter in the creds.
5. Have the SSL site render my page.

Sorry for the big explanation, but I wanted to provide as much information about
the problem as possible to hopefully save multiple Q&A threads.
I have asked all of our administrators and been unable to get any answers,
so your help would be greatly appreciated.

Feel free to ping my email address if needed.

Thank you in advance for any help

MikeHammerFish@xxxxxxxxxxx

--
Thank you
Mike Hammerfish
