Re: [Cross-posted]: Problem with Active Directory Mapping?
From: Ohaya (ohaya_at_cox.net)
Date: 09/12/03
- Next message: SKrueger: "Microsoft Key Recovery Tool (Reskit)"
- Previous message: markus bauer: "Re: Windows update problems"
- In reply to: Ohaya: "[Cross-posted]: Problem with Active Directory Mapping?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 12 Sep 2003 08:58:34 -0400
Hi All,
Sorry for the repost, but can anyone shed some light on this
problem/situation?
Thanks!
Ohaya wrote:
>
> Hello,
>
> [I originally started this thread in microsoft.public.inetserver.iis,
> and am including a good portion of the thread below FYI. I'm
> cross-posting, as microsoft.public.inetserver.iis.security and
> microsoft.public.windows.server.security were suggested by Bernard and
> Tim, respectively. My Apologies.]
>
> Setup:
>
> - MS Windows 2003 Server with IIS, AD, and Certificate Server.
> - IIS has a self-signed server cert from Certificate Server
> - Creating/installing client certificates using Certificate server
> - IIS configured for client certificate authentication
> - Active Directory (or Windows Directory) Mapping enabled
>
> I hope that I haven't missed anything :)...
>
> Problem Description:
>
> According to:
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;q272175
>
> among other places, part of the procedure to enable Active Directory
> Certificate Mapping is to load the client certificates being mapped into
> Active Directory (see "Map the Client Certificate to the Corresponding
> Active Directory User" section on above page), by setting the "Name
> Mapping" for each Active Directory user.
>
> Using ldifde, I have confirmed that when a user is "Name Mapped", a copy
> of the client certificate appears to be stored in the AD store, and when
> the client certificate is deleted from the User->Name Mapping, that the
> client certificate is removed from the AD store.
>
> BUT, from my testing, whether or not ANY Users in AD have been Name Mapped,
> when I make a connection from a PC (using IE) with a client certificate,
> the client certificate-to-Windows user mapping still seems to be
> working/occurring. I confirm this by two means:
>
> - I have an ASP page that displays the
> Request.ServerVariables("AUTH_USER"). When the mapping is working, the
> user name from the client certificate is displayed. When mapping is not
> working or disabled, the user name is blank/null
>
> - The second way I confirm this is that in IIS log files, when mapping
> is working, the user name is included in IIS log file entries. When
> mapping is not enabled, the user name is not included in the IIS log
> file entries.
>
> Mind you, for my situation, the way that this (Active) or (Windows)
> Directory Mapping is working (i.e., contrary to MS documentation,
> without having to actually load the client certificates into Active
> Directory) is actually a good thing operationally, but I would really
> like to know WHY it is working this way (i.e., is this the way that it is
> supposed to work?).
> Aside from just plain curiosity, my main reasons for wanting to know are
> that: (1) I need to understand how this mapping is functioning, and
> also, (2) it would be disastrous for me to design/build a system based on
> my finding one thing (i.e., loading certificates is not needed for
> Directory Mapping) and then find out that it changes later.
>
> Thank you all very much for your patience!!!
>
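The check a practitioner would run against the setup described in this post, as an added example that is not part of the original thread: it loads the client certificate, reports whether it carries a UPN in subjectAltName (Schannel can use that UPN to map a certificate issued by an enterprise CA to a domain account implicitly, with no Name Mapping entry in AD), builds the `X509:<I>issuer<S>subject` string that the Name Mapping dialog writes to the user's `altSecurityIdentities` attribute, and compares it with what is actually stored on the account. The certificate path, the sAMAccountName and the dependency on the ActiveDirectory (RSAT) module are assumptions; the DN-reversal helper handles ordinary DNs only.

```powershell
# Added example, not code from the original thread. Assumes the ActiveDirectory
# module (RSAT) is installed and the client certificate has been exported as a
# .cer file. $CertPath and $SamAccountName are placeholders.
$CertPath       = 'C:\certs\client.cer'
$SamAccountName = 'jdoe'

Import-Module ActiveDirectory

# altSecurityIdentities stores each DN with its RDNs in reverse order and no
# spaces after the commas, e.g. "DC=com,DC=contoso,CN=Contoso CA".
# Simplified: splits only on commas that start a new RDN (escaped commas
# inside a value are left alone).
function ConvertTo-ReversedDN([string]$dn) {
    $parts = $dn -split ',\s*(?=(?:[A-Za-z]+|OID\.[\d.]+)=)'
    [array]::Reverse($parts)
    return ($parts -join ',')
}

# 1. Load the certificate and look for a UPN in the subjectAltName extension
#    (OID 2.5.29.17). On Windows, Format() renders it as "Principal Name=...".
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
$upn     = if ($sanText -match 'Principal Name=(\S+)') { $Matches[1] } else { $null }

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"UPN SAN : $(if ($upn) { $upn } else { '<none>' })"

# 2. The explicit mapping the Name Mapping UI would write for this certificate.
$expected = "X509:<I>$(ConvertTo-ReversedDN $cert.Issuer)<S>$(ConvertTo-ReversedDN $cert.Subject)"
"Expected explicit mapping: $expected"

# 3. What the user object really holds (this is what ldifde shows as well).
$user   = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities, userPrincipalName
$stored = @($user.altSecurityIdentities)
"Stored altSecurityIdentities on $SamAccountName : $(if ($stored) { $stored -join '; ' } else { '<none>' })"

if ($stored -contains $expected) {
    'Explicit mapping present: the Name Mapping entry matches this certificate.'
} elseif ($upn -and ($upn -ieq $user.userPrincipalName)) {
    'No explicit mapping, but the UPN in the SAN matches the account: implicit (UPN) mapping would explain a populated AUTH_USER.'
} else {
    'Neither an explicit nor a UPN-based mapping was found for this certificate and account.'
}
```

Run it on the IIS server or any domain-joined host with RSAT, once per test certificate, and compare the verdict with the `AUTH_USER` value the ASP page shows for that certificate. One caveat for anyone reusing the Issuer/Subject form today: on Windows servers patched with KB5014754, `X509:<I>...<S>...` counts as a weak mapping; the same attribute also accepts the `X509:<I>...<SR>...` (issuer plus serial number), `X509:<SKI>...` and `X509:<SHA1-PUKEY>...` forms, which are treated as strong.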