
Thread: Certificate mapping authentication not work on Server Share

Last post 10-09-2008 5:24 PM by krolson. 5 replies.


  • 10-06-2008, 3:58 PM

    • Metek
    • Not Ranked
    • Joined on 10-06-2008, 6:38 PM
    • Posts 10

    Certificate mapping authentication not work on Server Share

    Hello All,

    I'm trying to set up an IIS 7.0 web site with "Windows Authentication" through "Active Directory Client Certificate Authentication". My user account is properly mapped to a Domain User account and I have access to all directories located on the web server.

    Now I added a virtual directory with its physical path mapped to a share on another server. "Connect As" is set to Application User (pass-through authentication). I verified that the Domain User account authenticated by the client certificate has access to the share on the other server and the corresponding ACL on the physical disk directory. However, when I'm trying to connect to the new virtual directory, 2 problems appear:

    1. I'm getting a dialog asking for user name and password. Why?

    2. Regardless of what I'm entering in that dialog (the domain account of the user logged into the web site, or even Domain Administrator credentials), I'm getting error 401. The log file is not informative at all: I see calls to various authentication modules, and they all return false. The only warning in the log is

    ModuleName IIS Web Core
    Notification 2
    HttpStatus 401
    HttpReason Unauthorized
    HttpSubStatus 3
    ErrorCode 2147942405
    ConfigExceptionInfo
    Notification AUTHENTICATE_REQUEST
    ErrorCode Access is denied. (0x80070005)

    What's wrong? Any help is appreciated.

    Al


  • 10-07-2008, 7:58 PM In reply to

    • anilr
    • Top 10 Contributor
    • Joined on 05-23-2006, 10:13 PM
    • Redmond, WA
    • Posts 2,343

    Re: Certificate mapping authentication not work on Server Share

    Are you trying "windows integrated authentication" or "AD client cert authentication"?  Note that the IIS Manager does not let you configure the latter and you will have to write some scripts to configure it.

    Anil Ruia
    Senior Software Design Engineer
    IIS Core Server

  • 10-07-2008, 8:02 PM In reply to

    • krolson
    • Top 75 Contributor
    • Joined on 10-06-2008, 10:32 PM
    • Posts 97

    Re: Certificate mapping authentication not work on Server Share

    One issue may be that you cannot use pass-through authentication to access web.config files on a remote share (because IIS uses the authenticated user for pass-through, and the access would have to occur before IIS has determined the authenticated user). 

    You could try to give the IIS worker process identity read access to the remote content share, but pass-through access is a little messy in this case.  I would recommend using virtual directory fixed credentials instead.  Remember to set a username and password on the virtual directory that correspond to a valid account on your share.

  • 10-08-2008, 1:48 PM In reply to

    • Metek
    • Not Ranked
    • Joined on 10-06-2008, 6:38 PM
    • Posts 10

    Re: Certificate mapping authentication not work on Server Share

    Hi Anil,

    Thank you for your reply. As specified in my initial message, we are using "Active Directory Client Certificate Authentication".

    >> you will have to write some scripts to configure it

    What kind of scripts? How can I configure it in such a way that the user is identified on the network share?

    With best regards,

    Al 


  • 10-08-2008, 1:55 PM In reply to

    • Metek
    • Not Ranked
    • Joined on 10-06-2008, 6:38 PM
    • Posts 10

    Re: Certificate mapping authentication not work on Server Share

    Hello Krolson,

    The access via a user account is working OK, but unfortunately we are building an Intranet and need to differentiate user rights on the share. Any suggestion how we can make authentication work? I also do not understand why access fails when I'm typing credentials directly into the authentication dialog.

    >>  You could try to give the IIS worker process identity read access to the remote content share

    Could you please explain this option in more details?

    With best regards,

    Al


  • 10-09-2008, 5:24 PM In reply to

    • krolson
    • Top 75 Contributor
    • Joined on 10-06-2008, 10:32 PM
    • Posts 97

    Re: Certificate mapping authentication not work on Server Share

    You would have to configure the share permissions to allow at least read access to the identity IIS is using (the IIS worker process identity) to connect to the share. 

    Also, I believe that in order to use pass-through authentication you would have to disable the use of distributed web.config files in the virtual directory. To do this you set the allowSubDirConfig attribute on the virtual directory definition to "false".

     The pass-through method can be tricky because some application frameworks will use the IIS worker process identity while others will always use the authenticated user identity.

     A few cautions as well: if you grant IIS permissions above Read access (or give the IIS account administrative privileges on the remote network server), it may be possible for an attacker to gain control of the remote share if the server is compromised.  You would only need write/full access if you are using IIS to publish content (and you should never use identities with administrative privileges on the file server to access remote content). 
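As an added illustration (not code from the thread or from Microsoft), the following audit script applies the checks krolson describes to a constructed applicationHost.config fragment: for every virtual directory whose physicalPath is a UNC share it reports pass-through authentication (no userName), allowSubDirConfig left at its default of true, and fixed credentials that use an administrative account. The sample site, share name, service account and the "administrator" name heuristic are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not taken from the thread). It shows
# the two layouts discussed: a virtual directory using pass-through authentication
# to a UNC share, and one using fixed credentials with allowSubDirConfig="false".
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <application path="/">
          <virtualDirectory path="/" physicalPath="C:\\inetpub\\wwwroot" />
          <virtualDirectory path="/passthru" physicalPath="\\\\FILESRV\\content" />
          <virtualDirectory path="/fixed" physicalPath="\\\\FILESRV\\content"
              userName="CORP\\svc_iis_reader" password="[REDACTED]"
              allowSubDirConfig="false" />
        </application>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
"""

def is_unc(path):
    """True for \\\\server\\share style paths (the remote-share case in the thread)."""
    return path.startswith("\\\\")

def audit_vdirs(config_xml):
    """Return {vdir path: [findings]} for every UNC-backed virtual directory."""
    root = ET.fromstring(config_xml)
    report = {}
    for vdir in root.iter("virtualDirectory"):
        if not is_unc(vdir.get("physicalPath", "")):
            continue  # local content is not affected by the remote-share issues
        findings = []
        user = vdir.get("userName")
        sub_cfg = vdir.get("allowSubDirConfig", "true").lower()  # IIS default is true
        if not user:
            # Pass-through: the share ACL must grant read access to whatever identity
            # IIS connects as (the worker process identity or the request user).
            findings.append("pass-through auth to UNC share: grant the worker process identity read access")
            if sub_cfg != "false":
                # A distributed web.config on the share is read before the request
                # user is authenticated, which the thread suggests causes the denial.
                findings.append("allowSubDirConfig is not false: remote web.config is read before authentication")
        elif user.split("\\")[-1].lower() == "administrator":  # assumed heuristic
            findings.append("fixed credentials use an administrative account; use a read-only account")
        report[vdir.get("path")] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit_vdirs(SAMPLE_CONFIG).items():
        print(path, "->", findings or ["ok"])
```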
