Please try the following scenario:

- Digest Authentication within Active Directory or Windows Domain
- Require SSL & 128-bit
- Require Client Certificate (internal CA, not a public one in the 1st testing scenario)
- Client certificate mapping activated
- Trust list defined & activated

I use that configuration live on several sites and it works without any user authentication request. I don't think that it makes sense to use client certificate mapping for external users who are not trusting my own CA and are not controlled via my Active Directory policies, do you?

You can use that method as an additional authentication method by using client certificates to ensure that the client is really authenticated to the server. But it's just an additional feature to the standard way of "enforcing users to log on to the system" and accepting server-side authentication by certificates. It's not meant to replace user authentication itself.

So far, that is my understanding of using client certificate mappings. A strong PKI infrastructure needs clients auth'd to services and/or devices, but as a last instance. First you need a defined environment, then you can define security parameters.

Best regards,
Andreas Habedank
----------------
HBDK.DE - IT-Security Management & Consulting - http://www.hbdk.de

-----Original Message-----
From: John Lightfoot [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 7, 2006 05:38
To: [EMAIL PROTECTED]; [email protected]
Subject: RE: Re: Certificate authentication under IIS

It doesn't seem to work that way. If I allow anonymous access, even though I require a client certificate, have the certificate mapped to a user account, and present the client certificate when I navigate to the web site, the IIS log doesn't show the user as having logged in. If I also check "Integrated Windows authentication," I present the certificate but am required to log in with username/password, then the user account shows up in the log. If I *don't* allow anonymous access, I can't get in at all; that's when I get the 401.2 error.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, March 06, 2006 9:41 PM
To: [email protected]
Subject: Re: Re: Certificate authentication under IIS

This should work out of the box.
Website, Directory security, Secure communications, check Require SSL, check Require 128 bit, select Require client certificates, check enable client certificate mapping, press edit and pick your windows account mappings.

Regards,
Craig.
