From an internal certificate authority. The certificate authority is on my certificate trust list (CTL).

If I require client certificates but allow anonymous access, I get challenged for the certificate to get to the web site, but once the certificate is accepted, I'm still anonymous to the web site even though the certificate is mapped to a valid user account.

If I don't allow anonymous access, I get challenged for my client certificate but once I provide it I get "HTTP Error 401.2 - Unauthorized: Access is denied due to server configuration," with a message "You do not have permission to view this directory or page using the credentials that you supplied because your Web browser is sending a WWW-Authenticate header field that the Web server is not configured to accept."

I wondered if it might be something to do with my client running IE7beta2, but it doesn't work under IE6 either.

I'm not sure if this is a clue, but when I also require Integrated Windows authentication, I get challenged for my certificate, then get a Windows username/password challenge. I've found that I can use a different Windows user account than the one the certificate is mapped to and still log in. I thought the way it was supposed to work if you required both a mapped client certificate and integrated Windows login, the mapped client certificate account had to be the same as the login account.

-----Original Message-----
From: Laura A. Robinson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 12:17 AM
To: 'John Lightfoot'; [email protected]
Subject: RE: Certificate authentication under IIS

From where were the client certificates obtained? (Internal CA, Verisign, etc.?)

Laura

> -----Original Message-----
> From: John Lightfoot [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 06, 2006 4:16 PM
> To: [email protected]
> Subject: Re: Certificate authentication under IIS
>
> Hello,
>
> I am trying to figure out how to use client certificates to
> authenticate in IIS under Windows Server 2003.
>
> Specifically, I'm trying to use client certificates to map to Windows
> user accounts in IIS, but I don't want to require username and
> password, too.
> I'm trying to use one-factor authentication mapped to a Windows
> account with the one factor being the certificate.
> Upon presentation of the certificate by the client, I want the IIS
> session to log in the user to the mapped user account. I only seem to
> be able to require both a certificate and username/password, not a
> certificate only.
>
> I'm able to require client certificates and present the proper one to
> the web site. In the "authentication methods"
> configuration screen, if I deselect "enable anonymous access"
> and select "integrated Windows authentication," I can log in by
> providing both the certificate and the username/password of the mapped
> account. If I deselect "integrated Windows authentication," I get an
> HTTP 401.2 error, "You do not have permission to view this directory
> or page using the credentials that you supplied because your Web
> browser is sending a WWW-Authenticate header field that the Web server
> is not configured to accept." Is it possible to log in a user based
> only on presentation of the certificate?
>
> Any help would be greatly appreciated. Thanks.
>
> John Lightfoot
