Okay, what are the underlying NTFS permissions to the files/folders to which you're browsing? It sounds like the user to whom you've mapped the certificate doesn't have permissions.
Laura > -----Original Message----- > From: John Lightfoot [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 07, 2006 9:53 AM > To: [EMAIL PROTECTED]; [email protected] > Subject: RE: Certificate authentication under IIS > > From an internal certificate authority. The certificate > authority is on my certificate trust list (CTL). > > If I require client certificates but allow anonymous access, > I get challenged for the certificate to get to the web site, > but once the certificate is accepted, I'm still anonymous to > the web site even though the certificate is mapped to a valid > user account. > > If I don't allow anonymous access, I get challenged for my > client certificate but once I provide it I get "HTTP Error > 401.2 - Unauthorized: > Access is denied due to server configuration," with a message > "You do not have permission to view this directory or page > using the credentials that you supplied because your Web > browser is sending a WWW-Authenticate header field that the > Web server is not configured to accept." I wondered if it > might be something to do with my client running IE7beta2, but > it doesn't work under IE6 either. > > I'm not sure if this is a clue, but when I also require > Integrated Windows authentication, I get challenged for my > certificate, then get a Windows username/password challenge. > I've found that I can use a different Windows user account > than the one the certificate is mapped to and still log in. > I thought the way it was supposed to work if you required > both a mapped client certificate and integrated Windows > login, the mapped client certificate account had to be the > same as the login account. > > -----Original Message----- > From: Laura A. Robinson [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 07, 2006 12:17 AM > To: 'John Lightfoot'; [email protected] > Subject: RE: Certificate authentication under IIS > > From where were the client certificates obtained? (Internal > CA, Verisign, > etc.?) > > Laura > > > -----Original Message----- > > From: John Lightfoot [mailto:[EMAIL PROTECTED] > > Sent: Monday, March 06, 2006 4:16 PM > > To: [email protected] > > Subject: Re: Certificate authentication under IIS > > > > Hello, > > > > I am trying to figure out how to use client certificates to > > authenticate in IIS under Windows Server 2003. > > > > Specifically, I'm trying to use client certificates to map > to Windows > > user accounts in IIS, but I don't want to require username and > > password, too. > > I'm trying to use one-factor authentication mapped to a Windows > > account with the one factor being the certificate. > > Upon presentation of the certificate by the client, I want the IIS > > session to log-in the user to the mapped user account. I > only seem to > > be able to require both a certificate and username/password, not a > > certificate only. > > > > I'm able to require client certificates and present the > proper one to > > the web site. In the "authentication methods" > > configuration screen, if I deselect "enable anonymous access" > > and select "integrated Windows authentication," I can log-in by > > providing both the certificate and the username/password of > the mapped > > account. If I deselect "integrated Windows > authentication," I get an > > HTTP 401.2 error, "You do not have permission to view this > directory > > or page using the credentials that you supplied because your Web > > browser is sending a WWW-Authenticate header field that the > Web server > > is not configured to accept." Is it possible to log-in a > user based > > only on presentation of the certificate? > > > > Any help would be greatly appreciated. Thanks. > > > > > > > > John Lightfoot > > > > -------------------------------------------------------------- > > ------------- > > -------------------------------------------------------------- > > ------------- > > > > > -------------------------------------------------------------- > ------------- > -------------------------------------------------------------- > ------------- > --------------------------------------------------------------------------- ---------------------------------------------------------------------------
