With digest authentication, you're bypassing the certificate authentication (and you're using a less secure method, since digest authentication uses reversible encryption of credentials). As far as client certificate mappings, they're designed to allow you to use stronger authentication methods in conjunction with NTFS permissions to the files and directories that you want to secure. Using certificates as an authentication method is valid for a number of configurations, and isn't necessarily a replacement for user authentication. It *is* user authentication (assuming we're talking user certificates as we are in this scenario).
As an example, I have a web site that allows anonymous authentication to the home page, but when users attempt to access secured portions of the site (achieved via NTFS permissions on the files and directories), because I've configured IIS to use certificates, the users are prompted to select a certificate from their stores when they try to access those files. The point behind using certificates for those pages is that users are authenticated for access to portions of the site that are not made available to anonymous users, but those users do not have to type in credentials to access them. This is useful in situations where, for example, a company's main web site contains a link to portions of the site that are employee-only. This type of authentication is often most useful, however, in a b2b scenario where a company has issued certificates to people who are not employees (vendors and partners, for example), and where those people need to be able to access secured content.

Laura

> -----Original Message-----
> From: Info (HBDK.de) [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 07, 2006 2:53 AM
> To: 'John Lightfoot'; [email protected]
> Subject: AW: Re: Certificate authentication under IIS
>
> Please try the following scenario:
> - Digest Authentication within Active Directory or Windows Domain
> - Require SSL & 128bit
> - Require Client Certificate (internal CA, not a Public one in 1st testing scenario)
> - Client certificate mapping activated
> - Trust list defined & activated
>
> I use that configuration live on several sites and it works without any user authentication request. I don't think that it makes sense to use client certificate mapping to external users who are not trusting my own CA and are not controlled via my Active Directory policies, do you?
>
> You can use that method as an additional authentication method by using client certificates to ensure that the client is really authenticated to the server. But it's just an additional feature to the standard way "enforcing users to log on to the system" and accepting server side authentication by certificates. It's not assumed to replace user authentication itself. So far my understanding of using client certificate mappings.
>
> A strong PKI infrastructure needs clients auth'd to services and/or devices, but as last instance. First you need a defined environment, then you can define security parameters.
>
> Best regards,
> Andreas Habedank
> ----------------
> HBDK.DE - IT-Security Management & Consulting - http://www.hbdk.de
>
> -----Original Message-----
> From: John Lightfoot [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 7 March 2006 05:38
> To: [EMAIL PROTECTED]; [email protected]
> Subject: RE: Re: Certificate authentication under IIS
>
> It doesn't seem to work that way. If I allow anonymous access, even though I require a client certificate, have the certificate mapped to a user account, and present the client certificate when I navigate to the web site, the IIS log doesn't show the user as having logged in. If I also check "Integrated Windows authentication," I present the certificate but am required to log in with username/password, then the user account shows up in the log. If I *don't* allow anonymous access, I can't get in at all; that's when I get the 401.2 error.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Monday, March 06, 2006 9:41 PM
> To: [email protected]
> Subject: Re: Re: Certificate authentication under IIS
>
> This should work out of the box.
>
> Website, Directory security, Secure communications, check Require SSL, check Require 128 bit, select Require client certificates, check enable client certificate mapping, press edit and pick your windows account mappings.
>
> Regards,
> Craig.
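The thread above turns on what the IIS log records for requests to certificate-protected pages (John's observation that no mapped user appears while anonymous access is enabled, and the 401.2 once it is disabled). As an added example, not code from any poster, here is a small Python audit that parses IIS 6 W3C extended log lines and classifies requests under a secured path by what the log recorded; the log lines and the `/secure/` prefix are constructed for illustration.

```python
# Added example (not from the thread): classify IIS 6 W3C extended log entries
# for a certificate-protected path. Sample log and /secure/ prefix are constructed.
from typing import Dict, Iterable, List

SECURED_PREFIX = "/secure/"  # assumed location of the NTFS-protected pages

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """W3C extended format: the #Fields directive defines the column order."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):          # directives: #Software, #Date, #Fields ...
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if not fields:
            raise ValueError("log entry before #Fields directive")
        rows.append(dict(zip(fields, line.split())))
    return rows

def audit(rows: List[Dict[str, str]], prefix: str = SECURED_PREFIX) -> Dict[str, list]:
    """Bucket each request under the secured prefix by what IIS logged for it."""
    out: Dict[str, list] = {"mapped": [], "anonymous": [], "denied_401_2": []}
    for r in rows:
        path = r.get("cs-uri-stem", "-")
        if not path.startswith(prefix):
            continue
        user = r.get("cs-username", "-")
        status = int(r.get("sc-status", "0"))
        sub = int(r.get("sc-substatus", "0"))
        if status == 401 and sub == 2:
            out["denied_401_2"].append(path)   # 401.2: denied by server configuration
        elif user == "-":
            out["anonymous"].append(path)      # served, but no mapped identity logged
        else:
            out["mapped"].append((user, path)) # mapped Windows account recorded
    return out

# Constructed sample log in IIS 6 W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-username s-ip cs-method cs-uri-stem sc-status sc-substatus
2006-03-07 09:00:01 10.0.0.5 - 10.0.0.1 GET /index.htm 200 0
2006-03-07 09:00:05 10.0.0.5 - 10.0.0.1 GET /secure/report.htm 200 0
2006-03-07 09:00:09 10.0.0.6 CORP\\jsmith 10.0.0.1 GET /secure/report.htm 200 0
2006-03-07 09:00:12 10.0.0.7 - 10.0.0.1 GET /secure/report.htm 401 2
"""
```

Run `audit(parse_w3c(SAMPLE_LOG.splitlines()))` against a real log export to see whether the mapped account is actually being recorded for the secured pages.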
