Re: Disable requesting client certificate when running in SSL
From: Lee Flight (lef_at_le.ac.uk-nospam)
Date: 03/11/05
- Next message: Jim Kiddoo: "Re: Group policy not running on some machines"
- Previous message: TagaR: "Re: Removing DC"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: Disable requesting client certificate when running in SSL"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 11 Mar 2005 17:49:12 -0000
The nearest match I could find in Group Policy was the LDAP
client signing
http://www.microsoft.com/resources/documentation/WindowsServ/2003/standard/proddocs/en-us/638.asp
but it's not that.
I assigned my cert out of a W2K3 Enterprise CA for the domain
and it shows up against my user object in ADUC. I am a bit surprised
by this stuff because I thought all mapping had to be mediated by IIS as
that's what the Extranet Access Management blueprints from
Microsoft use. That assumption had diminished my interest as the
IIS Directory Mapper
http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp
has no hook for ADAM. However it appears that Schannel is doing quite a
bit of the heavy lifting in W2K3. See "How Schannel Uses Certificate
Mapping"
in
(the S4U mapping boggles my mind, I had been looking for something like
this when investigating using protocol transition to overcome the inability
to impersonate ADAM users in Extranet usage).
At the moment I'm not too confident of making progress on this as I'm
at the limit of my knowledge on SASL binding using an EXTERNAL
authentication (I've hit the (same) limit with Digest bind against ADAM
R2).
Murky is about right.
Lee Flight
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:evseoTlJFHA.2396@TK2MSFTNGP12.phx.gbl...
> Hm. It would be nice to be able to set some kind of a policy on the DC
> (or ADAM instance) to have it automatically disable the client certificate
> request. It doesn't look like there would be an easy way to set that
> option client side from the higher level APIs (ADSI/SDS).
>
> Regarding getting your client certificate to work, I think it needs to be
> all set up so that the DC trusts the certificate and maps it to a user in
> the directory so that the LSA will create a logon token for it. However,
> I have no idea what is exactly required to get this to work. I'm sure the DC
> has to at least be able to trust the cert and then there has to be some
> sort of appropriate mapping back to a user in the store, but I don't know
> what is actually required there. Is it sufficient to have the user's UPN
> as a field in the cert (as altSubject or whatever) or does
> altSecurityIdentities need to be set in AD? This is all very murky to me.
>
> Joe K.
>
> "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> news:uuS1J6iJFHA.3196@TK2MSFTNGP15.phx.gbl...
>> According to
>>
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;290483
>>
>> "When the LDAP API performs the handshake, client authentication is not
>> done unless the QUERYCLIENTCERT function is set by using the connection
>> options. Typically, the handshake only involves identifying the server"
>>
>> and MSDN says this is surfaced as the connection option
>> LDAP_OPT_CLIENT_CERTIFICATE
>> (an option that ldp.exe does not seem to be aware of).
>>
>> I doubt we would find out the answer to the original poster's question
>> without a code review.
>>
>> [FWIW I planted a cert in my store and ran a connection attempt
>> and schannel debugging picked it up, 36875 error went away, but
>> I have not yet been able to figure out how to do the EXTERNAL
>> SASL bind with ldp.exe to push this on.]
>>
>> Lee Flight
>>
>>
>
>
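Added example, not code from either poster in this thread: the same SSL connection and EXTERNAL SASL bind the messages above describe, driven from PowerShell through the .NET System.DirectoryServices.Protocols wrapper over wldap32 rather than ldp.exe. Its ClientCertificates / QueryClientCertificate settings are the managed form of the LDAP_OPT_CLIENT_CERTIFICATE (QUERYCLIENTCERT) connection option that KB 290483 says the LDAP API otherwise leaves unset. The server name, port and certificate thumbprint are placeholders, and it assumes the directory has already been configured to trust and map the certificate (Schannel mapping, altSecurityIdentities or a UPN in the SAN), which is the part the thread leaves open. The WhoAmI check at the end is optional and depends on the server supporting that extended operation.

```powershell
# Added example (not from the thread): LDAPS bind with a client certificate
# and the SASL EXTERNAL mechanism via System.DirectoryServices.Protocols.
# Placeholders: $server, $port, $thumbprint.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server     = 'dc01.example.test'                    # placeholder: DC or ADAM instance
$port       = 636                                    # LDAPS port (ADAM often uses 50636)
$thumbprint = 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT'  # placeholder

# Pick the client certificate (with private key) out of the user's store.
$cert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Thumbprint -eq $thumbprint -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $cert) { throw "Client certificate $thumbprint not found in CurrentUser\My" }

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3

# Make the server-certificate decision visible: accept only if the chain validates.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, [System.Security.Cryptography.X509Certificates.X509Certificate] $serverCert)
    $c2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($serverCert)
    $ok = $c2.Verify()
    Write-Host ("Server cert {0} chain valid: {1}" -f $c2.Subject, $ok)
    return $ok
}

# Answer Schannel's client-certificate request. This callback is the managed
# form of QUERYCLIENTCERT; $trustedCAs carries the DER-encoded issuer names
# the server says it will accept, which is useful when diagnosing a 36875.
$conn.SessionOptions.QueryClientCertificate = {
    param($connection, [byte[][]] $trustedCAs)
    Write-Host ("Server advertises {0} acceptable issuer(s)" -f $trustedCAs.Count)
    return $cert
}
$conn.ClientCertificates.Add($cert) | Out-Null

# SASL EXTERNAL: the server derives the identity from the TLS client certificate.
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::External
try {
    $conn.Bind()
    Write-Host 'EXTERNAL bind succeeded'
} catch [System.DirectoryServices.Protocols.LdapException] {
    # ErrorCode 49 = invalidCredentials (certificate not mapped to an account),
    # 81 = server unreachable or the TLS handshake itself failed.
    Write-Host ("Bind failed: {0} (LDAP error {1})" -f $_.Exception.Message, $_.Exception.ErrorCode)
    exit 1
}

# Which account did the certificate map to? RFC 4532 WhoAmI
# (OID 1.3.6.1.4.1.4203.1.11.3); not every server of that era supports it.
try {
    $req  = New-Object System.DirectoryServices.Protocols.ExtendedRequest('1.3.6.1.4.1.4203.1.11.3')
    $resp = $conn.SendRequest($req)
    Write-Host ('Bound as: ' + [System.Text.Encoding]::UTF8.GetString($resp.ResponseValue))
} catch {
    Write-Host 'WhoAmI extended operation not supported by this server'
}
```

Run it as the user whose store holds the certificate; a 49 from Bind with a clean TLS handshake points at the mapping on the directory side rather than at the client, while a 36875 in the Schannel log with no QueryClientCertificate output means the request for a client certificate never reached this code.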