Certificate Mapping - Debugging

How would I go about debugging Certificate Mapping in IIS? I have one user who gets prompted for a cert, selects the one associated to his AD account and then gets prompted for his user id and password. If I associate my cert, I can get in under his account. There must be something up with his certificate but it only happens on one domain. I have a test domain set up and the mapping works fine. Any ideas?

Thanks
Mark

Hi Mark,
Has his client certificate's private key been properly exported and installed on the user's computer? On the problematic client machine, open mmc.exe and add the Certificates snap-in, selecting the current user. Verify the certificate in the Personal store. There should be a line 'You have a private key corresponds...', which indicates the cert's private key is properly installed.

Furthermore, the CA which issues the client certificate must be trusted by the IIS server, which means the CA's certificate must be installed in the Trusted Root CA store of the IIS server's computer account. You can launch the Certificates mmc and open the Computer account's store to check this.

To narrow down the problem, you may install his client cert on your machine and map it to your user account to test. If this doesn't work either, the problem has been confirmed to be on the cert or its trust relation.

Thanks.

Sincerely,
WenJun Zhang
Microsoft Online Community Support

Delighting our customers is our #1 priority. We welcome your comments and suggestions about how we can improve the support we provide to you. Please feel free to let my manager know what you think of the level of service provided. You can send feedback directly to my manager at: msd***@microsoft.com.

==================================================
Get notification to my posts through email? Please refer to http://msdn.microsoft.com/en-us/subscriptions/aa948868.aspx#notifications.

MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 2 business days is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at http://msdn.microsoft.com/en-us/subscriptions/aa948874.aspx
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Mark,
Just wonder if the problem has been resolved? If not, please update here. We will be glad to assist you on further troubleshooting.

Have a nice weekend.

Sincerely,
WenJun Zhang
Microsoft Online Community Support

I am still trying to work on it. Yes, CA is trusted, the certificate is working. It is just on one server that the mapping is not working. Another domain and server with the same trusted certs, everything works fine. I can see the certificate get registered with another product called Tumbleweed, but I can't see anything in the Event Viewer or IIS Logs to show that it is even checking the cert. Is there a way to get more debugging info on certs?

Thanks
Mark

"WenJun Zhang[msft]" <wjzh***@online.microsoft.com> wrote in message news:S0pOZx6oJHA.1700@TK2MSFTNGHUB02.phx.gbl...
> Hi Mark,
>
> Just wonder if the problem has been resolved? If not, please update here.
> We will be glad to assist you on further troubleshooting.
>
> Have a nice weekend.
>
> Sincerely,
> WenJun Zhang
> Microsoft Online Community Support

Hi Mark,
We usually run the SSLDiag tool on the IIS server to scan the server-side SSL configurations. Since the client cert seems to be fine, you may launch the tool on both servers to perform scanning and compare the results. Hopefully this will give us some clue of the root cause. The latest version of SSLDiag can be found at:

SSL Diagnostics Version 1.1 (x86)
http://www.microsoft.com/downloads/details.aspx?familyid=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en

Also, please check if you have a Certificate Trust List (CTL) configured on the problematic site's SSL configuration dialog. If there is, please ensure the client cert's CA is included in the CTL list.

Look forward to your update. Thanks.

Sincerely,
WenJun Zhang
Microsoft Online Community Support

Hi Mark,
Do you have any further progress or findings on this issue?

Thanks.

Sincerely,
WenJun Zhang
Microsoft Online Community Support
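
The two checks from the first reply in this thread (private key present in the user's Personal store; issuing CA present in the IIS server's computer-account Trusted Root store), scripted in PowerShell as an added example that is not part of the original thread. The function names, the thumbprint argument and the `.cer` path are hypothetical, chosen for illustration.

```powershell
# Added example, not from the thread. Function names are hypothetical.

function Test-ClientCertPrivateKey {
    # Run as the affected user on his workstation.
    # Cert:\CurrentUser\My is the "Personal" store shown in the Certificates snap-in.
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Thumbprints pasted from the MMC often carry spaces or hidden characters.
    $t = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = Get-ChildItem 'Cert:\CurrentUser\My' | Where-Object { $_.Thumbprint -eq $t }
    if (-not $cert) { Write-Warning "No certificate $t in CurrentUser\My"; return }
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey   # what the "You have a private key..." line reports
        NotAfter      = $cert.NotAfter
        Expired       = (Get-Date) -gt $cert.NotAfter
    }
}

function Test-IssuerTrustOnServer {
    # Run on the IIS server against the user's exported public certificate (.cer, no key).
    param([Parameter(Mandatory)][string]$CerPath)
    $file  = (Resolve-Path $CerPath).ProviderPath
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    # $true = build the chain in machine context, i.e. against the computer account's stores.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Revocation is switched off here so the result reflects trust only, not CRL reachability.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($cert)
    # Last element is the top of whatever chain could be built (the root, if complete).
    $top   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        ChainBuilt      = $built
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChain      = $top.Subject
        TopIsSelfSigned = $top.Subject -eq $top.Issuer   # false means the chain is incomplete
        InMachineRoot   = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
    }
}

# Usage (placeholders):
#   Test-ClientCertPrivateKey -Thumbprint '<thumbprint of the user certificate>'
#   Test-IssuerTrustOnServer  -CerPath    '.\user-cert.cer'
```

Running `Test-IssuerTrustOnServer` on both the working and the failing server with the same `.cer` file gives two objects that can be compared field by field.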