IIS smart card logon and delegation

yuval k.

Hi all,

I have a web application (a .NET application) which is connected to AD.
I need to log on to the web application using a smart card;
after the authentication the web application tries to connect
to AD and create a new user in AD using the context
of the smart card user. The smart card user authenticates himself
to the web application:
I've checked it in the log file of the web server
and in the security log --

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 10/2/2003
Time: 5:38:52 PM
User: MYDOMAIN\12345
Computer: MANUTD
Description:
Successful Network Logon:
User Name: 12345
Domain: MYDOMAIN
Logon ID: (0x0,0x7656D)
Logon Type: 3
Logon Process: Schannel
Authentication Package: Kerberos
Workstation Name: MANUTD
Logon GUID: -
Caller User Name: MANUTD$
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 572
Transited Services: -
Source Network Address: -
Source Port: -

but the logon process to AD failed --

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 10/2/2003
Time: 5:38:52 PM
User: NT AUTHORITY\SYSTEM
Computer: CHELSA
Description:
Pre-authentication failed:
User Name: 12345
User ID: MYDOMAIN\12345
Service Name: krbtgt/MYDOMAIN.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.5.10.136

I've checked all the checkboxes for delegation on all user and computer
accounts but it still doesn't work.
If I use username and password to authenticate to the web server
the application works fine with no errors.
Even if I change the web.config file to
<identity impersonate="true" userName="MYDOMAIN\12345" password="123456" />
(it's not the real password :) )
it still works when I use password authentication but fails with
smart card logon.

Can someone help me please? I've contacted Microsoft but they still
don't have an answer for me.
 
David Cross [MS]

Maybe some of these articles will provide some leads:

Guidelines for Enabling Smart Card Logon with Third-Party Certification
Authorities (Q281245):
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q281245
Requirements for Domain Controller Certificates from a Third-Party CA
(Q291010): http://support.microsoft.com/default.aspx?scid=kb;en-us;Q291010
How to Import a Third-Party Certificate into the NTAuth Store
(Q295663): http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q295663
Step by Step Guide to Certificate Mapping:
http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp
 
yuval k.

Hi Mr. Cross,

I've read all of those articles, and I've worked according to all of them.
I can log in to the domain using smart cards (the same smart card) and IIS
shows in the logs that the user is authenticated using the UPN from the
certificate, but IIS doesn't continue with the delegation of the user
credentials. It seems like an IIS/application misconfiguration.

Do you have any other idea how to debug the delegation process?
 
David Cross [MS]

Is the IIS server joined to the domain?

This may be a difficult one to debug in a newsgroup, unfortunately.

Any errors on the IIS server?

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

yuval k.

IIS is joined to the domain; using the smart card on the client or
on the IIS server for interactive login works.
There are no errors on the IIS server (full audit and IIS logs).
I see an error on the domain controller that the user failed to log in,
and afterward the IIS computer tries to log on using the anonymous user.
I'm trying right now to change the application to write a file on the IIS
server and check which user it was written as, and do
some more debugging; I'll have more info when I finish.
 
yuval k.

Hi again,

I've checked a few more things in the process.
If I hard-code the user name and password in the application
(the same user that authenticates to IIS), the application works fine.
I've changed the application to create a file instead of creating a new user
in AD; the file created on the web server has the authenticated user
as its owner, so it seems there is no problem
with the client authentication to the web server with the smart card
and the mapping.
I'm using the S4U extensions.
Any help will be appreciated.
Thanks
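An added example, not code from the thread or from any of its posters: a small Python script that decodes the "Failure Code" field of an event 675 record like the one quoted above and checks the directory attributes that Kerberos protocol transition (the S4U2Self/S4U2Proxy path the last post refers to) depends on. The account dictionaries are constructed sample values; the host and domain names are reused from the thread, and the msDS-AllowedToDelegateTo SPNs are assumed for illustration. The userAccountControl bit values and the Kerberos error numbers are the documented constants (MS-SAMR and RFC 4120).

```python
import re

# userAccountControl bits (MS-SAMR 2.2.1.12); names follow the ADSI constants.
UF_NORMAL_ACCOUNT = 0x200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SMARTCARD_REQUIRED = 0x40000
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: "trust for delegation to any service"
UF_NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" (protocol transition)

UAC_NAMES = {
    "UF_NORMAL_ACCOUNT": UF_NORMAL_ACCOUNT,
    "UF_WORKSTATION_TRUST_ACCOUNT": UF_WORKSTATION_TRUST_ACCOUNT,
    "UF_SMARTCARD_REQUIRED": UF_SMARTCARD_REQUIRED,
    "UF_TRUSTED_FOR_DELEGATION": UF_TRUSTED_FOR_DELEGATION,
    "UF_NOT_DELEGATED": UF_NOT_DELEGATED,
    "UF_TRUSTED_TO_AUTH_FOR_DELEGATION": UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
}

# Kerberos error codes (RFC 4120 section 7.5.9) as they appear in the event 675 "Failure Code" field.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    0x07: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    0x0D: "KDC_ERR_BADOPTION",
    0x12: "KDC_ERR_CLIENT_REVOKED",
    0x17: "KDC_ERR_KEY_EXPIRED",
    0x18: "KDC_ERR_PREAUTH_FAILED",
    0x19: "KDC_ERR_PREAUTH_REQUIRED",
    0x25: "KRB_AP_ERR_SKEW",
}

# Description text of the event 675 record quoted in this thread.
EVENT_675_SAMPLE = r"""Pre-authentication failed:
User Name: 12345
User ID: MYDOMAIN\12345
Service Name: krbtgt/MYDOMAIN.COM
Pre-Authentication Type: 0x0
Failure Code: 0x19
Client Address: 10.5.10.136"""


def decode_failure_code(event_text):
    """Return (code, name) for the 'Failure Code' field of an event 675 description, or None."""
    m = re.search(r"Failure Code:\s*(0x[0-9A-Fa-f]+)", event_text)
    if not m:
        return None
    code = int(m.group(1), 16)
    return code, KRB_ERRORS.get(code, "unknown")


def uac_flags(uac):
    """Names of the known userAccountControl bits set in uac."""
    return sorted(name for name, bit in UAC_NAMES.items() if uac & bit)


def check_protocol_transition(front_end, user, target_spn):
    """Findings that would stop front_end from using S4U2Self + S4U2Proxy on behalf of user
    to reach target_spn. An empty list means the directory side looks ready."""
    findings = []
    uac = front_end["userAccountControl"]
    allowed = [s.lower() for s in front_end.get("msDS-AllowedToDelegateTo", [])]
    if not uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("front end lacks TRUSTED_TO_AUTH_FOR_DELEGATION: the S4U2Self ticket "
                        "is not forwardable, so S4U2Proxy to the target fails")
    if target_spn.lower() not in allowed:
        findings.append(f"{target_spn} is not in msDS-AllowedToDelegateTo of "
                        f"{front_end['sAMAccountName']}")
    if user["userAccountControl"] & UF_NOT_DELEGATED:
        findings.append(f"{user['sAMAccountName']} is marked 'sensitive and cannot be delegated'")
    return findings


# Constructed sample directory objects (assumed values; the SPNs are illustrative).
IIS_COMPUTER = {
    "sAMAccountName": "MANUTD$",
    "userAccountControl": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
    "msDS-AllowedToDelegateTo": ["ldap/CHELSA.mydomain.com", "ldap/CHELSA"],
}
# Same computer with "Kerberos only" constrained delegation (no protocol transition bit).
IIS_COMPUTER_KERBEROS_ONLY = dict(IIS_COMPUTER, userAccountControl=UF_WORKSTATION_TRUST_ACCOUNT)
SMARTCARD_USER = {"sAMAccountName": "12345",
                  "userAccountControl": UF_NORMAL_ACCOUNT | UF_SMARTCARD_REQUIRED}
SENSITIVE_USER = dict(SMARTCARD_USER,
                      userAccountControl=SMARTCARD_USER["userAccountControl"] | UF_NOT_DELEGATED)

if __name__ == "__main__":
    print("event 675 failure code:", decode_failure_code(EVENT_675_SAMPLE))
    print("user flags:", uac_flags(SMARTCARD_USER["userAccountControl"]))
    for label, fe, u in [("protocol transition", IIS_COMPUTER, SMARTCARD_USER),
                         ("kerberos only", IIS_COMPUTER_KERBEROS_ONLY, SMARTCARD_USER),
                         ("sensitive user", IIS_COMPUTER, SENSITIVE_USER)]:
        print(label + ":", check_protocol_transition(fe, u, "ldap/CHELSA") or ["ok"])
```

Two caveats when reading real records with this: failure code 0x19 (KDC_ERR_PREAUTH_REQUIRED) is also logged as event 675 on Windows 2000 and 2003 for the first, pre-authentication-free AS-REQ of an ordinary logon, so on its own it does not prove the request was rejected; and the checks above cover only the directory attributes, not the service's own rights on the IIS host or the SPN registration of the front end, which are separate prerequisites.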