For the love of god, please help me. I can't afford to pull out any
more hair.
I have a small domain setup at my organization, all servers are Windows
2003. We are trying to configure certificate based logins using the
directory services method (not IIS certificate mapping).
My issue is not with configuring the servers. I have SSL required,
Client certificate required, Enable Client Certificate mapping is
checked, and Directory Services mapping is checked. All of our user
accounts are stored in the domain's Active Directory and all users have
their certificates published in the AD and the name mappings property
is properly set.
When I authenticate on our web server with my certificate, my domain
account username shows up in the web log. I can control access to
different web sites by using domain account ACLs on the different web
applications we have. It seems to me everything is properly
configured.
Here is my problem. We have a file storage and retrieval web
application. The files are stored on another server in the domain.
When I try to access an existing file I get an HTTP Error 401.3 -
Unauthorized: Access is denied due to an ACL set on the requested
resource. FYI - the files to view are displayed on the web page as
links.
It seems to me that when I present my certificate to the web server,
IIS logs me in on the web server as the account my certificate is
mapped to. However, when IIS tries to access the remote resource,
those credentials are not used to access the remote storage on our file
server. I tried giving the everyone account access and went as far as
making my account a domain admin. I tried sniffing the traffic between
the web server and file server to examine the SMB packets. I could not
determine what account was being used by looking at the raw network
data.
Just so you have all the information... We have a virtual directory
set up on our web server that connects to a share on the file server via
a UNC path. On IIS 6 you have two options for authentication when
accessing a share on another server. One is to use an account/password
you supply (we do not want to do this), the other is to use the
authenticated users credentials. We assumed that when using DS mapping
that our users would always be authenticated as the account the
certificate was mapped to. This seems to be the case when accessing
the local file system, but not when trying to access the remote file
system through a virtual directory.
I do not understand why we still have an ACL error even when giving the
everyone account full access on the share and the filesystem. This
seems to me that when the web server tries to access the remote storage
it is using a local account that the file server does not know about.
I have IIS configured to use a domain account for both the anonymous
account and the worker process account. (The IUSR_XXX and IWAM_IIS)
and these accounts are added to the local IIS_WPG group.
Can anyone shed some light on this?
-Andy
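The post says the mapped domain account shows up in the web log, and that the UNC-backed virtual directory answers with 401.3. One check worth doing before going further is to pull every 401.3 entry for that virtual directory out of the IIS log and look at the cs-username IIS recorded on each one: IIS writes "-" there when it treated the request as anonymous, so the log itself tells you whether the denied requests were associated with the mapped domain account or with no account at all. The script below is an added example, not code from the original post or from IIS; the log lines are constructed for it (the site name W3SVC1, the addresses, the virtual directory path /filestore/, the account CORP\andy and the win32 status values are all assumed), and the field list follows the IIS 6 default #Fields directive, which the parser reads from the log rather than hard-coding.

```python
"""Pull 401.3 (ACL denied) entries for one virtual directory out of an
IIS 6 W3C extended log and report the username IIS logged for each.

Added example; the log below is constructed, not taken from a real server.
The parser is driven by the #Fields directive, so it works for any field
selection, not just the IIS 6 default shown here.
"""
from collections import Counter

# Constructed sample log.  Field order is the IIS 6 default.  The username
# column shows the mapped domain account on some requests and '-' (which
# IIS writes for anonymous requests) on others.  CORP\andy, W3SVC1, the IPs
# and the /filestore/ path are assumptions for this example.
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2005-03-01 14:02:11
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2005-03-01 14:02:11 W3SVC1 10.0.0.5 GET /filestore/default.aspx - 443 CORP\andy 10.0.0.77 Mozilla/4.0 200 0 0
2005-03-01 14:02:15 W3SVC1 10.0.0.5 GET /filestore/docs/report.doc - 443 CORP\andy 10.0.0.77 Mozilla/4.0 401 3 5
2005-03-01 14:02:40 W3SVC1 10.0.0.5 GET /filestore/docs/budget.xls - 443 - 10.0.0.78 Mozilla/4.0 401 3 5
2005-03-01 14:03:01 W3SVC1 10.0.0.5 GET /intranet/index.htm - 443 CORP\andy 10.0.0.77 Mozilla/4.0 200 0 0
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directives: only #Fields matters for parsing; it may appear
            # more than once in a log (IIS re-emits it after a restart).
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("request line seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(
                f"expected {len(fields)} fields, got {len(values)}: {line}")
        yield dict(zip(fields, values))


def acl_denials(text, vdir_prefix):
    """Return (cs-uri-stem, cs-username) for every 401.3 under vdir_prefix.

    A username of '-' means IIS logged the request as anonymous, i.e. it was
    not associated with any mapped account when the 401.3 was written.
    """
    hits = []
    for rec in parse_w3c(text):
        if (rec["sc-status"] == "401" and rec["sc-substatus"] == "3"
                and rec["cs-uri-stem"].startswith(vdir_prefix)):
            hits.append((rec["cs-uri-stem"], rec["cs-username"]))
    return hits


def summarize(hits):
    """Count 401.3 denials by the identity IIS logged for the request."""
    return Counter("anonymous" if user == "-" else user for _, user in hits)


if __name__ == "__main__":
    denials = acl_denials(SAMPLE_LOG, "/filestore/")
    for uri, user in denials:
        print(f"401.3  {user:<12} {uri}")
    print(dict(summarize(denials)))
```

Run it against a real log by reading the file into a string in place of SAMPLE_LOG and passing the virtual directory's URL prefix. If every 401.3 on the UNC-backed directory carries the mapped domain account, IIS did associate the request with that account and the denial happened on the hop to the file server; if the entries show "-", IIS itself treated those requests as anonymous, which is a different problem to chase.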