I am trying to enable a topology where:
1. Non domain-joined client (smartphone, non-Windows browser, etc.) authenticates via client cert to IIS 8
2. IIS 7.5 performs clientCertificateMappingAuthentication to match the certificate subject to an AD user
3. The user is then impersonated on an ASP.NET thread
4. The user's identity is delegated to a back end service - SQL, in this case.
I have 1-3 working. Requirement 4 escapes me (though it will work for HTTP basic authentication and Windows authentication).
I have enabled failed request tracing and don't see any IIS errors, the SQL connection just tries to open anonymously and fails. The same page request works (SQL request authenticates) if I just ignore client certs on the IIS site.
This is just a delegation issue. The app pool identity is mapped to an SPN and trusted for delegation (all protocols) to the service in question:
userPrincipalName: service-kerbtest@xyz.qa1
servicePrincipalName: http/kerbtest.xyz.qa1
msDS-AllowedToDelegateTo: MSSQLSvc/bcaps.dbs.xyz.qa1:1433
Here you can see some evidence that the client-IIS authentication is working.
WindowsIdentity (AppPool process: 2636):
WindowsIdentity (current thread): XYZQA1\Hugh.Kelley
AuthenticationType: Kerberos
IsAuthenticated: True
Connecting to:
Server=bcaps.dbs.xyz.qa1;Integrated Security=SSPI;Initial Catalog=master;
Error Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Page User: XYZQA1\Hugh.Kelley
Page AuthenticationType: SSL/PCT
From web.config:
<system.webServer>
  <security>
    <authentication>
      <windowsAuthentication enabled="true" />
    </authentication>
  </security>
</system.webServer>
From applicationHost.config:
<location path="kerbtest.xyz.qa1">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="true" />
        <basicAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
<location path="kerbtest.xyz.qa1" overrideMode="Allow">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication>
          <providers />
          <extendedProtection />
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
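A defender-side check of the delegation configuration listed in the question (UPN, SPN, msDS-AllowedToDelegateTo), added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the app pool identity's sAMAccountName is service-kerbtest; the account and SPN values are copied from the question. It also reports whether the account has protocol transition set, which a server needs in order to delegate a client that authenticated without a Kerberos ticket (the SSL/PCT authentication type shown in the trace above), and whether the SQL SPN is registered on exactly one account.

```powershell
# Added verification script, not part of the original post. Assumes the RSAT
# ActiveDirectory module is installed and that the sAMAccountName below is the
# app pool identity whose UPN is service-kerbtest@xyz.qa1.
Import-Module ActiveDirectory

$AppPoolAccount = 'service-kerbtest'                 # from the post's userPrincipalName
$BackendSpn     = 'MSSQLSvc/bcaps.dbs.xyz.qa1:1433'  # from the post's msDS-AllowedToDelegateTo

$props = 'userPrincipalName', 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'
$acct  = Get-ADUser -Identity $AppPoolAccount -Properties $props

# userAccountControl bits that govern delegation.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation: should be OFF
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol" (protocol transition)
$uac = [int]$acct.userAccountControl

$report = [pscustomobject]@{
    Account             = $acct.SamAccountName
    UPN                 = $acct.userPrincipalName
    SPNs                = ($acct.servicePrincipalName -join '; ')
    AllowedToDelegateTo = ($acct.'msDS-AllowedToDelegateTo' -join '; ')
    Unconstrained       = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
    ProtocolTransition  = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    TargetSpnListed     = ($acct.'msDS-AllowedToDelegateTo' -contains $BackendSpn)
}
$report | Format-List

if ($report.Unconstrained) {
    Write-Warning "$AppPoolAccount has unconstrained delegation; any ticket it receives can be reused against any service."
}
if (-not $report.ProtocolTransition) {
    Write-Warning "Protocol transition is not set; a client that did not present a Kerberos ticket (e.g. a certificate-mapped SSL/PCT logon) cannot be delegated."
}
if (-not $report.TargetSpnListed) {
    Write-Warning "$BackendSpn is not in msDS-AllowedToDelegateTo; the KDC will refuse S4U2Proxy to SQL."
}

# The target SPN must be registered on exactly one account, or the KDC cannot issue a ticket for it.
$owners = @(Get-ADObject -Filter { servicePrincipalName -eq $BackendSpn } -Properties servicePrincipalName)
switch ($owners.Count) {
    0       { Write-Warning "$BackendSpn is registered on no account; the SQL client falls back to NTLM and delegation fails." }
    1       { "SPN $BackendSpn is registered on $($owners[0].DistinguishedName)" }
    default { Write-Warning "$BackendSpn is duplicated on $($owners.Count) accounts; Kerberos ticket requests for it will fail." }
}
```

Run it as a user with read access to the service account and to the SQL service account's SPN attribute; a warning on any of the four checks is a configuration gap to fix before looking elsewhere.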