Hi
Sorry, this is long. I've recently moved a .Net 3.5 Web service from IIS6 on Server 2003 to IIS7 on Server 2008 and have an issue using client certificates mapped to a domain account for connecting to SQL Server (multiple versions on multiple servers).

Previously, the site was set to use network service in the app pool, acc01 for anonymous access and acc02 was mapped to a particular client certificate - installed on the server and client certs set to accepted.

I cannot reproduce this in IIS7. If I set the site to use the acc02 account as either the app pool account or the site level anonymous access account and set client certs to ignore it can connect to the DB fine, so it is not the account's DB access.

As soon as I set client certs to accepted and send the certificate, the Web service runs ok but gets an error connecting to SQL:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'

The exception is trapped by the service and formatted for the service's consumer, so I know the site is running. Again, using either the 01 or the 02 account with anonymous access works, so the Web server can connect to the SQL server.

When using IIS Certificate Mapping the account does not seem to get passed with the Integrated Security SQL connection.

I've tried - I think - every possible permutation of the following properties (I exhausted the two or three set ups that seemed logical a while ago and have tried most everything else):

App Pool: Managed Pipeline Mode
App Pool: Identity
App Pool: Load User Profile
Web Site: Anonymous Authentication
Web Site: ASP.NET Impersonation
Web Site: Windows Authentication
Web Site: SSL Settings (Client Certificates to Ignore works)
Web Site: iisClientCertificateMappingAuthentication - logonMethod

There's not a lot left of my tether so any suggestions are welcome at this point - but they have to be on the Web server. I don't have access to the DB server nor to AD (so it must be IIS Certificate mapping).

Thanks

Greg
1 solution

The cause of this issue was eventually identified by MS Support as a bug in IIS7. Here are the details...

In the IIS_schema.xml config file for IIS there is an enumeration under iisClientCertificateMappingAuthentication called "logonMethod" that has the following information:

<enum name="Interactive" value="0" />
<enum name="Batch" value="1" />
<enum name="Network" value="2" />
<enum name="ClearText" value="3" />

We were selecting ClearText in the IIS Configuration Manager drop down which is correct for the mechanism we are using (i.e. IIS certificate mapping to a domain account and Kerberos authentication with another server).

The bug is that the values in this list of enums are wrong. The correct values are:

<enum name="Interactive" value="2" />
<enum name="Batch" value="4" />
<enum name="Network" value="3" />
<enum name="ClearText" value="8" />

The fix is to manually amend the enum values in the file. You - or your admin team - will need to take ownership of the file (C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml) to remove the read only attribute before editing.

We are told there will not be a Hotfix for this. Hope this helps!
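The manual fix described in the answer, as an added PowerShell script that is not part of the original answer. It takes ownership of IIS_schema.xml, backs it up, rewrites only the four logonMethod enum values, and restarts IIS. The corrected values match the Win32 LOGON32_LOGON_INTERACTIVE (2), LOGON32_LOGON_NETWORK (3), LOGON32_LOGON_BATCH (4) and LOGON32_LOGON_NETWORK_CLEARTEXT (8) constants, which is why ClearText must be 8 for credentials to be delegated on to SQL Server. The XPath used to locate the section is an assumption about the schema layout (sectionSchema/attribute/enum), so the script checks that it found exactly four enum nodes before writing anything.

```powershell
# Added example (not from the original page): correct the logonMethod enum values in
# IIS_schema.xml. Run from an elevated PowerShell prompt on the IIS 7 server.
$schemaPath = Join-Path $env:windir 'System32\inetsrv\config\schema\IIS_schema.xml'
$backupPath = "$schemaPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

# Values the answer identifies as correct. They are the Win32 LOGON32_LOGON_* logon types.
$correct = @{
    Interactive = 2   # LOGON32_LOGON_INTERACTIVE
    Network     = 3   # LOGON32_LOGON_NETWORK
    Batch       = 4   # LOGON32_LOGON_BATCH
    ClearText   = 8   # LOGON32_LOGON_NETWORK_CLEARTEXT
}

if (-not (Test-Path $schemaPath)) { throw "Schema file not found: $schemaPath" }

# 1. The file is owned by TrustedInstaller and read-only; take ownership, grant
#    Administrators full control and clear the read-only attribute.
& takeown.exe /F $schemaPath | Out-Null
& icacls.exe $schemaPath /grant 'Administrators:F' | Out-Null
Set-ItemProperty -Path $schemaPath -Name IsReadOnly -Value $false

# 2. Keep an untouched copy so the change can be reverted.
Copy-Item -Path $schemaPath -Destination $backupPath -Force
Write-Host "Backup written to $backupPath"

# 3. Load the schema and locate the logonMethod enum nodes. The XPath below assumes the
#    sectionSchema/attribute/enum layout; the contains() match avoids hard-coding the
#    full section name.
[xml]$schema = Get-Content -Path $schemaPath -Raw
$xpath = "//sectionSchema[contains(@name,'iisClientCertificateMappingAuthentication')]" +
         "/attribute[@name='logonMethod']/enum"
$enums = $schema.SelectNodes($xpath)

if ($enums.Count -ne 4) {
    throw "Expected 4 logonMethod enum entries, found $($enums.Count). Schema layout differs; aborting without changes."
}

# 4. Rewrite only the value attribute of each known enum, reporting what changed.
foreach ($enum in $enums) {
    $name = $enum.GetAttribute('name')
    if (-not $correct.ContainsKey($name)) {
        throw "Unexpected enum name '$name' under logonMethod; aborting without changes."
    }
    $old = $enum.GetAttribute('value')
    $new = [string]$correct[$name]
    if ($old -ne $new) {
        $enum.SetAttribute('value', $new)
        Write-Host ("{0,-12} {1} -> {2}" -f $name, $old, $new)
    }
    else {
        Write-Host ("{0,-12} already {1}" -f $name, $new)
    }
}

# 5. Save and restart IIS so the configuration system re-reads the schema.
$schema.Save($schemaPath)
& iisreset.exe | Out-Null
Write-Host 'IIS_schema.xml patched and IIS restarted.'
```

After the restart, re-select ClearText for logonMethod in IIS Manager (or with appcmd) so the stored setting is serialised against the corrected value, then retest the Web service. If anything goes wrong, restore the timestamped .bak file over IIS_schema.xml and run iisreset again.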
This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)