views:

473

answers:

2

My MOSS 2007 instance (IIS 6) uses Windows Authentication and IIS' Directory Service Mapping (against Active Directory), allowing the user to authenticate using only her smartcard client certificate, without any username/password, and regardless of what (if any) domain the client workstation is joined to. The IIS instance is set to require client certificates.

My understanding is that, for IIS to find (in Active Directory) an account associated with the client certificate, it must be able to read from it a "User Principal Name" (sometimes called "User Logon Name").

My user's smartcard has two client certificates issued by the same Root CA. One specifies a UPN. The other does not. She's able to choose from either certificate when accessing the site. If she chooses the certificate without the UPN, authentication is certain to fail.

What can I do to make the browser's certificate selection dialog show only certificates which IIS at least has a chance of matching to an account (again: DSM & AD)?

Put more technically: how do I limit the MOSS user's client certificate selection options to those that have a UPN in the "Subject Alternative Name" field?

+1  A: 

I don't think you can change this. I believe the certificate selection screen is part of Internet Explorer.

If the user chooses a certificate that doesn't have a UPN associated, you could prompt the user to select another certificate and try again.

Edit: Since tapping into the MOSS security framework could be difficult, you can implement this as an HTTPHandler and add it to the MOSS root web.config.

When the user request comes in, the handler gets first dibs and can redirect to the "try again" page if the UPN is missing from the cert.

The "try again" page will have to retry the request by opening another window to get another certificate prompt.

Ryan Michela
Is that accurate? My understanding is that IIS will only prompt the user for one certificate. Once the user chooses the certificate, the only way to give the user another chance is to have the user close the browser and return to the site?
lance
Have the "Click here to try again" link open the site in a new window. You are correct about having to close the window to select a new cert.
Ryan Michela
My understanding is that closing the /window/ is not enough, but rather that the entire /browser/ must be closed (to choose a different cert)?
lance
+1  A: 

Just a quick thought, in case you are open to a possibly-slightly-less-annoying solution to re-authenticating. beware: several IFs!

  • IF you can rely on the user's browser being Internet Explorer 6 SP1 or newer
  • and IF you can assume that their browser will run scripts
  • and IF you are OK with clearing ALL authentication information (that is, all sites that require authentication will require re-authentication)

  • THEN you may be able to implement the document.execCommand('ClearAuthenticationCache') javascript code. The browser should execute this code by clearing the authentication cache - all cached usernames and passwords, all cached client certificates, etc.

If the user does not run scripts or is running something other than IE, this will not (as far as I know) run. Remember, all other tabs (and windows in the same process) share in the authentication cache. If a page/site requires authentication, then this command will require the user to re-authenticate, but at least, they won't have to navigate there again after closing all the browser windows...

Have fun!

P.S. - it shouldn't affect STORED username/password combos and should not affect any PIN number that may be cached for a smart card, but will most likely require the user to press OK to submit a username/password, or to select a particular certificate again.

Brett Peirce
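The two answers above fit together: the first says to intercept the request in the MOSS web.config and send a "try again" page when the chosen certificate has no UPN, the second says that page can call `document.execCommand('ClearAuthenticationCache')` on IE 6 SP1 or newer so the user is re-prompted without closing the browser. The following is an added example combining both, written for this page and not code from either answerer or from MOSS. It uses an `IHttpModule` (registered under `<system.web><httpModules>` in the MOSS root web.config) rather than the handler the first answer mentions, because a module runs on every request; it assumes, as the first answer does, that IIS passes the request through to ASP.NET with the client certificate attached, and it assumes the site root `/` as the retry target. The UPN is read by walking the DER of the Subject Alternative Name extension (OID 2.5.29.17) for the Microsoft UPN otherName (OID 1.3.6.1.4.1.311.20.2.3), which is what IIS's directory service mapping looks for.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Web;

// Hypothetical module (added example, not from the page): reads the client
// certificate IIS already demanded and serves a retry page when it has no UPN.
public class UpnClientCertModule : IHttpModule
{
    private const string SanOid = "2.5.29.17";   // id-ce-subjectAltName
    // DER body of OID 1.3.6.1.4.1.311.20.2.3 (Microsoft UPN otherName type-id).
    private static readonly byte[] UpnOidDer =
        { 0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03 };

    public void Init(HttpApplication app)
    {
        app.BeginRequest += new EventHandler(OnBeginRequest);
    }
    public void Dispose() { }

    private void OnBeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpClientCertificate cc = app.Request.ClientCertificate;
        if (!cc.IsPresent) return;                  // IIS requires a cert; nothing to check here
        X509Certificate2 cert = new X509Certificate2(cc.Certificate);
        if (ExtractUpn(cert) != null) return;       // has a UPN: DSM can map it, let it through
        // No UPN: answer with the retry page instead of an opaque mapping failure.
        app.Response.StatusCode = 403;
        app.Response.ContentType = "text/html";
        app.Response.Write(TryAgainPage);
        app.CompleteRequest();
    }

    // Returns the UPN from the SAN extension, or null when the certificate has none.
    public static string ExtractUpn(X509Certificate2 cert)
    {
        X509Extension san = cert.Extensions[SanOid];
        return san == null ? null : FindUpn(san.RawData);
    }

    // Minimal DER walk over SubjectAltName ::= SEQUENCE OF GeneralName.
    // otherName is [0] { type-id OID, [0] EXPLICIT value }; for UPN the value is a UTF8String.
    public static string FindUpn(byte[] der)
    {
        int pos = 0, len;
        if (der == null || der.Length < 2 || der[pos++] != 0x30) return null;
        pos = ReadLength(der, pos, out len);
        int end = pos + len;
        while (pos < end)
        {
            byte tag = der[pos++];
            pos = ReadLength(der, pos, out len);
            int next = pos + len;
            if (tag == 0xA0 && len > 0 && der[pos] == 0x06)   // otherName starting with its OID
            {
                int p = ReadLength(der, pos + 1, out len);
                if (len == UpnOidDer.Length && Matches(der, p, UpnOidDer))
                {
                    p += len;
                    if (der[p] == 0xA0)                        // [0] EXPLICIT wrapper
                    {
                        p = ReadLength(der, p + 1, out len);
                        if (der[p] == 0x0C)                    // UTF8String holding the UPN
                        {
                            p = ReadLength(der, p + 1, out len);
                            return Encoding.UTF8.GetString(der, p, len);
                        }
                    }
                }
            }
            pos = next;                                        // skip rfc822Name, dNSName, ...
        }
        return null;
    }

    // Reads a DER length (short or long form) at pos; returns the offset of the content.
    private static int ReadLength(byte[] der, int pos, out int len)
    {
        len = der[pos++];
        if (len < 0x80) return pos;
        int count = len & 0x7F;
        len = 0;
        for (int i = 0; i < count; i++) len = (len << 8) | der[pos++];
        return pos;
    }

    private static bool Matches(byte[] der, int pos, byte[] pattern)
    {
        for (int i = 0; i < pattern.Length; i++) if (der[pos + i] != pattern[i]) return false;
        return true;
    }

    // Retry page: the link opens the site in a new window; on IE 6 SP1+ the onclick
    // first clears the cached client certificate so a fresh selection prompt appears.
    private const string TryAgainPage =
        "<html><body><p>The certificate you selected contains no User Principal Name, " +
        "so it cannot be matched to an account.</p>" +
        "<p><a href=\"/\" target=\"_blank\" onclick=\"tryAgain()\">Click here to try again</a></p>" +
        "<script type=\"text/javascript\">function tryAgain(){" +
        "if(document.execCommand){try{document.execCommand('ClearAuthenticationCache');}catch(e){}}" +
        "}</script></body></html>";
}
```

Register it with `<add name="UpnClientCertModule" type="UpnClientCertModule" />` inside `<httpModules>` in the web application's web.config. On a browser that is not IE, or that has scripts disabled, the `onclick` does nothing and the user is back to the situation the comments describe, where the browser must be closed to pick a different certificate; the module itself still stops the UPN-less certificate from being sent to MOSS, which is the part that does not depend on the client.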