Using client certificate and MapClientCertificateToWindowsAccount, how to specify domain?

  • Question

  • Trying to set up smart card client certificate authentication for a WCF service in my domain, using the MapClientCertificateToWindowsAccount attribute. This works perfectly for users from our own domain.

    Now we have Active Directory Trust configured with another site, users from that domain can authenticate within our domain if using username/password/domain credentials.

    When users from the other site try to connect to our WCF service using certificates, it looks like it only checks among our local accounts when trying to map users with MapClientCertificateToWindowsAccount. As the same setup works with username authentication, it looks like if I only found a way of specifying the domain together with the certificate from the client, everything would work. Or is it possible on the domain controllers to make it search for account mapping in the trusted domain as well?

    Running out of ideas...

    Any hint would be appreciated!

    Thursday, February 13, 2014 11:14 PM

All replies

  • Hi,

    IIS and Active Directory have the ability to map a certificate to a Windows user account. For more information about the feature, see Map certificates to user accounts.

    For more information about using Active Directory mapping, see Mapping Client Certificates with Directory Service Mapping.

    With this capability enabled, you can set the MapClientCertificateToWindowsAccount property of the X509ClientCertificateAuthentication class to true. In configuration, you can set the mapClientCertificateToWindowsAccount attribute of the <authentication> element to true, as shown in the following code:

    <serviceBehaviors>
     <behavior name="MappingBehavior">
      <serviceCredentials>
       <clientCertificate>
        <authentication certificateValidationMode="None" mapClientCertificateToWindowsAccount="true" />
       </clientCertificate>
      </serviceCredentials>
     </behavior>
    </serviceBehaviors>
    

    Mapping an X.509 certificate to the token that represents a Windows user account is considered an elevation of privilege because, once mapped, the Windows token can be used to gain access to protected resources. Therefore, domain policy requires the X.509 certificate to comply with its policy prior to mapping. The SChannel security package enforces this requirement.

    Also please try to check:
    MapClientCertificateToWindowsAccount Property:
    http://msdn.microsoft.com/en-us/library/system.servicemodel.configuration.x509clientcertificateauthenticationelement.mapclientcertificatetowindowsaccount(v=vs.110).aspx .

    Best Regards,
    Amy Peng


    Friday, February 14, 2014 5:54 AM
    Moderator
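    The programmatic equivalent of the configuration above, written as an added example rather than code from the thread or from Microsoft's documentation: it hosts a small service with certificate transport security, turns on the Windows account mapping, and exposes one operation that reports the DOMAIN\user the mapping produced, so a mapping that landed on a local account instead of the trusted domain is visible in the result. The service/contract names, the base address, and an SSL certificate already bound to the port are assumptions; the example also replaces the thread's certificateValidationMode="None" with ChainTrust plus online revocation checking.

```csharp
// Added example (not from the thread): programmatic form of the <serviceCredentials>
// configuration above. IWhoAmI, WhoAmIService and the base address are assumed names.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IWhoAmI
{
    [OperationContract]
    string MappedAccount();
}

public class WhoAmIService : IWhoAmI
{
    // Returns the Windows account the client certificate was mapped to, or a marker
    // when the caller was authenticated but no Windows token was attached.
    public string MappedAccount()
    {
        WindowsIdentity id = ServiceSecurityContext.Current.WindowsIdentity;
        if (id == null || id.IsAnonymous)
            return "no-windows-token:" + ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return id.Name; // "DOMAIN\user": the prefix shows which domain (or machine) the mapping hit
    }
}

public static class Program
{
    public static void Main()
    {
        var host = new ServiceHost(typeof(WhoAmIService),
            new Uri("https://service.example.test:8443/whoami")); // assumed address
        var binding = new WSHttpBinding(SecurityMode.Transport);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Certificate;
        host.AddServiceEndpoint(typeof(IWhoAmI), binding, "");

        var auth = host.Credentials.ClientCertificate.Authentication;
        // The thread's config uses certificateValidationMode="None"; ChainTrust with online
        // revocation checking makes WCF validate the chain before the Windows mapping runs.
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.RevocationMode = X509RevocationMode.Online;
        auth.MapClientCertificateToWindowsAccount = true;

        host.Open();
        Console.WriteLine("Listening on " + host.BaseAddresses[0] + "; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

    Calling MappedAccount from a smart card client shows directly whether the token carries the trusted domain's name or a local one, which is the symptom the question describes.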
  • Thank you!

    That explained why some accounts could log in with certificates and why username/password worked.

    We have a custom UserNamePasswordValidator for users logging in with username/password, so the credentials for the users are really created within our domain....

    For certificate logins the MapClientCertificateToWindowsAccount was handled by windows, and only local accounts could be authenticated, exactly as your reply said...

    The client computers in our configuration are standalone and not members of any domain...

    Based on this, what is the best approach to get the windows identity to my WCF service ?

    1. Try to log in to the correct domain controller from the client with the certificate to get a Windows identity, and then use these credentials to call our WCF service using Windows Authentication?

    2. Build a custom X509CertificateValidator and route certificate login to correct DC in some way? Maybe not possible as the negotiation requires access to private key on smart card.

    3. Using S4UClient from client or server code:

    WindowsIdentity identity = S4UClient.CertificateLogon(certificate);

    Have not seen any way of directing this to a specific server, but sounds like exactly what I need...

    4. Any other suggestions ?

    Best regards

    Johan

    Friday, February 14, 2014 11:10 AM
  • Hi,

    Compared to the other two ways, I will choose the first way: Try to log in to the correct domain controller from the client with the certificate to get a Windows identity, and then use these credentials to call our WCF service using Windows Authentication.

    The first way is the most reasonable way. Since the client computers in our configuration are standalone and not members of any domain, they cannot access the service by default. But if we can give the Windows identity, then it can simulate a Windows user. So it is easy to access the service. Then above all, I will choose the first one.

    Also check:
    http://stackoverflow.com/questions/20351565/how-to-get-windowsidentity-for-a-remote-logged-in-user .

    Thanks.

    Monday, March 3, 2014 8:24 AM