Issues when using ASP.net delegation with client certificate mapping on IIS 7.0
Recently I came across an issue that I would like to share with everyone.
We had a .NET 3.5 web service hosted on IIS 7.0, configured to accept a client certificate with a 1-to-1 mapping to a domain account. When presented with the certificate, the service does appear to run as the mapped account, but it cannot use delegation when connecting to SQL Server and fails with the following error message:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'
We confirmed that the client certificate mapping and the Kerberos settings required to make this work were in place.
Also, the same setup works fine on IIS 6.0, so the issue occurs only on IIS 7.0 when a client certificate is used for delegation.
The first step is to understand the different logon types that Windows supports and what their capabilities are. I have listed only the ones that come into play in this issue.
2 - Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.
3 - Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.
8 - NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family: Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers.
In IIS 6.0 and 7.0, when the LogonMethodEx API is called, the default type used is type 8 (NetworkCleartext). This allows an NTLM connection between the IIS server and a backend server for anything that uses type 8. This includes Basic authentication, anonymous authentication (IIS 6.0 only), and IIS certificate mapping authentication (but not Active Directory certificate mapping authentication). IIS client certificate mapping is the type that applies to this situation.
In the IIS_schema.xml there is an enumeration under iisClientCertificateMappingAuthentication called "logonMethod" that has the following information:
<enum name="Interactive" value="0" />
<enum name="Batch" value="1" />
<enum name="Network" value="2" />
<enum name="ClearText" value="3" />
These enumeration names and values are what is exposed to an administrator to control how IIS logs on a user mapped to a client certificate. The default setting is "ClearText", which is meant to correspond to NetworkCleartext.
When a user is logged on using IIS client certificate mapping, the logic used hands over a value of "3" instead of "8", so the user is logged on with a "Network" token instead of the expected "NetworkCleartext" token. A Network token cannot be used to authenticate to a backend service, so this configuration results in "NT AUTHORITY\ANONYMOUS LOGON" being presented to SQL Server, which fails.
WORKAROUND:
We can change the values of the above enumeration to the following:
<enum name="Interactive" value="2" />
<enum name="Batch" value="4" />
<enum name="Network" value="3" />
<enum name="ClearText" value="8" />
To be able to save the IIS_schema.xml file, we need to:
1. Give "ownership" of the "C:\Windows\System32\inetsrv\config\schema" folder to Administrators under the "Advanced" button of the "Security" tab of the schema folder properties.
2. Give "Full Control" to Administrators on the Permissions tab.
3. Remove the "Read Only" attribute from IIS_schema.xml.
Update: This issue is already fixed in IIS 7.5 (Windows 2008 R2). No schema changes are required.
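The enum mismatch described above, worked through in code: this is an added example, not part of the original post or of IIS, and the schema excerpts it parses are constructed in the shape of the iisClientCertificateMappingAuthentication section of IIS_schema.xml. It resolves the configured logonMethod name to the number IIS hands to LogonUser, names the Windows logon type that number really selects, and lists the enum entries whose values do not match the Windows constants they stand for.

```python
import xml.etree.ElementTree as ET

# LogonUser LOGON32_LOGON_* values, with whether the resulting token keeps
# credentials for an onward connection (the second hop from IIS to SQL Server).
WINDOWS_LOGON_TYPES = {
    2: ("Interactive", True),
    3: ("Network", False),          # no credentials: backend sees ANONYMOUS LOGON
    4: ("Batch", True),
    8: ("NetworkCleartext", True),  # what the IIS "ClearText" setting should select
}
# The Windows constant each IIS logonMethod enum name is meant to stand for.
EXPECTED_VALUE = {"Interactive": 2, "Batch": 4, "Network": 3, "ClearText": 8}

def schema_excerpt(interactive, batch, network, cleartext):
    """Constructed excerpt in the shape of the iisClientCertificateMappingAuthentication
    section of IIS_schema.xml; only the logonMethod enum matters here."""
    return f"""<sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
  <attribute name="logonMethod" type="enum" defaultValue="ClearText">
    <enum name="Interactive" value="{interactive}" />
    <enum name="Batch" value="{batch}" />
    <enum name="Network" value="{network}" />
    <enum name="ClearText" value="{cleartext}" />
  </attribute>
</sectionSchema>"""

SHIPPED_IIS70 = schema_excerpt(0, 1, 2, 3)  # enum values as shipped with IIS 7.0
WORKAROUND = schema_excerpt(2, 4, 3, 8)     # enum values after the edit above

def enum_values(schema_xml):
    """Return {enum name: numeric value} for the logonMethod attribute."""
    attr = ET.fromstring(schema_xml).find(".//attribute[@name='logonMethod']")
    return {e.get("name"): int(e.get("value")) for e in attr.findall("enum")}

def effective_logon(schema_xml, logon_method="ClearText"):
    """Resolve a configured logonMethod name to the number IIS hands to LogonUser
    and to the Windows logon type that number actually selects."""
    value = enum_values(schema_xml)[logon_method]
    win_name, delegates = WINDOWS_LOGON_TYPES.get(value, ("invalid", False))
    return {"configured": logon_method, "value": value,
            "windows_type": win_name, "can_delegate": delegates}

def mismatched_enums(schema_xml):
    """Enum names whose value differs from the Windows constant they stand for."""
    return [n for n, v in enum_values(schema_xml).items() if EXPECTED_VALUE[n] != v]

if __name__ == "__main__":
    for label, xml in (("shipped", SHIPPED_IIS70), ("workaround", WORKAROUND)):
        print(label, effective_logon(xml), "mismatches:", mismatched_enums(xml))
```

Run against a real IIS_schema.xml, mismatched_enums tells you in one call whether the server still carries the shipped values or has been patched.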
References:
https://msdn.microsoft.com/en-us/library/aa291350(VS.71).aspx
Comments
- Anonymous
May 02, 2012
Also struggling with client certificates on IIS 7.5 Win 7. Always got 401.2 when anonymous authentication was disabled. I found the values for the logon type enumeration to be the same (0, 1, 2, 3, 4). Is that fix released only for IIS 7.5 on Win 2008 R2, or also for Win 7? However, when I tried to change the logon type enum values, I always got a 401.1 response regardless of whether anonymous authentication was enabled or not.
- Anonymous
June 11, 2012
Hello Ivan, sorry for the delayed response. You need not change the enum values on 2008 R2/Win 7 as this is taken care of by the code itself.
- Anonymous
December 05, 2012
I am experiencing the same symptom you describe on IIS 7.5 (Server 2008 R2), logon type=3. Delegation is not working for me either. If the issue has been corrected in that release, why else might I be seeing this? I've included a security log entry below. If you have any suggestions, perhaps you could comment here: forums.iis.net/.../1
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 12/5/2012 9:30:35 PM
Event ID: 4624
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: Q-WEB-02.xyz.qa1
Description:
An account was successfully logged on.
Subject:
  Security ID: SYSTEM
  Account Name: Q-WEB-02$
  Account Domain: XYZQA1
  Logon ID: 0x3e7
Logon Type: 3
New Logon:
  Security ID: XYZQA1\Hugh.Kelley
  Account Name: Hugh.Kelley
  Account Domain: XYZQA1
  Logon ID: 0x219965a
  Logon GUID: {4c97ff94-b22e-3a74-43dc-e22a1e5ee5ff}
Process Information:
  Process ID: 0x20c
  Process Name: C:\Windows\System32\lsass.exe
Network Information:
  Workstation Name: Q-WEB-02
  Source Network Address: -
  Source Port: -
Detailed Authentication Information:
  Logon Process: Schannel
  Authentication Package: Kerberos
  Transited Services: -
  Package Name (NTLM only): -
  Key Length: 0
- Anonymous
March 06, 2013
Hello Hugh, in case you are still struggling with the delegation issue, I would suggest you use DelegConfig to get to the root of it: www.iis.net/.../delegconfig-v2-beta-(delegation-kerberos-configuration-tool)
You may also refer to this checklist for Kerberos settings on IIS 7: blogs.msdn.com/.../service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx
- Anonymous
January 13, 2015
Getting the same problem, but we are using ClientCertificateAuthentication... not IISClientCertificateAuthentication. In other words, our certificates need to resolve to a user account in Active Directory. This much is working, but for some reason the domain account is not being used to connect to the SQL DB, it is anonymous... Is this setting still applicable?