Issues when using ASP.net delegation with client certificate mapping on IIS 7.0

  • Article

Recently I came across an issue that I would like to share with everyone.

We had a .net 3.5 web service hosted on IIS 7.0. We have configured it to accept a client certificate with a 1-to-1 mapping to a domain account. When presented with the cert the service appears to run as the account ok but it seems it cannot use delegation when connecting to SQL Server and fails with following error message:

Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'”

We confirmed that client certificate mapping and kerberos settings required to make this work were in place.

Also the similar setup works fine on IIS 6.0. So the issue happens only with IIS 7.0 when using client certificate for delegation.

First is to understand the different logon types that Windows supports and what their capabilities are. I have listed only ones that we have come across here in this issue. 

2 - Interactive - Intended for users who will be interactively using the machine, such as a user being logged on by a terminal server, remote shell, or similar process.

3 - Network - Intended for high performance servers to authenticate clear text passwords. LogonUser does not cache credentials for this logon type.

8 - NetworkCleartext - Windows 2000; Windows XP and Windows Server 2003 family: Preserves the name and password in the authentication packages, allowing the server to make connections to other network servers while impersonating the client. This allows a server to accept clear text credentials from a client, call LogonUser, verify that the user can access the system across the network, and still communicate with other servers. 

In IIS 6.0 & 7.0 when calling the LogonMethodEx API, the default type that is used is type 8 (Network Clear Text). This allows an NTLM connection between the IIS server and a backend server for anything that uses
type 8. This includes Basic authentication, anonymous authentication (for IIS 6.0 only), and IIS certificate mapping authentication (but not AD certificate mapped authentication). The IIS client certificate mapping type is what applies to your situation. 

In the IIS_schema.xml there is an enumeration under iisClientCertificateMappingAuthentication called "logonMethod" that has the following information: 

<enum name="Interactive" value="0" />

<enum name="Batch" value="1" />

<enum name="Network" value="2" />

<enum name="ClearText" value="3" /> 

These enumeration names/values are what are exposed to an administrator to help control how IIS logs on a user mapped to a client certificate. The default setting is "ClearText" which is equivalent to NetworkClearText. 

When a user is logged on using IIS client certificate mapping, the logic used returns a value of “3” instead of “8”. So the user is logged on with a “Network” token instead of the expected type “NetworkClearText”. Network tokens cannot be passed to a backend service so this configuration results in "NT AUTHORITY\ANONYMOUS" being passed to SQL which fails. 

WORK AROUND: 

We can change the values of the above enumeration to the following: 

<enum name="Interactive" value="2" />

<enum name="Batch" value="4" />

<enum name="Network" value="3" />

<enum name="ClearText" value="8" />

 

To enable saving of the IIS_schema.xml file we need to:

1. Give "ownership" of the "C:\Windows\System32\inetsrv\config\schema" folder to Administrators under the "Advanced" button of the "Security" tab of the schema folder properties.

2. Give "Full Control" to Administrators on the Permissions tab.

3. Remove the "Read Only" attribute from IIS_schema.xml.

Update: This issue is already fixed in IIS 7.5 (Windows 2008 R2). No schema changes are required.

References:

https://blogs.msdn.com/b/saurabh_singh/archive/2008/12/25/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

https://msdn.microsoft.com/en-us/library/aa291350(VS.71).aspx