Can you tell me what version of OS you are experiencing this problem? And
what type of security protocol you are using with SSPI, SSL or kerberos?
I assume you mean the AcceptSecurityContext() does not return
ASC_REQ_MUTUAL_AUTH.
This problem looks like the symptom talked about in the link below, can you
check if they are the same problems?
"SSPI Mutual Authentication Is Indicated on the Client Side But Not on the
Server Side"
http://support.microsoft.com/kb/304161/en-us
I have seen an known issue of AcceptSecurityContext() not return
ASC_REQ_MUTUAL_AUTH when using SSPI with SSL(Schannel). Below is some
details information:
The AcceptSecurityContext function will return ASC_RET_MUTUAL_AUTH if a
client certificate was received from the client and schannel was
successfully able to map the certificate to a user account in AD. This is
the mandatory requirement for Schannel mutual authentication design.
Mapping Certificates requirement is documented in "Authenticating the
client" at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/se
curity/performing_authentication_using_schannel.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/se
curity/mapping_certificates.asp
Windows Schannel implementation will attempt to map the certificate to a
user account in AD in order for AcceptSecurityContext() to return
ASC_RET_MUTUAL_AUTH. This is performed so that the server can perform
authorization decisions based on the impersonation access token.
The Certificate Mapping process is documented at:
http://www.microsoft.com/windows2000/en/advanced/help/sag_CS_CertMapAccounts
.htm
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windo
ws2000/en/advanced/help/sag_CSprocs_CertMapAD.htm
Certificate Mapping is the process of mapping a client authentication
certificate to a domain user account in AD. This operation is done on the
domain controller of the AD domain either manually or programmatically
during installation. This step is required for AcceptSecurityContext to
return ASC_RET_MUTUAL_AUTH.
However, this is really not required, if you want to simply check/validate
the client authentication certificate in the server code. But,
AcceptSecurityContext() will not return ASC_RET_MUTUAL_AUTH unless schannel
was successfully able to map the client authentication certificate to a
user account in AD. This is the mandatory requirement for Schannel mutual
authentication design on the server side.
I will wait for your further feedback and information. Thanks.
Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Thanks for your feedback!
Yes, this is issue I talked about in the first reply. I have discussed this
issue with SSL expert and the original issue owner. They confirmed that
they are the same issue.
AcceptSecurityContext will set ASC_RET_MUTUAL_AUTH if a client certificate
was received from the client and schannel was successfully able to map the
certificate to a user account in AD. For this to occur, Certificate
Mapping must be performed by domain admin before.
Certificate Mapping is the process of mapping a client authentication
certificate to a domain user account in AD. This operation is done on the
domain controller of the AD domain either manually or programmatically
during installation by domain admin:
http://technet2.microsoft.com/WindowsServer/en/library/3f98fdd9-ed64-49f7-9c
20-a2d4581dfbea1033.mspx?mfr=true (Look for "How Schannel Uses Certificate
Mapping").
Mapping Certificates requirement is documented in "Authenticating the
client" in MSDN.
http://msdn2.microsoft.com/en-us/library/aa378819.aspx
The Certificate Mapping process is documented at [Section Using the Active
Directory for One-to-One Mapping]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/ac
tivedirectory/howto/mapcerts.mspx
The handshake succeeds even though cert mapping has failed. The return
value of QueryContextAttributes with SECPKG_ATTR_ACCESS_TOKEN will indicate
the reason for cert mapping failure.
Note: this also applies to x64 Win2003.
There are also 2 WebClient and WebServer samples in the PlatformSDK at
%MSSDK%\Samples\Security\SSPI\SSL. This is the folder structure if you have
Windows Server 2003 SP1 Platform SDK installed.
If you still have anything unclear, please feel free to tell me, thanks.
I will perform some research over your further question and reply to you
ASAP. Thanks for your understanding.
Sorry for letting you wait. I have discussed this issue with one SSL
developer, below is his comment:
"That means the client did not even send a certificate. The protocol allows
this:
SSL3: The client sends a no certificate alert.
TLS: The client sends a certficate message with 0 length (i.e, no
certificates).
The handshake will succeed in this case but cert mapping will obviously
fail.
If you have a sniff, then I'd be happy to take a look to confirm.
I agree that the documentation is somewhat lacking and will open a doc bug
to address this."
So, can you provide the network sniff of this issue? Thanks.
Additionally, you have to call QueryContextAttributes() only after the
authentication loop is completed.
If QueryContextAttributes SECPKG_ATTR_REMOTE_CERT_CONTEXT fails on the
server with SEC_E_NO_CREDENTIALS it means that the client didn't supply a
client authentication certificate. The problem is in the client side code.
You can use this to check if the client supplied a certificate or not as
shown in WebServer sample.
You can look at WebServer and WebClient SDK samples as a reference.
Hope this helps.
Sorry for the late response, I am out of office yesterday.
I will perform some research on this issue and let you know the result
ASAP. Thanks.
Sorry for letting you wait.
I have consulted this issue with the SSL dev team. Based on their feedback,
we do update our internal list in schannel if new root's are added. So, a
reboot is not necessary. They are not sure what's going on here.
Can you help to give a recheck? In this scenario, the behavior is different
from our design spec, so is it possible for you to provide sample reproduce
projects with detailed steps to help me give it a local repro?
Thanks,
--
Timothy Jewett
Jewet...@online.nospam
Yes, I understand it. If you need further help, please feel free to post,
thanks.