
Client certificate mapping in IIS 7 and impersonation

Recently, when migrating an application that uses client certificate authentication to IIS 7, we noticed that ASP.NET impersonation stopped working.

The client was authenticated properly, but the connection to the database server was being established with the machine account (DOMAIN\SERVERNAME$) instead of the impersonated user. We didn’t find any issue in the configuration, so we raised a case with Microsoft support.

It turns out that one of the IIS 7 default configuration files has a bug. The file is C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml, and under the following section the enum entries are wrong:

<sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
  <attribute name="logonMethod" type="enum" defaultValue="ClearText">
    <enum name="Interactive" value="0" />
    <enum name="Batch" value="1" />
    <enum name="Network" value="2" />
    <enum name="ClearText" value="3" />
  </attribute>
</sectionSchema>

Because of this, IIS uses the wrong logon type when it logs on the impersonated, certificate-mapped account. The correct values for that section are:

<sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
  <attribute name="logonMethod" type="enum" defaultValue="ClearText">
    <enum name="Interactive" value="2" />
    <enum name="Batch" value="4" />
    <enum name="Network" value="3" />
    <enum name="ClearText" value="8" />
  </attribute>
</sectionSchema>

We had set logonMethod=ClearText, but because the enum entry was originally ‘3’, this told IIS to actually use the Network logon type (which is what the value ‘3’ really means), and a network logon does not allow the authentication mechanism we require (Kerberos delegation to a service on another server). Changing the enums to their correct values resolved the issue.

Microsoft probably won’t release a fix for this, so you’ll have to update the schema file yourself.
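Before editing the file by hand it is worth confirming which logon type each enum name in the installed schema actually resolves to. The following PowerShell function is an added example, not code from the original post or from Microsoft: it reads IIS_schema.xml, finds the logonMethod attribute of the iisClientCertificateMappingAuthentication section, and compares every enum value against the Win32 LogonUser logon type constants (LOGON32_LOGON_INTERACTIVE = 2, LOGON32_LOGON_NETWORK = 3, LOGON32_LOGON_BATCH = 4, LOGON32_LOGON_NETWORK_CLEARTEXT = 8). The ActsAs column shows which logon type IIS would really use for a given name on a buggy file. The default path and the function name are assumptions; the sample XML below is constructed from the buggy fragment quoted above.

```powershell
# Added example (not from the original post): check the logonMethod enum in
# IIS_schema.xml against the documented LogonUser logon type constants.
$ExpectedLogonMethod = @{
    Interactive = 2   # LOGON32_LOGON_INTERACTIVE
    Network     = 3   # LOGON32_LOGON_NETWORK
    Batch       = 4   # LOGON32_LOGON_BATCH
    ClearText   = 8   # LOGON32_LOGON_NETWORK_CLEARTEXT (needed for delegation)
}

function Test-IisClientCertLogonMethodSchema {
    [CmdletBinding()]
    param(
        # Path to the schema file; default is the location named in the post (assumed).
        [string]$Path = "$env:windir\System32\inetsrv\config\schema\IIS_schema.xml",
        # Optionally pass the XML text directly (used for the constructed sample below).
        [string]$XmlText
    )

    if (-not $XmlText) { $XmlText = Get-Content -Path $Path -Raw }
    [xml]$schema = $XmlText

    $section = $schema.SelectSingleNode(
        "//sectionSchema[@name='system.webServer/security/authentication/iisClientCertificateMappingAuthentication']")
    if (-not $section) { throw "iisClientCertificateMappingAuthentication section not found in schema" }

    $attr = $section.SelectSingleNode("attribute[@name='logonMethod']")
    if (-not $attr) { throw "logonMethod attribute not found in schema" }

    foreach ($enum in $attr.SelectNodes("enum")) {
        $name     = $enum.GetAttribute("name")
        $actual   = [int]$enum.GetAttribute("value")
        $expected = $ExpectedLogonMethod[$name]
        # The logon type IIS would really pass to LogonUser for this name: the
        # name whose correct constant equals the value found in the file.
        $actsAs = ($ExpectedLogonMethod.GetEnumerator() |
                   Where-Object { $_.Value -eq $actual } |
                   Select-Object -First 1).Key
        [pscustomobject]@{
            Name     = $name
            Actual   = $actual
            Expected = $expected
            Ok       = ($null -ne $expected -and $actual -eq $expected)
            ActsAs   = $actsAs
        }
    }
}

# Constructed sample: the buggy fragment quoted in the post, wrapped in a minimal root.
$BuggySample = @"
<configSchema>
  <sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
    <attribute name="logonMethod" type="enum" defaultValue="ClearText">
      <enum name="Interactive" value="0" />
      <enum name="Batch" value="1" />
      <enum name="Network" value="2" />
      <enum name="ClearText" value="3" />
    </attribute>
  </sectionSchema>
</configSchema>
"@

Test-IisClientCertLogonMethodSchema -XmlText $BuggySample | Format-Table -AutoSize
# On the buggy fragment, ClearText reports Actual=3 Expected=8 ActsAs=Network:
# the setting you asked for is silently turned into a network logon.

# Against the live server (run elevated), list only the broken entries:
# Test-IisClientCertLogonMethodSchema | Where-Object { -not $_.Ok }
```

A mismatch reported here explains a Logon Type 3 entry in the Security event log even though applicationHost.config says logonMethod="ClearText"; after correcting the schema, re-run the function until every row shows Ok = True. Per the thread below, Microsoft states the bug exists only in the Windows Server 2008 version of IIS 7, so a clean result on 2008 R2 is expected.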

Categories: IIS
  1. Win Siu
    March 6th, 2012 at 23:08 | #1

    I am using Windows 2008 R2 SP1. I tried the suggestions above and it is still not working for some reason. Still getting a logon error in the event log. According to the Windows event log, it is still using Logon Type 3, Failure Reason: Unknown user name or bad password.

  2. March 10th, 2012 at 11:20 | #2

    Do you have logonType set to ClearText?

  3. Win Siu
    March 12th, 2012 at 18:57 | #3

    Yes, I wonder if it is applicable to Windows Server 2008 R2?

  4. March 12th, 2012 at 18:59 | #4

    I just checked and Microsoft says this exists only in 2008. Thanks for pointing out.

  5. Win Siu
    March 13th, 2012 at 15:28 | #5

    @Jakub “Kocureq” Anderwald
    Thanks for checking it out
