Client certificate mapping in IIS 7 and impersonation

Recently, while migrating an application that uses client certificate authentication to IIS 7, we noticed that ASP.NET impersonation had stopped working.

The client was authenticated properly, but the connection to the database server was being established under the machine account (DOMAIN\SERVERNAME$) rather than the mapped user. We could not find anything wrong in the configuration, so we raised a case with Microsoft support.

It turns out that one of the default IIS 7 configuration files has a bug. The file is C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml, and under the following section the enum entries carry the wrong values:

<sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
<attribute name="logonMethod" type="enum" defaultValue="ClearText">
<enum name="Interactive" value="0" />
<enum name="Batch" value="1" />
<enum name="Network" value="2" />
<enum name="ClearText" value="3" />
</attribute>
</sectionSchema>

This causes IIS to use the wrong logon type when it logs on the certificate-mapped account for impersonation. The numbers IIS expects here are the Win32 LogonUser() logon types (LOGON32_LOGON_INTERACTIVE = 2, LOGON32_LOGON_NETWORK = 3, LOGON32_LOGON_BATCH = 4, LOGON32_LOGON_NETWORK_CLEARTEXT = 8), so the section should read:

<sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
<attribute name="logonMethod" type="enum" defaultValue="ClearText">
<enum name="Interactive" value="2" />
<enum name="Batch" value="4" />
<enum name="Network" value="3" />
<enum name="ClearText" value="8" />
</attribute>
</sectionSchema>

We had set logonMethod=ClearText, but because the enum entry was originally '3', this told IIS to perform a Network logon (the real meaning of '3'). A network logon token does not carry the user's credentials, so it cannot be used for the authentication mechanism we require (Kerberos delegation to a service on another server); the request therefore fell back to the machine account. Changing the enums to their correct values resolved the issue.

Microsoft will probably not release a fix for this, so you will have to update the schema file yourself. Take a backup first and restart IIS afterwards so the new schema is read.
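To check whether a server's schema still carries the shipped values, and to apply the fix without retyping the file, here is an added example script. It is my own code, not part of the original post and not anything Microsoft ships; I wrote it in Python rather than PowerShell so the check can be run and verified on any machine. The LOGON32_LOGON_* numbers are the Win32 LogonUser() logon types; the sample schema embedded in it is constructed to match the fragment quoted above, and the script name check_iis_schema.py and the --fix switch are my own choices.

```python
import re
import shutil
import sys

# Win32 LogonUser() logon types (LOGON32_LOGON_*): the numbers the fixed
# schema must carry for the logonMethod enum.
LOGON32_LOGON_INTERACTIVE = 2
LOGON32_LOGON_NETWORK = 3
LOGON32_LOGON_BATCH = 4
LOGON32_LOGON_NETWORK_CLEARTEXT = 8

# What each <enum name="..."> under logonMethod must map to.
CORRECT_ENUMS = {
    "Interactive": LOGON32_LOGON_INTERACTIVE,
    "Batch": LOGON32_LOGON_BATCH,
    "Network": LOGON32_LOGON_NETWORK,
    "ClearText": LOGON32_LOGON_NETWORK_CLEARTEXT,
}

SECTION_NAME = ("system.webServer/security/authentication/"
                "iisClientCertificateMappingAuthentication")
SECTION_RE = re.compile(
    r'<sectionSchema\s+name="' + re.escape(SECTION_NAME) + r'".*?</sectionSchema>',
    re.DOTALL)
ATTR_RE = re.compile(r'<attribute\s+name="logonMethod".*?</attribute>', re.DOTALL)
ENUM_RE = re.compile(r'<enum\s+name="(\w+)"\s+value="(\d+)"\s*/>')

# Constructed sample (not the real file): the buggy section as quoted in the
# post, wrapped in a minimal root with an unrelated attribute that must stay untouched.
SHIPPED_SCHEMA = """<?xml version="1.0" encoding="utf-8"?>
<configSchema>
  <sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
    <attribute name="enabled" type="bool" defaultValue="false" />
    <attribute name="logonMethod" type="enum" defaultValue="ClearText">
      <enum name="Interactive" value="0" />
      <enum name="Batch" value="1" />
      <enum name="Network" value="2" />
      <enum name="ClearText" value="3" />
    </attribute>
  </sectionSchema>
</configSchema>
"""


def _logon_method_span(schema_text):
    """Offsets of the logonMethod <attribute> inside the client-cert-mapping section only."""
    sec = SECTION_RE.search(schema_text)
    if sec is None:
        raise ValueError("section %s not found" % SECTION_NAME)
    attr = ATTR_RE.search(schema_text, sec.start(), sec.end())
    if attr is None:
        raise ValueError("logonMethod attribute not found in %s" % SECTION_NAME)
    return attr.start(), attr.end()


def read_logon_enums(schema_text):
    """{enum name: numeric value} as currently declared in the schema."""
    start, end = _logon_method_span(schema_text)
    return {name: int(value) for name, value in ENUM_RE.findall(schema_text[start:end])}


def resolve_logon_method(schema_text, logon_method):
    """Logon type IIS would pass to LogonUser for a given logonMethod setting."""
    return read_logon_enums(schema_text)[logon_method]


def audit_logon_enums(schema_text):
    """{enum name: (value on disk, correct value)} for every wrong entry."""
    current = read_logon_enums(schema_text)
    return {name: (current.get(name), want)
            for name, want in CORRECT_ENUMS.items() if current.get(name) != want}


def fix_logon_enums(schema_text):
    """Schema text with the four values corrected; every other byte is unchanged."""
    start, end = _logon_method_span(schema_text)

    def repl(m):
        name, value = m.group(1), m.group(2)
        if name not in CORRECT_ENUMS:
            return m.group(0)
        return m.group(0).replace('value="%s"' % value, 'value="%d"' % CORRECT_ENUMS[name], 1)

    return schema_text[:start] + ENUM_RE.sub(repl, schema_text[start:end]) + schema_text[end:]


if __name__ == "__main__":
    # Usage: python check_iis_schema.py <path to IIS_schema.xml> [--fix]
    # Run it elevated: the schema directory is not writable by ordinary users.
    if len(sys.argv) < 2:
        sys.exit("usage: check_iis_schema.py <IIS_schema.xml> [--fix]")
    path = sys.argv[1]
    with open(path, "r", encoding="utf-8", newline="") as f:   # newline="" keeps CRLF as-is
        text = f.read()
    problems = audit_logon_enums(text)
    for name, (got, want) in problems.items():
        print("%-12s value=%s, should be %d" % (name, got, want))
    if not problems:
        print("logonMethod enums are already correct")
    elif "--fix" in sys.argv:
        shutil.copyfile(path, path + ".bak")   # keep a copy before touching a system file
        with open(path, "w", encoding="utf-8", newline="") as f:
            f.write(fix_logon_enums(text))
        print("schema updated, backup in %s.bak; restart IIS so it is re-read" % path)
```

resolve_logon_method reproduces the symptom directly: under the shipped schema, logonMethod="ClearText" resolves to 3, which is a network logon, and that is the Logon Type 3 that shows up in the Security event log; under the fixed schema it resolves to 8. The --fix path only rewrites the four value="…" strings inside that one attribute, so comments, whitespace and every other section of the real file survive the edit.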

Sharing is caring!

8 comments

  1. Win Siu says:

    I am using Windows 2008 R2 SP1. I tried the suggestions above and it is still not working for some reason. I am still getting a logon error in the event log. According to the Windows event log, it is still using Logon Type 3, Failure Reason: Unknown user name or bad password.

  2. Do you have logonType set to ClearText?

  3. Win Siu says:

    Yes. I wonder if it is applicable to Windows Server 2008 R2?

  4. I just checked and Microsoft says this exists only in 2008. Thanks for pointing out.

  5. Win Siu says:

    @Jakub “Kocureq” Anderwald
    Thanks for checking it out

  6. Ivan Pavlik says:

    Also struggling with client certificates on IIS 7.5, Win7. I did the mappings, switched off anonymous authentication and got a 401.2 response. When I tried your solution, I always got a 401.1 response regardless of whether anonymous authentication was enabled or not.

  7. Wei-Chung says:

    I got access denied when updating C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml. Do I have to do anything to update the xml file?

  8. I guess you need to start Notepad with full admin rights (“run as administrator”) to be able to write system files. Please check that and let me know if it helped.
