Hello
Not entirely sure whether this is an IIS issue or a Windows authentication issue.
We have a web server in one domain, and users in another. There is a two-way domain trust between the two and, using Negotiate or NTLM authentication in IIS, this works absolutely fine.
However, we now have some Android smartphones that are using SCEP/NDES to gain client certificates to avoid people having to enter usernames and passwords when they access internal resources, and for some reason AD Certificate Based Authentication Mapping is not able to authenticate these users, so they are receiving authentication prompts when accessing sites hosted on this web server.
On other web servers which are in the same domain as the users, this works successfully, so I know the basics work, but there is some problem when it comes to authenticating users in another domain.
It appears that the certificate is being accepted quite happily, as A) I am prompted to choose a client cert and B) if I use one of the test .asp pages you can find the code for on the internet and enter your credentials, you can see the certificate details appearing as expected; but I suspect that certificates are not being successfully mapped to AD users by the DS Mapper due to the user being in a different domain to the server.
I have ensured that DS Mapper Usage and Negotiate Client Certificate are both enabled on the SSL Certificate Binding.
Has anyone managed to get a similar setup working? Or have any ideas as to how I can debug the certificate mapping process? Nothing useful appears in Failed Request Tracing or the IIS or Windows logs, so far as I can tell.
Thanks
Ralf