iis 7.5 with smart card authentication
Hi all. I have some trouble with smart card logon on IIS. Situation: the first machine is Server 2008 SP2, a domain controller with AD DS and AD CS. The second is Server 2008 R2 with IIS 7.5 and a new site created via "right-click - create site". The third machine is a non-domain Server 2008 R2. One USB eToken key holds two certificates: one for user "admin" (domain admin with login "contoso\admin") and one for user "agent" (domain user with login "contoso\agent"). IIS is configured as follows: full install with all services, excluding WebDAV, all FTP and custom logging. On the server, under the authentication section, "AD client certificate authentication" is enabled; "win auth" I tried both enabled and disabled. On the site, under authentication, only "win auth" is enabled. On the second machine (IIS) the drivers for the eToken are already installed, and I can log on to the machine successfully with both certificates and can see the site directory too. On the non-domain machine I imported the certificate from AD CS into trusted roots. Well, when I try to log on from the non-domain machine as "admin", I need to type the eToken PIN twice (every time I log in; why twice?), and after that I reach the web site and see the content.
In the IIS logs I see the following lines:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-11-25 12:05:21 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 401 2 5 0
2010-11-25 12:06:27 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 401 1 2148074254 32
2010-11-25 12:06:29 192.168.235.50 GET / - 50 CONTOSO\admin 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 200 0 0 284
2010-11-25 12:07:16 192.168.235.50 GET / - 50 CONTOSO\admin 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 200 0 0 199

and nothing is logged about this anywhere else. When I try to log on with "agent", I enter the PIN three times but get the error 401 - Unauthorized: Access is denied due to invalid credentials.
In the IIS logs:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-11-25 12:04:57 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 401 2 5 556
2010-11-25 12:04:57 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 401 1 2148074254 13
2010-11-25 12:05:01 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 401 2 5 0
2010-11-25 12:05:09 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 401 1 2148074254 0
2010-11-25 12:05:11 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 401 2 5 1
2010-11-25 12:05:17 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) 401 1 2148074254 0

and nowhere in other places... I tried to add "contoso\agent" into the Domain Admins group and give it the same permissions as "contoso\admin" has. I tried to import the certificate from AD CS into "Certificates" in IIS. Nothing helps. Every time I can log in with "admin" on the second attempt, but never with "agent". What's wrong?
November 25th, 2010 8:08am
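For anyone triaging the same symptoms, the most useful data in the post is the sc-substatus / sc-win32-status pair on each 401, which the raw log makes hard to read. The script below is an added example, not code from the thread or from Microsoft: it parses IIS W3C log text using the #Fields header, decodes each 401 with Microsoft's documented IIS substatus meanings (401.1 logon failed, 401.2 logon failed due to server configuration) and the two Win32/HRESULT values present in the excerpts (5 = ERROR_ACCESS_DENIED, 2148074254 = 0x8009030E = SEC_E_NO_CREDENTIALS), and reports whether the session ever produced a 200 with a username. The sample lines are a constructed, abbreviated copy of the two excerpts above (User-Agent shortened); the field names and status mappings are assumptions about the server's logging configuration.

```python
from collections import Counter

# Documented IIS 401 substatus meanings (assumed to match this server).
SUBSTATUS_401 = {
    1: "logon failed",
    2: "logon failed due to server configuration",
    3: "unauthorized due to ACL on resource",
}
# Win32 / HRESULT values seen in sc-win32-status in the thread's excerpts.
WIN32_STATUS = {
    0x00000005: "ERROR_ACCESS_DENIED (usual for the initial 401.2 challenge)",
    0x8009030E: "SEC_E_NO_CREDENTIALS (no usable credential for the negotiated package)",
}

# Constructed sample: abbreviated copy of the post's two excerpts.
ADMIN_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-11-25 12:05:21 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 401 2 5 0
2010-11-25 12:06:27 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 401 1 2148074254 32
2010-11-25 12:06:29 192.168.235.50 GET / - 50 CONTOSO\admin 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 284
2010-11-25 12:07:16 192.168.235.50 GET / - 50 CONTOSO\admin 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 200 0 0 199
"""

AGENT_LOG = r"""
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-11-25 12:04:57 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 401 2 5 556
2010-11-25 12:04:57 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 401 1 2148074254 13
2010-11-25 12:05:01 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 401 2 5 0
2010-11-25 12:05:09 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 401 1 2148074254 0
2010-11-25 12:05:11 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 401 2 5 1
2010-11-25 12:05:17 192.168.235.50 GET / - 50 - 192.168.235.100 Mozilla/4.0+(compatible;+MSIE+8.0) 401 1 2148074254 0
"""


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any #Fields header
        values = line.split()  # W3C format encodes spaces in values as '+'
        if len(values) != len(fields):
            continue  # skip malformed lines instead of mis-aligning columns
        records.append(dict(zip(fields, values)))
    return records


def describe(rec):
    """One-line human reading of a record's auth outcome."""
    status = int(rec["sc-status"])
    sub = int(rec["sc-substatus"])
    w32 = int(rec["sc-win32-status"])
    if status == 401:
        return "401.%d %s; win32 0x%08X %s" % (
            sub, SUBSTATUS_401.get(sub, "unknown substatus"),
            w32, WIN32_STATUS.get(w32, "unmapped"))
    return "%d as %s" % (status, rec["cs-username"])


def summarize(text):
    """Aggregate a log excerpt: outcome counts, who authenticated, and how many
    401s carried SEC_E_NO_CREDENTIALS (the status repeated in the agent case)."""
    recs = parse_w3c(text)
    outcomes = Counter(
        (r["sc-status"], r["sc-substatus"], r["sc-win32-status"]) for r in recs)
    authenticated = sorted({r["cs-username"] for r in recs
                            if r["sc-status"] == "200" and r["cs-username"] != "-"})
    no_cred = sum(1 for r in recs if r["sc-status"] == "401"
                  and int(r["sc-win32-status"]) == 0x8009030E)
    return {
        "requests": len(recs),
        "authenticated_as": authenticated,
        "no_credentials_failures": no_cred,
        "outcomes": dict(outcomes),
        "timeline": [describe(r) for r in recs],
    }


if __name__ == "__main__":
    for name, log in (("admin", ADMIN_LOG), ("agent", AGENT_LOG)):
        s = summarize(log)
        print(name, s["requests"], s["authenticated_as"], s["no_credentials_failures"])
        for line in s["timeline"]:
            print("  ", line)
```

Run against the two excerpts, the admin session shows one 401.2 challenge, one 401.1 with SEC_E_NO_CREDENTIALS, then 200s as CONTOSO\admin; the agent session shows the same challenge/no-credentials pair repeated three times with no 200 at all. That pattern points at the credential handshake for the second certificate never completing on the IIS side rather than at an ACL on the site (which would show 401.3), which is the distinction worth establishing before changing group memberships or permissions.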

Hello, as the most part belongs to security configuration with CA, I suggest to use the security forum: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads Another option to ask is the IIS forum: http://forums.iis.net/
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
November 25th, 2010 11:31am
