Yes, the certificate mapping does give you an impersonatable token and if
you use protocol transition (S4U), it should be then possible to delegate
the impersonated security context to the web service via Kerberos
delegation.
As I said before, you can't actually delegate the client certificate SSL
handshake itself since you don't have the private key, but the Kerberos
delegation approach can be made to work.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Dominick Baier" <dbaier@pleasep leasenospam_lea stprivilege.com wrote in
message news:8e******** *************** ***@news.micros oft.com...
IIS has a certificate mapping feature - this allows to map the certificate
to a Windows account (i can't remember if this gives you an impersonatable
token - Joe?).
You could also use protocol transition to do this - but this requires a
domain.
-----
Dominick Baier (http://www.leastprivilege.com)
Developing More Secure Microsoft ASP.NET 2.0 Applications
(http://www.microsoft.com/mspress/books/9989.asp)
>I have some secure ASP.NET Web Services (which could become WCF
services) used to generate a secure ASP.NET page. Is there any way to
delegate (impersonate?) the client cert from the user accessing the
page to the secure service ?
Thanks in advance
Doug