
Help me come to grips with SSL and WebDAV on IIS 8

I could use some help finding how-tos and walkthroughs for generating and installing self-signed SSL server certificates, managing SSL client certificates, and setting up external WebDAV over SSL access on Windows Server 2012 + IIS 8 to a large existing Windows Server 2003 file server currently reachable only via the LAN, keeping existing user access rules.

I have:

  • A hole in the corporate firewall allowing me to accept incoming connections on ports 80 and 443
  • One approved domain name for external web access
  • An onsite Windows Server 2003 domain controller also configured as a Windows file server, relying heavily on NTFS permissions for access control
  • An onsite Windows Server 2012 box with IIS 8 installed, not joined to the Windows Server 2003's domain, currently running a 3rd party web app that uses plain text logins; app currently appears at http://our.domain.address/appfolder from outside so it's all kinds of insecure
  • Virtually no IIS administration experience
  • A theoretical understanding of but no practical experience at all with SSL certs
  • Easily enough scripting expertise to glue all my requirements together
  • Plenty of time

I want to be able to:

  • Restrict access to the 3rd party web app to SSL only, with client cert required. Users should still authenticate against the web app with existing usernames and passwords, so no client cert mapping; client cert's purpose is to authenticate the user's machine, not the user.
  • Make the two main shares on our file server externally available via https://our.domain.address/webdav
  • Give each of my users a USB memory stick containing
      - a self-signed SSL server cert for our IIS 8 box
      - a unique-per-stick SSL client cert that our IIS 8 box will require on connection
      - a one-click script they can use to install both certs into IE, Firefox and Chrome
      - a script to prompt for a username and password, then map two WebDAV URLs to Windows drive letters.
    Again, I want IIS to map neither the client cert nor the client's current Windows credentials to Windows server logon credentials; I want my remote users to have to type the same username and password they'd use for Windows logon to an onsite domain-joined workstation, and have IIS pass those credentials along to the file server.
  • Generate a client cert for each such USB stick by entering an arbitrary ID into a one-dialog script on the IIS 8 box
  • Revoke any such client cert by entering the ID used to issue it into another one-dialog script on the IIS 8 box

Could some kind soul either direct me to walkthroughs for

  • Creating a self-signed SSL server cert and configuring IIS 8 for SSL-only operation using that
  • Scripting the creation of SSL client certs
  • Configuring IIS 8 to require client certs for SSL connections (in PowerShell, JScript, VBS, cmd or any mixture) without cert->userid mapping
  • Scripting revocation/cancellation/deregistration of SSL client certs on IIS 8
  • Setting up WebDAV on IIS 8 with plain text auth over SSL, and passing that auth along to a LAN-accessible but otherwise unrelated file server
  • Scripting installation of one self-signed server cert and one client cert into IE/Winhttp, Gecko-based browsers, and Webkit-based browsers

or tell me I'm going about this in a boneheaded way because there's something nifty already built into Windows that will do everything I want with two clicks and why don't I just use that? Thanks, all.

  • Answer:

    I can't address all of it, but when looking into client certs for my own app (still not finished) I found this guide: http://manmoahn-openssl-net.blogspot.com/2011/07/creating-serverclient-certificate-pair.html The process is definitely something you could run from a script.

flabdablet at Ask.Metafilter.Com


Other answers

I'm not entirely sure I follow what your ultimate goal is, here. But from what you've described wanting to do it sounds like all sorts of convoluted bad idea. It's certainly possible to map AD user accounts to certificates (2008+ does this quite well) but the non-domain iis/proxy thing you're trying to do is likely to get in the way fairly significantly. You may find it's a lot easier, simpler, and quicker to set up a VPN and have your users connect to that and then map their drives normally. This is a quicker, simpler, easier, built-in option.

coriolisdave

"It's certainly possible to map AD user accounts to certificates"

Just to clarify, that's exactly what I want not to happen. I want my users to need to type their customary usernames and passwords with their customary fingers, but only be given the opportunity to do that if in possession of a valid SSL client cert. My ultimate goal is to be able to give any of our not at all technically savvy primary school teachers a USB stick and instructions saying "take this home, plug it in, click Connect, and you get the same O: and P: drives as you do at work, and the usual desktop shortcuts pointing to your usual folders on those." I also want to lock down our currently hopelessly insecure web app enough that the idea of putting a link to it on the school web page doesn't make me feel ill.

I have considered doing the file server part with OpenVPN. There is already a process in place upstream for providing remote access to the school's existing VPN, but it's ridiculously bureaucratic because it allows access to far more things than I want to open up, Windows-only on the client side, and honestly would need far more of my time to administer and train staff for than a more restricted solution I set up locally and admin myself. WebDAV is an attractive option because I already have an externally-accessible server box in place that can do it, and it will also come in useful for file server access on the iPads that have recently started to worm their way into the curriculum.

Our internal staff passwords are sufficiently kid-resistant, but far too squishy-soft for general protection against a hostile Internet. That's why I want to lock external access to our web server down to machines controlled by people I've physically handed a USB stick to, and why I want to be able to revoke those sticks individually and easily.
I don't want my client certs automatically mapping to user IDs because most of our teachers are going to be using home machines that don't have separate Windows accounts set up on them, and I want at least some minimal technical measure in place against entire families being given instant no-effort access to staff-only school resources.

flabdablet

By the way, I had remote file access working beautifully a few years back, using SMB/CIFS over ssh port forwarding, but that really only worked well for our Mac and Linux clients; Windows service packs kept breaking it. WebDAV for remote file access is well supported on all the client platforms I care about with virtually zero setup, so if I can just get the SSL stuff under control and learn how to admin an IIS 8 WebDAV server, I'm golden.

flabdablet

Pretty sure you can require an AD client cert AND user/pass - reason I'm recommending this route is the revocation is easy and can be done by a helpdesk guy disabling their AD account. Also doesn't require the client PC to be a domain member - you'd have to physically give them their certificate, and the cert chain.

coriolisdave

"It's certainly possible to map AD user accounts to certificates. Just to clarify, that's exactly what I want not to happen. I want my users to need to type their customary usernames and passwords with their customary fingers, but only be given the opportunity to do that if in possession of a valid SSL client cert."

I think this *is* what you want to do.

A) You control cert issuance, which ought to be User:Cert :: 1:1
B) You control AD accounts
C) If you do (A) and (B) right, AD:Cert :: 1:1
D) You control the Certificate Revocation List, for bad Users

I suppose you *could* layer ASPNet forms authentication over that. That said, VPN is the absolutely right answer, and you can do VPN over SSL w/ a cert.

j_curiouser

Just for further clarification, I am the "help desk guy" as well as the domain admin, and I want to be able to revoke a remote access client cert without also disabling on-campus AD login. Also, the most common thing that will end up happening to my client certs is that they get installed on a home PC shared by the teacher's whole family, and this is not something I'm willing to treat as "bad behaviour" as long as they don't also tell their own kids their staff username and password. Would appreciate being given the benefit of an assumption that I have in fact carefully considered the balance between technical feasibility, user aptitude and organizational politics. I understand completely that a VPN would easily allow for a wider range of remote capabilities than the proposed SMB/CIFS to WebDAV proxy, but please believe me that it's not going to happen that way, mostly for political and user aptitude reasons. Also not interested in solutions that ultimately involve http://sites.inka.de/~bigred/devel/tcp-tcp.html: been there, done that, didn't work well. Will now stop threadsitting except to respond to specific requests for clarification.

flabdablet

"I want to be able to revoke a remote access client cert without also disabling on-campus AD login."

No prob - you use IIS Certificate mapping, not AD Certificate Mapping. Here's an article: http://technet.microsoft.com/en-us/library/bb742438.aspx.

j_curiouser

yep - just noticed that's an old article - sorry. concepts are exactly the same, but google around for the IIS 7 one for the mechanics.

j_curiouser
