Windows IIS 6.0 client certificate mapping

Posted on 2007-07-24
Last Modified: 2012-05-05
I am trying to set up client certificate one-to-one mapping for my website on a Windows 2003 SP2 server running IIS 6.0 (all patched up).
Here is my issue: my setup allows any client certificate and will not respect the client mappings (1 to 1 or many to 1).
IIS 6.0 setup (everything is working fine, except for the enforcement of the custom mappings)
1) Integrated authentication
2) Required Client certificates
3) Added a one to one mapping to a domain user account
4) Verified that the "Web Sites/Directory Security" property "Enable the Windows directory service mapper" is not set.
5) Web site has a working certificate
6) I use windows CA internally to issue/request certificates
7) Verified the metabase settings AccessSSLMapCert = 488
8) Restarted IIS, tried rebooting the server, closed the IE 7.0 browser and flushed caches

What is the secret?
    LVL 4

    Expert Comment

    Are you using a standalone or enterprise CA?

    Does the server have a web server certificate?
    LVL 4

    Expert Comment

    This sounds like there might be a permissions problem.  Enforcing client certificate authentication just tells the web server that it shouldn't try to authenticate any requests from anonymous users or those presenting ID/password.

    AFAIK, it does nothing about whether the server will allow access to anyone presenting a client certificate.  For that, you should check the ACLs (i.e. filesystem permissions, not the permissions in the web site configuration) on both the folder and the files to which the IIS web site is providing access.  Does the ACL allow Read (or Read/Execute) for any user or group on the server (e.g. Everyone, Authenticated Users)?

    You likely are trying to restrict access to a subset of the Active Directory users, in which case I would remove the permissions for Everyone/Authenticated Users/Users and set filesystem permissions such that only the local and domain users & groups that you *want* to access the site would be able to access the site.

    e.g. If you want to allow access only for a specific set of AD users, then create a domain group containing those users (to whom the certs are mapped) and either (a) assign permissions to that domain group directly, or (b) put that domain group in a local group on the server (e.g. "WEBSITE_X Users") and assign the permissions instead to the local group.  [You could also add the domain group to the local Users group, and leave the permissions for the Users group, but that'd probably leave a door open for unexpected access that you wouldn't want.]

    Don't forget to allow Full Control (or Change) access to Administrators and SYSTEM, and if you haven't already, make sure your IUSR and/or IWAM users have the necessary permissions (there're KB articles all over to help narrow that down).

    If all this permissions verification doesn't pan out, then I'd check the Application and Security event logs for any obvious clues.  Finally, I'd suggest adding Auditing settings to the folder/files to which all certs are getting access, enable Object Access auditing and check the Security event logs again - that'll probably give you clues as to which user account is getting access to the folder/files via IIS, which should help uncover the unexpected cert authentication issue.
    LVL 1

    Author Comment

    The problem I am having isn't related to permissions.  The issue is the fact that IIS 6.0 allows connection with any client certificate versus the certificate that I mapped to the AD user logging into the server.  The custom client certificate one-to-one mappings on the client certificate are not working.
    LVL 1

    Author Comment

    The setup includes an Enterprise CA and yes, both the server and web site have valid, functioning certificates with a trust established for the CA of the clients' certificates.
    LVL 4

    Expert Comment

    OK, then I don't understand what you mean by "allows connection with any client certificate versus the certificate that I mapped to the AD user logging into the server".

    Do you mean that:
    - the browser just doesn't receive a 401: Access denied error when another cert is submitted to authenticate to the page you're testing, but that the user never sees the page's content?
    - the user sees the page's content (i.e. as if the server had actually authorized the client using the "not authorized" cert)?

    BTW, you mention "...the AD user logging into the server".  Are you testing this by logging into the console of the server where IIS is hosted?  Have you tried this from a separate Windows computer?

    And one other thing to confirm:
    - is "Windows Integrated Authentication" still enabled on the site?
    - If so, how can you be sure that the IIS server isn't just authorizing you with your Windows logon?
    - Are you actually seeing the "please select a certificate" prompt in the browser when you try to access the page you're testing?

    To confirm whether you're inadvertently authenticating automatically with the Windows ID & password, I would go into the settings for IE and block automatic Windows authentication for that site:
    - go to Tools > Internet Options > Security
    - click the Restricted Sites zone icon, ensure that it is still configured for "High" security level, and then click the Sites button
    - add the URL to which you're browsing to the list of Web sites for this zone, and click OK, OK.
    - Then close the browser and re-launch.  If the site is still accepting ID/password ("integrated") authentication, you'll get a user/password prompt.  [I'd assume this is disabled, but it's worth asking about every possibility just in case...]

    Cheers, Mike
    LVL 1

    Author Comment

    Response to poseidoncanuck,
    I don't get any browser 40x.x errors.
    The system client certificate is from a trusted source; the web server asks me to select the proper personal certificate to pass, then asks me to log in to AD and then the server allows access to the files.  I have Windows integrated authentication, 128SSL, client cert required and a mapping set up/selected.
    I use a domain user PC to perform the testing, not the web server itself.
    If I elect not to pass a client certificate, the web site refuses my access (expected result).
    I will try the IE test, but my plan is to have the WEB server enforce client mapped one to one certificates.  I plan to use all forms of security together on this site, server SSL, client certificates, windows integrated authentication and domain/user group based file security.  Currently all is working with the exception of the client certificate mapping.
    LVL 4

    Accepted Solution

    Well, you'll probably be able to get it all working side-by-side, but let's try one authentication method at a time to isolate the issue.

    [My suspicion, based on what you describe, is that the client cert authN is failing, but then it falls back to Integrated Windows authN, which succeeds.  It *appears* that it's letting any cert through, when in fact it may just be failing the cert but using another authN method.]

    To confirm/deny my suspicion, disable the Windows Integrated authN, restart the web site, and fire up a fresh browser.  If you can *still* access the protected web pages using the invalid client cert, *then* you've got a real mystery on your hands, and I'll be very interested to see where it goes...

    Cheers, Mike
    LVL 1

    Author Comment

    Thanks Mike.  I discovered that you can't use both authentication methods, i.e. Windows and the client cert, at the same time; the Windows authentication wins.  Thanks for your help.  I will use a high-security passworded certificate from an off-the-grid CA, create a special domain user to log in with and apply tight file share domain permissions on the location.

    Thanks again.
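An added example, not code from the original thread, that ties the questioner's metabase value (item 7 of the setup list) to the check Mike proposes in the accepted solution. In the IIS 6.0 metabase the value 488 is the AccessSSLFlags bitmask AccessSSL (8) + AccessSSLNegotiateCert (32) + AccessSSLRequireCert (64) + AccessSSLMapCert (128) + AccessSSL128 (256), which matches the "128SSL, client cert required and a mapping" configuration described above. The script decodes AccessSSLFlags and AuthFlags and reports whether another authentication method (AuthNTLM for Integrated Windows authentication, AuthBasic, AuthMD5, AuthPassport, or AuthAnonymous) is still enabled beside certificate mapping; the "fallback" finding encodes the thread's own conclusion that Windows authentication wins over the cert mapping, not an independent claim about IIS internals. The sample settings at the bottom are constructed.

```python
"""Decode IIS 6.0 metabase AccessSSLFlags / AuthFlags and report settings
that let a client bypass one-to-one certificate mapping.

Added example for this thread; not code from the original page. Bit values
are the documented IIS 6.0 metabase constants. Sample inputs are constructed.
"""

# AccessSSLFlags bit values (IIS 6.0 metabase). 8+32+64+128+256 == 488.
ACCESS_SSL_FLAGS = {
    "AccessSSL": 8,               # require SSL
    "AccessSSLNegotiateCert": 32, # accept a client certificate
    "AccessSSLRequireCert": 64,   # refuse clients without a certificate
    "AccessSSLMapCert": 128,      # consult 1:1 / many:1 mappings
    "AccessSSL128": 256,          # require 128-bit encryption
}

# AuthFlags bit values (IIS 6.0 metabase).
AUTH_FLAGS = {
    "AuthAnonymous": 1,
    "AuthBasic": 2,
    "AuthNTLM": 4,      # Integrated Windows authentication
    "AuthMD5": 16,      # Digest authentication
    "AuthPassport": 64,
}


def decode_flags(value, table):
    """Return the sorted list of flag names whose bits are set in value."""
    return sorted(name for name, bit in table.items() if value & bit)


def encode_flags(names, table):
    """Build a metabase bitmask from flag names (raises on unknown names)."""
    value = 0
    for name in names:
        value |= table[name]
    return value


def diagnose(access_ssl_flags, auth_flags):
    """Return findings, each prefixed with a short code, describing how a
    client whose certificate matches no mapping could still be authorised."""
    ssl = set(decode_flags(access_ssl_flags, ACCESS_SSL_FLAGS))
    auth = set(decode_flags(auth_flags, AUTH_FLAGS))
    findings = []

    if "AccessSSLMapCert" not in ssl:
        findings.append("MAPPING_OFF: AccessSSLMapCert is not set, so the "
                        "one-to-one/many-to-one mappings are never consulted")
        return findings

    if "AccessSSLRequireCert" not in ssl:
        findings.append("CERT_NOT_REQUIRED: AccessSSLRequireCert is not set; "
                        "a client may simply omit its certificate")

    # Encodes the thread's conclusion: with another method enabled, a client
    # that fails cert mapping can still be authorised by that method, which
    # makes it look as if any certificate is accepted.
    for name in sorted(auth):
        if name == "AuthAnonymous":
            findings.append("FALLBACK:AuthAnonymous: anonymous access is "
                            "enabled; no mapping is needed to reach content")
        else:
            findings.append(f"FALLBACK:{name}: {name} is enabled alongside "
                            "certificate mapping; a client that fails the "
                            "mapping can authenticate this way instead")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the questioner's setup: AccessSSLFlags 488
    # with Integrated Windows authentication (AuthNTLM) still enabled.
    sample = {"AccessSSLFlags": 488, "AuthFlags": 4}
    print("AccessSSLFlags:", decode_flags(sample["AccessSSLFlags"], ACCESS_SSL_FLAGS))
    print("AuthFlags:     ", decode_flags(sample["AuthFlags"], AUTH_FLAGS))
    for finding in diagnose(sample["AccessSSLFlags"], sample["AuthFlags"]):
        print("-", finding)
```

On the server itself the two inputs can be read from the metabase with the stock adsutil.vbs script in Inetpub\AdminScripts (for example `cscript adsutil.vbs get W3SVC/1/ROOT/AccessSSLFlags`, with the site and path adjusted to yours); an empty findings list for AccessSSLFlags 488 and AuthFlags 0 corresponds to the isolated configuration Mike asks for, where only the certificate mapping can authorise the client.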
