Windows IIS 6.0 client certificate mapping

I am trying to set up client certificate one-to-one mapping for my website on a Windows 2003 SP2 server running IIS 6.0 (all patched up).
Here is my issue: my setup allows any client certificate and will not respect the client mappings (1 to 1 or many to 1).
IIS 6.0 setup (everything is working fine, except the enforcement of the custom mappings):
1) Integrated authentication
2) Required client certificates
3) Added a one-to-one mapping to a domain user account
4) Verified that the "Web Sites/Directory Security" property "Enable the Windows directory service mapper" is not set.
5) Web site has a working certificate
6) I use a Windows CA internally to issue/request certificates
7) Verified the metabase setting AccessSSLMapCert = 488
8) Restarted IIS, tried rebooting the server, and closed the IE 7.0 browser/flushed caches

What is the secret?
1 Solution
Are you using a standalone or enterprise CA?

Does the server have a web server certificate?
This sounds like there might be a permissions problem. Enforcing client certificate authentication just tells the web server that it shouldn't try to authenticate any requests from anonymous users or those presenting ID/password.

AFAIK, it does nothing about whether the server will allow access to anyone presenting a client certificate.  For that, you should check the ACLs (i.e. filesystem permissions, not the permissions in the web site configuration) on both the folder and the files to which the IIS web site is providing access.  Does the ACL allow Read (or Read/Execute) for any user or group on the server (e.g. Everyone, Authenticated Users)?

You likely are trying to restrict access to a subset of the Active Directory users, in which case I would remove the permissions for Everyone/Authenticated Users/Users and set filesystem permissions such that only the local and domain users & groups that you *want* to access the site would be able to access the site.

e.g. If you want to allow access only for a specific set of AD users, then create a domain group containing those users (to whom the certs are mapped) and either (a) assign permissions to that domain group directly, or (b) put that domain group in a local group on the server (e.g. "WEBSITE_X Users") and assign the permissions instead to the local group. [You could also add the domain group to the local Users group, and leave the permissions for the Users group, but that'd probably leave a door open for unexpected access that you wouldn't want.]

Don't forget to allow Full Control (or Change) access to Administrators and SYSTEM, and if you haven't already, make sure your IUSR and/or IWAM users have the necessary permissions (there're KB articles all over support.microsoft.com to help narrow that down).

If all this permissions verification doesn't pan out, then I'd check the Application and Security event logs for any obvious clues. Finally, I'd suggest adding Auditing settings to the folder/files to which all certs are getting access, enable Object Access auditing and check Security event logs again - that'll probably give you clues as to which user account is getting access to the folder/files via IIS, which should help uncover the unexpected cert authentication issue.
SALMONKILLER1 (Author) commented:
The problem I am having isn't related to permissions. The issue is the fact that IIS 6.0 allows a connection with any client certificate versus the certificate that I mapped to the AD user logging into the server. The custom client certificate one-to-one mappings on the client certificate are not working.
SALMONKILLER1 (Author) commented:
The setup includes an Enterprise CA and yes, both the server and web site have valid functioning certificates with a trust established for the CA of the clients' certificates.
OK, then I don't understand what you mean by "allows connection with any client certificate verse the certificate that I mapped to the AD user logging into the server".

Do you mean that:
- the browser just doesn't receive a 401: Access denied error when another cert is submitted to authenticate to the page you're testing, but that the user never sees the page's content?
- the user sees the page's content (i.e. as if the server had actually authorized the client using the "not authorized" cert)?

BTW, you mention "...the AD user logging into the server".  Are you testing this by logging into the console of the server where IIS is hosted?  Have you tried this from a separate Windows computer?

And one other thing to confirm:
- is "Windows Integrated Authentication" still enabled on the site?
- If so, how can you be sure that the IIS server isn't just authorizing you with your Windows logon?
- Are you actually seeing the "please select a certificate" prompt in the browser when you try to access the page you're testing?

To confirm whether you're inadvertently authenticating automatically with the Windows ID & password, I would go into the settings for IE and block automatic Windows authentication for that site:
- go to Tools > Internet Options > Security
- click the Restricted Sites zone icon, ensure that it is still configured for "High" security level, and then click the Sites button
- add the URL to which you're browsing to the list of Web sites for this zone, and click OK, OK.
- Then close the browser and re-launch.  If the site is still accepting ID/password ("integrated") authentication, you'll get a user/password prompt.  [I'd assume this is disabled, but it's worth asking about every possibility just in case...]

Cheers, Mike
SALMONKILLER1 (Author) commented:
Response to poseidoncanuck,
I don't get any browser 40x.x errors.
The system client certificate is from a trusted source; the web server asks me to select the proper personal certificate to pass, then asks me to log in to AD, and then the server allows access to the files. I have Windows integrated authentication, 128-bit SSL, client cert required, and a mapping set up/selected.
I use a domain user PC to perform the testing, not the web server itself.
If I elect not to pass a client certificate, the web site refuses my access (expected result)
I will try the IE test, but my plan is to have the WEB server enforce client mapped one to one certificates.  I plan to use all forms of security together on this site, server SSL, client certificates, windows integrated authentication and domain/user group based file security.  Currently all is working with the exception of the client certificate mapping.
Well, you'll probably be able to get it all working side-by-side, but let's try one authentication method at a time to isolate the issue.

[My suspicion, based on what you describe, is that the client cert authN is failing, but then it falls back to Integrated Windows authN, which succeeds.  It *appears* that it's letting any cert through, when in fact it may just be failing the cert but using another authN method.]

To confirm/deny my suspicion, disable the Windows Integrated authN, restart the web site, and fire up a fresh browser.  If you can *still* access the protected web pages using the invalid client cert, *then* you've got a real mystery on your hands, and I'll be very interested to see where it goes...

Cheers, Mike
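As an added illustration (not part of the original thread), the helper below decodes the two IIS 6.0 metabase bitmasks at issue here: AccessSSLFlags (the asker's value of 488) and AuthFlags, which records which authentication methods are enabled on the site. It then reports the combination Mike suspects, certificate mapping enabled alongside Integrated Windows authentication, so that a failed mapping can be masked by a Windows logon. The bit values are the documented IIS 6.0 metabase constants; reading the live values from the metabase (e.g. with adsutil.vbs) is assumed to happen outside this script.

```python
# Decode IIS 6.0 metabase AccessSSLFlags / AuthFlags and report the
# "mapping enabled but another authN method can take over" condition
# discussed in this thread. Bit values are the IIS 6.0 metabase constants.
ACCESS_SSL_FLAGS = {
    "AccessSSL": 8,               # require SSL
    "AccessSSLNegotiateCert": 32, # ask the client for a certificate
    "AccessSSLRequireCert": 64,   # refuse clients without a certificate
    "AccessSSLMapCert": 128,      # map certificates to Windows accounts
    "AccessSSL128": 256,          # require 128-bit encryption
}
AUTH_FLAGS = {
    "AuthAnonymous": 1,
    "AuthBasic": 2,
    "AuthNTLM": 4,                # Integrated Windows authentication
    "AuthMD5": 16,                # Digest authentication
    "AuthPassport": 64,
}


def decode(value, table):
    """Return the sorted flag names set in a metabase bitmask value."""
    return sorted(name for name, bit in table.items() if value & bit)


def review(access_ssl_flags, auth_flags):
    """Return a list of findings for one site's AccessSSLFlags/AuthFlags."""
    ssl = set(decode(access_ssl_flags, ACCESS_SSL_FLAGS))
    auth = set(decode(auth_flags, AUTH_FLAGS))
    findings = []
    if "AccessSSLRequireCert" not in ssl:
        findings.append("client certificates are not required")
    if "AccessSSLMapCert" not in ssl:
        findings.append("certificate mapping is not enabled")
    if "AuthAnonymous" in auth:
        findings.append("anonymous access is enabled; mapping is never "
                        "needed to reach the content")
    # The case observed in this thread: mapping is on, but a Windows
    # logon can still authenticate the request regardless of mapping.
    if ssl >= {"AccessSSLRequireCert", "AccessSSLMapCert"} and \
            auth & {"AuthNTLM", "AuthBasic", "AuthMD5", "AuthPassport"}:
        findings.append("another authentication method is enabled; a "
                        "Windows logon can authenticate the request even "
                        "when the certificate mapping does not match")
    return findings


if __name__ == "__main__":
    print(decode(488, ACCESS_SSL_FLAGS))   # the asker's value
    print(review(488, AUTH_FLAGS["AuthNTLM"]))
    print(review(488, 0))                  # certificate mapping only
```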
SALMONKILLER1 (Author) commented:
Thanks Mike. I discovered that you can't use both authentication methods, i.e. Windows and the client cert, at the same time; the Windows authentication wins. Thanks for your help. I will use a high-security passworded certificate from an off-the-grid CA, create a special domain user to log in with, and apply tight file share domain permissions on the location.

Thanks again.