

Windows IIS 6.0 client certificate mapping

Posted on 2007-07-24
Medium Priority
Last Modified: 2012-05-05
I am trying to set up client certificate one-to-one mapping for my website on a Windows 2003 SP2 server running IIS 6.0 (all patched up).
Here is my issue: my setup allows any client certificate and will not respect the client mappings (one-to-one or many-to-one).
IIS 6.0 setup (everything is working fine, but the enforcement of the custom mappings):
1) Integrated authentication
2) Require client certificates
3) Added a one-to-one mapping to a domain user account
4) Verified that the "Web Sites/Directory Security" property "Enable the Windows directory service mapper" is not set.
5) Web site has a working certificate
6) I use a Windows CA internally to issue/request certificates
7) Verified the metabase setting AccessSSLMapCert = 488
8) Restarted IIS, tried rebooting the server, and closed the IE 7.0 browser/flushed caches

What is the secret?

Expert Comment

ID: 19562576
Are you using a standalone or enterprise CA?

Does the server have a web server certificate?

Expert Comment

ID: 19567916
This sounds like there might be a permissions problem.  Enforcing client certificate authentication just tells the web server that it shouldn't try to authenticate any requests from anonymous users or those presenting ID/password.

AFAIK, it does nothing about whether the server will allow access to anyone presenting a client certificate.  For that, you should check the ACLs (i.e. filesystem permissions, not the permissions in the web site configuration) on both the folder and the files to which the IIS web site is providing access.  Does the ACL allow Read (or Read/Execute) for any user or group on the server (e.g. Everyone, Authenticated Users)?

You likely are trying to restrict access to a subset of the Active Directory users, in which case I would remove the permissions for Everyone/Authenticated Users/Users and set filesystem permissions such that only the local and domain users & groups that you *want* to access the site would be able to access the site.

e.g. If you want to allow access only for a specific set of AD users, then create a domain group containing those users (to whom the certs are mapped) and either (a) assign permissions to that domain group directly, or (b) put that domain group in a local group on the server (e.g. "WEBSITE_X Users") and assign the permissions instead to the local group.  [You could also add the domain group to the local Users group, and leave the permissions for the Users group, but that'd probably leave a door open for unexpected access that you wouldn't want.]

Don't forget to allow Full Control (or Change) access to Administrators and SYSTEM, and if you haven't already, make sure your IUSR and/or IWAM users have the necessary permissions (there're KB articles all over support.microsoft.com to help narrow that down).

If all this permissions verification doesn't pan out, then I'd check the Application and Security event logs for any obvious clues.  Finally, I'd suggest adding Auditing settings to the folder/files to which all certs are getting access, enable Object Access auditing and check the Security event logs again - that'll probably give you clues as to which user account is getting access to the folder/files via IIS, which should help uncover the unexpected cert authentication issue.

Author Comment

ID: 19568197
The problem I am having isn't related to permissions.  The issue is the fact that IIS 6.0 allows a connection with any client certificate versus the certificate that I mapped to the AD user logging into the server.  The custom client certificate one-to-one mappings on the client certificate are not working.

Author Comment

ID: 19568224
The setup includes an Enterprise CA and yes, both the server and web site have valid, functioning certificates with a trust established for the CA of the clients' certificates.

Expert Comment

ID: 19568333
OK, then I don't understand what you mean by "allows a connection with any client certificate versus the certificate that I mapped to the AD user logging into the server".

Do you mean that:
- the browser just doesn't receive a 401: Access denied error when another cert is submitted to authenticate to the page you're testing, but that the user never sees the page's content?
- the user sees the page's content (i.e. as if the server had actually authorized the client using the "not authorized" cert)?

BTW, you mention "...the AD user logging into the server".  Are you testing this by logging into the console of the server where IIS is hosted?  Have you tried this from a separate Windows computer?

And one other thing to confirm:
- is "Windows Integrated Authentication" still enabled on the site?
- If so, how can you be sure that the IIS server isn't just authorizing you with your Windows logon?
- Are you actually seeing the "please select a certificate" prompt in the browser when you try to access the page you're testing?

To confirm whether you're inadvertently authenticating automatically with the Windows ID & password, I would go into the settings for IE and block automatic Windows authentication for that site:
- go to Tools > Internet Options > Security
- click the Restricted Sites zone icon, ensure that it is still configured for "High" security level, and then click the Sites button
- add the URL to which you're browsing to the list of Web sites for this zone, and click OK, OK.
- Then close the browser and re-launch.  If the site is still accepting ID/password ("integrated") authentication, you'll get a user/password prompt.  [I'd assume this is disabled, but it's worth asking about every possibility just in case...]

Cheers, Mike
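Mike's Restricted Sites step, scripted as an added PowerShell example (this is not code from the thread or from Microsoft; the hostname is a constructed placeholder). It writes the per-user IE ZoneMap registry entry that assigns the test site's host to zone 4 (Restricted sites), which is what the Tools > Internet Options > Security dialog does; the domain/subdomain key layout below is how IE stores hostnames with more than two labels and is stated here as an assumption to verify against your own registry:

```powershell
# Added example: assign https://<host> to IE's "Restricted sites" zone for the
# current user so IE will not answer a Windows-auth challenge automatically.
# Assumption: ZoneMap\Domains\<domain>\<subdomain> layout; hostname is a placeholder.
param([string]$HostName = "intranet.example.local")

$zoneMapRoot = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
$labels = $HostName.Split('.')
if ($labels.Count -le 2) {
    # "intranet" or "example.local": a single key directly under Domains
    $key = Join-Path $zoneMapRoot $HostName
} else {
    # "intranet.example.local" -> Domains\example.local\intranet
    $domain = ($labels[-2], $labels[-1]) -join '.'
    $sub    = ($labels[0..($labels.Count - 3)]) -join '.'
    $key    = Join-Path (Join-Path $zoneMapRoot $domain) $sub
}

if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
# One DWORD per URL scheme; 4 = Restricted sites (1 = Intranet, 2 = Trusted, 3 = Internet)
New-ItemProperty -Path $key -Name "https" -Value 4 -PropertyType DWord -Force | Out-Null
"https://$HostName is now in the Restricted sites zone; close every IE window and retest."
```

After running it, a site that still accepts ID/password ("integrated") authentication produces a credential prompt instead of logging you in silently, which is exactly the signal Mike is looking for. Remove the key (or reset the zone in the dialog) when the test is done.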

Author Comment

ID: 19568787
Response to poseidoncanuck,
I don't get any browser 40x.x errors.
The system client certificate is from a trusted source; the web server asks me to select the proper personal certificate to pass, then asks me to log in to AD, and then the server allows access to the files.  I have Windows integrated authentication, 128-bit SSL, client cert required and a mapping set up/selected.
I use a domain user PC to perform the testing, not the web server itself.
If I elect not to pass a client certificate, the web site refuses my access (expected result).
I will try the IE test, but my plan is to have the WEB server enforce client mapped one to one certificates.  I plan to use all forms of security together on this site, server SSL, client certificates, windows integrated authentication and domain/user group based file security.  Currently all is working with the exception of the client certificate mapping.

Accepted Solution

poseidoncanuck earned 2000 total points
ID: 19570922
Well, you'll probably be able to get it all working side-by-side, but let's try one authentication method at a time to isolate the issue.

[My suspicion, based on what you describe, is that the client cert authN is failing, but then it falls back to Integrated Windows authN, which succeeds.  It *appears* that it's letting any cert through, when in fact it may just be failing the cert but using another authN method.]

To confirm/deny my suspicion, disable the Windows Integrated authN, restart the web site, and fire up a fresh browser.  If you can *still* access the protected web pages using the invalid client cert, *then* you've got a real mystery on your hands, and I'll be very interested to see where it goes...

Cheers, Mike
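Mike's isolation test, as an added PowerShell example that is not part of the thread: it reads the site's AccessSSLFlags and AuthFlags metabase properties through the IIS ADSI provider, decodes the bits (the 488 in the question is 8 + 32 + 64 + 128 + 256, i.e. SSL, negotiate cert, require cert, map cert and 128-bit), and warns when certificate mapping and Integrated Windows authentication are both enabled, since that is the combination in which a failed certificate mapping can be masked by an NTLM/Kerberos logon. The metabase path (site id 1 = Default Web Site) is an assumption; the optional -DisableIntegratedAuth switch clears only the AuthNTLM bit so the cert path can be tested on its own:

```powershell
# Added example: decode IIS 6.0 metabase auth flags and flag the Windows-auth
# fallback condition. Assumes the IIS ADSI provider on the IIS 6.0 host and
# that W3SVC/1 is the site under test (check with "iisweb /query").
param(
    [string]$SitePath = "IIS://localhost/W3SVC/1/Root",
    [switch]$DisableIntegratedAuth
)

# Bit values of the AccessSSLFlags and AuthFlags metabase properties
$sslBits  = @{ AccessSSL = 8; AccessSSLNegotiateCert = 32; AccessSSLRequireCert = 64
               AccessSSLMapCert = 128; AccessSSL128 = 256 }
$authBits = @{ AuthAnonymous = 1; AuthBasic = 2; AuthNTLM = 4; AuthMD5 = 16; AuthPassport = 64 }

function Decode-Flags([int]$Value, [hashtable]$Bits) {
    # Names of every bit that is set in $Value
    $Bits.Keys | Where-Object { ($Value -band $Bits[$_]) -ne 0 } | Sort-Object
}

$node = [ADSI]$SitePath
$ssl  = [int]$node.Get("AccessSSLFlags")   # 488 in the question: all five SSL bits set
$auth = [int]$node.Get("AuthFlags")

"AccessSSLFlags = $ssl : $((Decode-Flags $ssl $sslBits) -join ', ')"
"AuthFlags      = $auth : $((Decode-Flags $auth $authBits) -join ', ')"

$requireCert = ($ssl  -band $sslBits.AccessSSLRequireCert) -ne 0
$mapCert     = ($ssl  -band $sslBits.AccessSSLMapCert)     -ne 0
$ntlm        = ($auth -band $authBits.AuthNTLM)            -ne 0

if ($requireCert -and $mapCert -and $ntlm) {
    Write-Warning ("Client cert mapping and Integrated Windows auth are both on: " +
                   "a certificate that fails the mapping can still be admitted by the Windows logon.")
    if ($DisableIntegratedAuth) {
        # Clear only the AuthNTLM bit; leave the other AuthFlags bits as they were
        $node.Put("AuthFlags", ($auth -band (-bnot $authBits.AuthNTLM)))
        $node.SetInfo()
        "AuthNTLM cleared on $SitePath. Restart the site, open a fresh browser, and retest with the unmapped certificate."
    }
} elseif ($requireCert -and $mapCert) {
    "Certificate mapping is the only authentication path; an unmapped certificate should now be refused."
}
```

Run it once to see the decoded flags, then with -DisableIntegratedAuth to perform Mike's test: if the unmapped certificate is still admitted after that, the mapping itself is at fault rather than the fallback.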

Author Comment

ID: 19571685
Thanks Mike.  I discovered that you can't use both authentication methods, i.e. Windows and the client cert, at the same time; the Windows authentication wins.  Thanks for your help.  I will use a high-security, password-protected certificate from an off-the-grid CA, create a special domain user to log in with, and apply tight file share domain permissions on the location.

Thanks again.
