Solved

Client certificate for site in iis SSL

Posted on 2013-11-18
Last Modified: 2013-11-24
Hi,
I am building a web site (Windows 2008 R2, IIS 7.5, not in Active Directory [DMZ]) and I would like to allow only a client with a specific certificate to browse my site. So I chose two-way SSL. I created a server certificate which works great.
Then I created a new certificate for the client (which is trusted by the client and by the server) and changed the SSL setting to Require a client certificate. It allowed me to browse the site with any client certificate.
So I went to IIS and configured the
system.webServer/security/authentication/iisClientCertificateMappingAuthentication

as explained in:
http://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx

but then I tried from a different machine with a different certificate and it still worked! It seems that NO MATTER which client certificate I use from a client machine, as long as it is trusted by the server, it is accepted by the server,
even when I DON'T use the certificate which was defined in the one-to-one mapping.

What am I missing here? If any certificate is acceptable, why does the one-to-one mapping request the public key of the certificate?

Question by: mashuf1976

Expert Comment by: arnold (ID: 39658467)
The mapping deals with mapping the client certificate to a USER which reflects as an authenticated user in the log for simpler auditing.

The require client certificate means any will do as long as anonymous access is permitted.

Mapping the certificate to a user and eliminating anonymous access will mean only a client certificate that is mapped to a user will be accepted as valid for the connection.
 
Accepted Solution by: btan (earned 500 total points, ID: 39658525)
The server can be configured to do a mapping of the certificate to a user account. This can be either a one-to-one mapping, where the specific certificate is mapped to a single user account, or a many-to-one mapping, where the server uses certain fields in the certificate information to map any matching certificate to a designated user account. When a mapping is used, the certificate allows the user to be granted or denied access to resources as a particular user. When using client certificates in this manner, you do not have to use any other authentication method.

http://support.microsoft.com/kb/907274

Also have a deny rule to disallow others in the mapping. And client certificates that aren't marked with the Client Authentication purpose won't be picked up by browsers.

If there is no mapping of client certificates to any Windows user accounts, we can leave the password field empty and type the user's name into the userName field to easily identify the row and the certificate. Otherwise, to be more specific, you will need that user account's password as well.

https://fermi.service-now.com/kb_view.do?sysparm_article=KB0010823
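Putting arnold's and btan's points together as a configuration, here is an added example (not from the original thread or from the linked walkthrough) of the three settings that have to change on the site: the SSL flags the question already has, anonymous authentication turned off, and a one-to-one mapping that contains only the permitted certificate. The site name, certificate path, local account name and password are assumptions; the mapped account must be a local account because the server is not domain-joined. Run it in an elevated PowerShell on the IIS 7.5 server.

```powershell
# Added example, not the original poster's configuration.
# Assumed values: site name, client .cer path, local account and password.
$SiteName = 'Default Web Site'           # assumed site name
$CertPath = 'C:\certs\client.cer'        # assumed: the one client cert to allow (DER or Base-64 .cer)
$MapUser  = 'svc-certclient'             # assumed: local account the cert is mapped to
$MapPass  = 'ChangeMe-Strong-Passw0rd'   # assumed; set to that account's real password
$AppCmd   = "$env:windir\system32\inetsrv\appcmd.exe"

# 0. The mapping module is not installed by default; without it the
#    iisClientCertificateMappingAuthentication section does nothing.
Import-Module ServerManager
Add-WindowsFeature Web-Cert-Auth | Out-Null

# 1. Build the value the one-to-one mapping asks for: the Base-64 encoding of the
#    DER certificate. This is exactly what you get from an exported Base-64 .cer
#    after removing the BEGIN/END lines and the line breaks.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$b64  = [Convert]::ToBase64String($cert.GetRawCertData())
"Mapping certificate: $($cert.Subject)  thumbprint $($cert.Thumbprint)"

# 2. What the question already had: TLS requires a client certificate. On its own
#    this only checks that the cert chains to a CA the server trusts; with anonymous
#    authentication still enabled, any such cert then runs as the anonymous user
#    and the mapping never gets to decide anything.
& $AppCmd set config $SiteName -section:system.webServer/security/access `
    /sslFlags:"Ssl, SslNegotiateCert, SslRequireCert" /commit:apphost

# 3. Fix, part 1: disable anonymous authentication, so a request whose certificate
#    maps to no identity is refused instead of served.
& $AppCmd set config $SiteName `
    -section:system.webServer/security/authentication/anonymousAuthentication `
    /enabled:"False" /commit:apphost

# 4. Fix, part 2: enable IIS certificate mapping in one-to-one mode only and list
#    exactly the certificate that is allowed. A trusted certificate that is not in
#    this list has no mapped user and is rejected.
& $AppCmd set config $SiteName `
    -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication `
    /enabled:"True" /oneToOneCertificateMappingsEnabled:"True" `
    /manyToOneCertificateMappingsEnabled:"False" /commit:apphost
& $AppCmd set config $SiteName `
    -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication `
    /+"oneToOneMappings.[enabled='True',userName='$MapUser',password='$MapPass',certificate='$b64']" `
    /commit:apphost

# 5. Verify the effective settings for the site before testing from a client.
& $AppCmd list config $SiteName `
    -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication
& $AppCmd list config $SiteName -section:system.webServer/security/authentication/anonymousAuthentication
```

Test it with two trusted client certificates: the mapped one should load the site, and the IIS log will show the request running as the mapped account, which is the audit benefit arnold describes; the unmapped one should now be refused with a 401 rather than served. Because requests run as the mapped account, that account needs NTFS read access to the site content. The /commit:apphost switch writes the settings into applicationHost.config, where IIS stores the password attribute encrypted.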