Solved

Client certificate for site in iis SSL

Posted on 2013-11-18
2
851 Views
Last Modified: 2013-11-24
Hi,
I am building a web site (Windows 2008 R2, iis 7.5. not in active directory [DMZ]) and I would like to allow only a client with a specific certificate to browse my site. So I chose a 2-ways SSL. I created a server certifictae which works great.
Then I created a new certificate for the client (which is trusted by the client and by the server) and changed the SSL to Require a client certificate. it allowed me to browse the site with any client certificate.
So I went to IIS and configed the
system.webServer/security/authentication/iisClientCertificateMappingAuthentication

as explained in:
http://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx

but then I tried from a different machine with a different certificate and it still worked! it seems that NO MATTER which client certificate I use from a client machine, as long as it is trusted by the server, it is acceptable by the server,
even when I DONT use the certificate which was defined at the one-to-one mapping.

What am I missing here? if any certificate is acceptable- why does the one-to-one request  the public key of the certificate?
0
Comment
Question by:mashuf1976
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 78

Expert Comment

by:arnold
ID: 39658467
The mapping deals with mapping the client certificate to a USER which reflects as an authenticated user in the log for simpler auditing.

The require client certificate means any will do as long as anonymous access is permitted.

The MAPing of certificate to user and eliminating the anonymous access will mean only a client certificate that is mapped to a user will be accepted as valid for the connection.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39658525
The server can be configured to do a mapping of the certificate to a user account. This can be either a one-to-one mapping, where the specific certificate is mapped to a single user account, or a many-to-one mapping, where the server uses certain fields in the certificate information to map any matching certificate to a designated user account. When a mapping is used, the certificate allows the user to be granted or denied access to resources as a particular user. When using client certificates in this manner, you do not have to use any other authentication method

http://support.microsoft.com/kb/907274

Also have deny rule to disallow others in the mapping. And client certificates that aren’t marked with the Client Authentication purpose won’t be picked up by browsers.

If there is no mapping client certificates to any Windows user accounts, we can leave the password field empty and typed in the user’s name into the userName field to easily identify the row and the certificate. Else to be more specific you will need that user account pass word as well.

https://fermi.service-now.com/kb_view.do?sysparm_article=KB0010823
0

Featured Post

SendBlaster Pro 4 - Bulk Email Sending Software

SendBlaster 4 Pro - Best Bulk Emailing Sending Software
Automatic Subscribe / Unsubscribe Processing
Great for Newsletters & Mass Mailings
Optional HTML & Text Composition
Integration with Google Features
Built in Spam Score Checking
Free Professional Templates - Feature Packed!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Many of you may be aware of the recent Google Docs scam emails that have been floating around coming from various people that you know. Here's a guide on identifying How To Identify the Scam Email You will see an email from someone you’ve had co…
This Micro Tutorial will demonstrate how nuggets on the Web are formatted by using Chrome Developer Tools. These tools would not only view the site's CSS but it can also modify it and save the CSS to use on your own site.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question