Solved

Client certificate for site in iis SSL

Posted on 2013-11-18
Last Modified: 2013-11-24
Hi,
I am building a web site (Windows 2008 R2, IIS 7.5, not in Active Directory [DMZ]) and I would like to allow only a client with a specific certificate to browse my site. So I chose 2-way SSL. I created a server certificate which works great.
Then I created a new certificate for the client (which is trusted by the client and by the server) and changed the SSL to Require a client certificate. It allowed me to browse the site with any client certificate.
So I went to IIS and configured
system.webServer/security/authentication/iisClientCertificateMappingAuthentication

as explained in:
http://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx

but then I tried from a different machine with a different certificate and it still worked! It seems that NO MATTER which client certificate I use from a client machine, as long as it is trusted by the server, it is accepted by the server,
even when I DON'T use the certificate which was defined in the one-to-one mapping.

What am I missing here? If any certificate is acceptable, why does the one-to-one mapping request the public key of the certificate?
Question by:mashuf1976
2 Comments
LVL 76

Expert Comment

by:arnold
ID: 39658467
The mapping deals with mapping the client certificate to a USER which reflects as an authenticated user in the log for simpler auditing.

The require client certificate means any will do as long as anonymous access is permitted.

The mapping of certificate to user and eliminating the anonymous access will mean only a client certificate that is mapped to a user will be accepted as valid for the connection.
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39658525
The server can be configured to do a mapping of the certificate to a user account. This can be either a one-to-one mapping, where the specific certificate is mapped to a single user account, or a many-to-one mapping, where the server uses certain fields in the certificate information to map any matching certificate to a designated user account. When a mapping is used, the certificate allows the user to be granted or denied access to resources as a particular user. When using client certificates in this manner, you do not have to use any other authentication method.

http://support.microsoft.com/kb/907274

Also have deny rule to disallow others in the mapping. And client certificates that aren’t marked with the Client Authentication purpose won’t be picked up by browsers.

If there is no mapping of client certificates to any Windows user accounts, we can leave the password field empty and type the user's name into the userName field to easily identify the row and the certificate. Otherwise, to be more specific, you will need that user account's password as well.

https://fermi.service-now.com/kb_view.do?sysparm_article=KB0010823
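The configuration the accepted answer describes, as an added example that is not from the original thread or from Microsoft's documentation: the questioner's state (Require client certificate plus a one-to-one mapping, but anonymous access still on) beside the corrected state where only the mapped certificate is admitted. The site name, account name and the two placeholder values are assumptions.

```xml
<!-- applicationHost.config fragment (example added here, not from the thread).
     Site name, account name and the two PLACEHOLDER values are assumptions. -->

<!-- BEFORE: the questioner's state. The client must present a certificate,
     but anonymous authentication is still enabled, so any certificate that
     chains to a CA the server trusts gets in; the mapping is never consulted. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <anonymousAuthentication enabled="true" />
        <iisClientCertificateMappingAuthentication enabled="true"
            oneToOneCertificateMappingsEnabled="true"
            manyToOneCertificateMappingsEnabled="false">
          <oneToOneMappings>
            <add enabled="true" userName="CertClient"
                 password="[enc:AesProvider:PLACEHOLDER:enc]"
                 certificate="PLACEHOLDER_BASE64_OF_CLIENT_CERT" />
          </oneToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>

<!-- AFTER: the only change is anonymousAuthentication enabled="false". With no
     anonymous fallback (and no other authentication method enabled), a request
     succeeds only if the presented certificate matches a oneToOneMappings row
     and IIS can log on the mapped account; every other certificate is rejected. -->
<location path="Default Web Site">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <iisClientCertificateMappingAuthentication enabled="true"
            oneToOneCertificateMappingsEnabled="true"
            manyToOneCertificateMappingsEnabled="false">
          <oneToOneMappings>
            <add enabled="true" userName="CertClient"
                 password="[enc:AesProvider:PLACEHOLDER:enc]"
                 certificate="PLACEHOLDER_BASE64_OF_CLIENT_CERT" />
          </oneToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
```

The certificate attribute holds the base64 text of the client certificate's exported public certificate, which is why the one-to-one mapping asks for it: IIS compares the presented certificate against that value before logging on the mapped account.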
