Solved

Client certificate for site in iis SSL

Posted on 2013-11-18
2
835 Views
Last Modified: 2013-11-24
Hi,
I am building a web site (Windows 2008 R2, IIS 7.5, not in Active Directory [DMZ]) and I would like to allow only a client with a specific certificate to browse my site. So I chose 2-way SSL. I created a server certificate, which works great.
Then I created a new certificate for the client (which is trusted by the client and by the server) and changed the SSL setting to Require a client certificate. It allowed me to browse the site with any client certificate.
So I went to IIS and configured
system.webServer/security/authentication/iisClientCertificateMappingAuthentication

as explained in:
http://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx

but then I tried from a different machine with a different certificate and it still worked! It seems that NO MATTER which client certificate I use from a client machine, as long as it is trusted by the server, it is accepted by the server,
even when I DON'T use the certificate which was defined in the one-to-one mapping.

What am I missing here? If any certificate is acceptable, why does the one-to-one mapping request the public key of the certificate?
Question by:mashuf1976
2 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 39658467
The mapping deals with mapping the client certificate to a USER which reflects as an authenticated user in the log for simpler auditing.

The require client certificate means any will do as long as anonymous access is permitted.

The mapping of certificate to user and eliminating the anonymous access will mean only a client certificate that is mapped to a user will be accepted as valid for the connection.
0
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 39658525
The server can be configured to do a mapping of the certificate to a user account. This can be either a one-to-one mapping, where the specific certificate is mapped to a single user account, or a many-to-one mapping, where the server uses certain fields in the certificate information to map any matching certificate to a designated user account. When a mapping is used, the certificate allows the user to be granted or denied access to resources as a particular user. When using client certificates in this manner, you do not have to use any other authentication method.

http://support.microsoft.com/kb/907274

Also have a deny rule to disallow others in the mapping. And client certificates that aren't marked with the Client Authentication purpose won't be picked up by browsers.

If there is no mapping of client certificates to any Windows user accounts, we can leave the password field empty and type the user's name into the userName field to easily identify the row and the certificate. Otherwise, to be more specific, you will need that user account's password as well.

https://fermi.service-now.com/kb_view.do?sysparm_article=KB0010823
0
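The configuration the two answers describe, written out as an added example (it is not from the question or either answer, and not from the linked Microsoft walkthrough): the weak state from the question (require a client certificate but leave anonymous authentication on, so any certificate chaining to a trusted CA gets in) is shown commented out beside the corrected state (anonymous access disabled, one explicit one-to-one mapping, and a many-to-one deny rule for everything else). The site account name `SVC_CertUser`, the password value, the issuer CN and the base64 certificate blob are placeholders.

```xml
<!-- Added example (not from the page). applicationHost.config fragment for IIS 7.5.
     Placeholders: SVC_CertUser, PLACEHOLDER-PASSWORD, "Example Issuing CA",
     and the base64 DER certificate value. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Transport: require SSL and force the client to present a certificate.
           By itself this only checks that the certificate chains to a CA the server trusts,
           which is exactly the "any certificate works" behaviour seen in the question. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />

      <authentication>
        <!-- WEAK state (as in the question): anonymous access still enabled, so every
             request is already authorised before the certificate mapping is consulted. -->
        <!-- <anonymousAuthentication enabled="true" /> -->

        <!-- CORRECTED: with anonymous access off, a request is only authenticated when
             a mapping below resolves its certificate to a Windows account. -->
        <anonymousAuthentication enabled="false" />

        <iisClientCertificateMappingAuthentication enabled="true"
            oneToOneCertificateMappingsEnabled="true"
            manyToOneCertificateMappingsEnabled="true">

          <!-- One-to-one: this exact certificate (base64 DER, the "public key" blob the
               IIS UI asks for) maps to a local account. The password is required for a
               real Windows logon; IIS encrypts it when the section is saved. -->
          <oneToOneMappings>
            <add enabled="true"
                 userName="SVC_CertUser"
                 password="PLACEHOLDER-PASSWORD"
                 certificate="BASE64-DER-OF-CLIENT-CERTIFICATE-PLACEHOLDER" />
          </oneToOneMappings>

          <!-- Many-to-one deny rule: any other certificate issued by the same trusted CA
               is rejected explicitly instead of falling through. -->
          <manyToOneMappings>
            <add name="Deny other certificates from the CA" enabled="true"
                 permissionMode="Deny">
              <rules>
                <add certificateField="Issuer" certificateSubField="CN"
                     matchCriteria="Example Issuing CA" compareCaseSensitive="false" />
              </rules>
            </add>
          </manyToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

Two practical notes on applying this: the `iisClientCertificateMappingAuthentication` section is locked at the server level by default, so it must be edited in applicationHost.config (or unlocked) rather than in the site's web.config, and one-to-one mappings are evaluated before many-to-one ones, which is why the explicit deny rule can sit alongside the allow mapping without blocking it. To verify the fix, repeat the asker's test: a second certificate from the same CA that is not in `oneToOneMappings` should now receive a 403, and the IIS log for a successful request should show the mapped account name rather than an anonymous user.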