• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 892
  • Last Modified:

Client certificate for site in iis SSL

I am building a web site (Windows 2008 R2, iis 7.5. not in active directory [DMZ]) and I would like to allow only a client with a specific certificate to browse my site. So I chose a 2-ways SSL. I created a server certifictae which works great.
Then I created a new certificate for the client (which is trusted by the client and by the server) and changed the SSL to Require a client certificate. it allowed me to browse the site with any client certificate.
So I went to IIS and configed the

as explained in:

but then I tried from a different machine with a different certificate and it still worked! it seems that NO MATTER which client certificate I use from a client machine, as long as it is trusted by the server, it is acceptable by the server,
even when I DONT use the certificate which was defined at the one-to-one mapping.

What am I missing here? if any certificate is acceptable- why does the one-to-one request  the public key of the certificate?
1 Solution
The mapping deals with mapping the client certificate to a USER which reflects as an authenticated user in the log for simpler auditing.

The require client certificate means any will do as long as anonymous access is permitted.

The MAPing of certificate to user and eliminating the anonymous access will mean only a client certificate that is mapped to a user will be accepted as valid for the connection.
btanExec ConsultantCommented:
The server can be configured to do a mapping of the certificate to a user account. This can be either a one-to-one mapping, where the specific certificate is mapped to a single user account, or a many-to-one mapping, where the server uses certain fields in the certificate information to map any matching certificate to a designated user account. When a mapping is used, the certificate allows the user to be granted or denied access to resources as a particular user. When using client certificates in this manner, you do not have to use any other authentication method


Also have deny rule to disallow others in the mapping. And client certificates that aren’t marked with the Client Authentication purpose won’t be picked up by browsers.

If there is no mapping client certificates to any Windows user accounts, we can leave the password field empty and typed in the user’s name into the userName field to easily identify the row and the certificate. Else to be more specific you will need that user account pass word as well.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

WEBINAR: GDPR Implemented - Tips & Lessons Learned

Join the WatchGuard team on Thursday, March 29th as we recount some valuable lessons learned in weighing the needs of a business against the new regulatory environment, look ahead at the two months left before implementation, and help you understand the steps you can take today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now