HOW TO: Configure Client Certificate Mappings in Internet Information Services (IIS) 5.0 (313070)

SUMMARY

This step-by-step article describes how to configure client certificate mappings in Internet Information Services (IIS) 5.0.

back to the top

Mapping Client Certificates to User Accounts

In IIS, you can authenticate users who log on with a client certificate by mapping the certificates to Windows user accounts. The mapped certificates are used to either deny access to Web resources, or grant rights and permissions for the mapped user account. There are two methods in which to map certificates:

• One-to-one mapping
  
  One-to-one mapping maps a single client certificate to a single user account. The server compares a copy of its certificate with the client certificate that is sent by the browser. Both certificates must be identical for the mapping to proceed.
• Many-to-one mapping
  
  Many-to-one mapping maps multiple certificates to a single user account. It uses wildcard matching rules to define the certificate criteria for mapping. This type of mapping does not compare the actual client certificate, instead, it accepts all client certificates that meet specific criteria. If certificates match the rules, they are mapped to the appropriate user account.

back to the top

Windows 2000 Active Directory Service Mapping

In IIS, you can also map a certificate to a Windows user account by using the Microsoft Windows 2000 Active Directory directory service feature. This option is available only at the Master properties level and if the server is a member of a Windows 2000 domain.

To enable the Windows directory service mapper:

1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. In the Internet Information Services pane, right-click * server name where server name is the name of the server, and then click Properties.
3. Click the Internet Information Services tab.
4. Under Master Properties, click WWW Service, and then click Edit.
5. In the WWW Service Master Properties for * server name Properties dialog box, click the Directory Security tab.
6. Under Secure communications, click to select the Enable the Windows directory service mapper check box, and then click OK.

For more information about Windows 2000 Active Directory Service mapping, click Start, click Help, click the Index tab, and then type mapping certificates.

back to the top

One-to-One Mapping

Export a Certificate

In IIS one-to-one mapping, some certificates must first be exported. To export a certificate for use in IIS one-to-one mapping:

1. Start Internet Explorer, and then click Internet Options on the Tools menu.
2. Click the Content tab.
3. Under Certificates, click Certificates, and then click the Personal tab.
4. Click the certificate that you want to export, and then click Export to start the Certificate Export Wizard.
5. Click Next.
6. Click No, do not export the private key, and then click Next.
7. Click Base-64 encoded X.509 (.CER), and then click Next.
8. In the File name box, click Browse, specify a name and location where you want to save the file, and then click Save.
9. Click Next, and then click Finish.
10. Click OK to the "The export was successful" message, click Close, and then click OK. The certificate is ready for one-to-one mapping in IIS. This procedure needs to be completed once for each certificate.

back to the top

Map a Specific Client Certificate to a User Account

To map a specific client certificate to a user account:

1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then under Secure communications, click Edit.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the 1-to-1 tab, and then click Add.
6. In the Open box, locate the certificate file, and then click Open.
   
   NOTE: If you cannot locate the certificate file, you may need to export the file.
7. In the Map to Account dialog box, use the following steps:
   1. In the Map Name box, type a map name.
   2. In the Account box, type, or click Browse to browse to the Windows user account that you want to map. Type the password of the user account in the Password box, and then click OK.
   3. Re-type the password in the Confirm Password dialog box, and then click OK.
8. Repeat steps 5-7 to map other certificates or to map this certificate to other user accounts.
9. When you are finished creating the mappings that you want, click OK three times, and then quit Internet Services Manager, or close the IIS snap-in.

back to the top

Many-to-One Mapping

Map Client Certificates by Using Wildcard Rules

To add a client certificate mapping by using wildcard rules:

1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then under Secure communications, click Edit.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the Many-to-1 tab, and then click Add.
6. In the General dialog box, type a name for the rule, and then Next.
7. In the Rules dialog box, click New.
8. In the Edit Rule Element dialog box that appears, configure the settings that you want for the rule, click OK, and then click Next.
   
   NOTE: You should configure your matching rules to be as specific as possible. Use wildcard rules that match information from several different fields and sub fields.
9. In the Mapping dialog box, do one of the following:
   • Click Accept this certificate for Logon Authentication, and then in the Account box, type, or click Browse to browse to the Windows user account that you want to map. Type the password of the user account in the Password box.
     
     -or-
   • Click Refuse Access.
10. Click Finish.
11. Repeat steps 5-10 to create other mapping rules.
12. To establish the priority of the rules that you defined, click a rule in the list, and then click Move Up or Move Down to move the rule higher or lower on the list. Rules that are higher on the list have a higher priority.
13. Click OK three times, and then quit Internet Services Manager, or close the IIS snap-in.

back to the top

Edit an Existing Wildcard Rule

To edit an existing wildcard rule:

1. Start Internet Services Manager, or open the MMC that contains the IIS snap-in.
2. Right-click the Web site for which you want to configure authentication (for example, Default Web Site), and then click Properties.
3. Click the Directory Security tab, and then click Edit under Secure communications.
4. Click to select the Enable client certificate mapping check box, and then click Edit.
5. Click the Many-to-1 tab, click the rule that you want to edit, and then click Edit Rule.
6. In the Edit Wildcard Mapping Rule dialog box, make the changes that you want, and then click OK.
7. Click OK four times, and then quit Internet Services Manager, or close the IIS snap-in.

back to the top

Troubleshooting

If you use IIS to map client certificates to user accounts, you cannot also use the Windows Directory Service to configure client certificate mappings. You can only use one method or the other.

For additional information about related topics, click the article number below to view the article in the Microsoft Knowledge Base: back to the top