Where does IIS 7 put Client certs for clientCertificateMappingAuth?

  • Question

  • In IIS 6.x, the X509 client certificates would be put into the Active Directory > User > Name Mappings field. Turning on the clientCertificateMappingAuthentication field for a Web Site in IIS 7 appears to do something similar, but we cannot find where the mappings go. Are they local to the machine? Are they mapped into AD (Published Certificates)?

    Thank you.

    Tuesday, April 12, 2011 5:01 PM

Answers

  • After months of consultation with MS engineers, we figured it out. IIS 7 is smarter than IIS 6.

     

    We have been using domain-local (x.y.z) generated certificates for testing. IIS 6 on Windows Server 2003r2 didn’t appear to check, or care, that the OU in the cert was local. IIS 7 appears to check that, and presumes since the cert is local, and the user exists, to grant through-access under the account. No AD mapping, because the cert says, “this person is valid, here’s the credentials.” And AD has the user, so it authenticated the user and let them through.

     

    When we did some testing with customer-domain (cust.y.z) generated certificates, only certificates that were mapped in AD were allowed pass-through authentication.

    Friday, September 30, 2011 1:32 PM

All replies

  • I am confused by the entire statement here. When you specify AD Mapping to be used in either IIS 6 or IIS 7, it will not check it against any local account. There is no mapping present in IIS. It relies on the AD for mapping the certificates to the respective accounts.

    Maybe you already know, there are basically 2 types of mappings in both IIS 6 and IIS 7:

    1. AD Client cert mapping, where the mappings are done in the AD.

    2. IIS client cert mapping, which is again categorized into:

           a. One to One Mapping.

           b. Many to One Mapping.

    If I use AD mapping, it is supposed to contact the AD to check for authentication and never checks it locally. And all this is never done by IIS. In fact none of the authentication mechanisms is ever handled by IIS. All authentication is handled by LSASS.EXE.

    IIS 7 is smarter, but not in regards to this. Hope this clears some doubts.

     


    Regards, Kaushal Blog: http://blogs.msdn.com/b/kaushal/
    Wednesday, October 5, 2011 4:43 PM
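The two mapping types Kaushal lists, configured side by side, as an added example that is not code from either poster. It assumes a site named "Default Web Site", a domain user jsmith in domain X, an exported client certificate (public part only) at C:\certs\jsmith.cer, and placeholder passwords; the WebAdministration and ActiveDirectory PowerShell modules (IIS 7 on Windows Server 2008 R2 or later) do the work, and the "Client Certificate Mapping Authentication" and "IIS Client Certificate Mapping Authentication" role services must already be installed.

```powershell
# Added example, not from the thread. Site name, user, paths and passwords
# below are assumptions; replace them before running.
Import-Module WebAdministration
Import-Module ActiveDirectory

$site = 'IIS:\Sites\Default Web Site'                       # assumption
$auth = 'system.webServer/security/authentication'

# Both modes need client certificates negotiated on the site.
Set-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# ---- 1. AD client certificate mapping (clientCertificateMappingAuthentication) ----
# IIS keeps no mapping table in its configuration. The certificate is handed to
# LSASS, which resolves it against the user object in AD. Only one of the two
# mapping modes may be enabled on a site at a time, so turn the other one off.
Set-WebConfigurationProperty -PSPath $site `
    -Filter "$auth/iisClientCertificateMappingAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $site `
    -Filter "$auth/clientCertificateMappingAuthentication" -Name enabled -Value $true

# The AD side is the altSecurityIdentities attribute on the user, the same
# attribute the IIS 6 "Name Mappings" page wrote. Value format is
# X509:<I>issuerDN<S>subjectDN with each DN written root-first (C=, O=, ... CN=).
# The DNs below are constructed placeholders and must match the certificate exactly.
$issuer  = 'DC=z,DC=y,DC=cust,CN=Cust Issuing CA'
$subject = 'DC=z,DC=y,DC=cust,CN=Users,CN=J Smith'
Set-ADUser -Identity 'jsmith' -Add @{ altSecurityIdentities = "X509:<I>$issuer<S>$subject" }

# ---- 2. IIS client certificate mapping (iisClientCertificateMappingAuthentication) ----
# Here the mappings live in the site's configuration (applicationHost.config /
# web.config); IIS encrypts the stored passwords when it writes them.
Set-WebConfigurationProperty -PSPath $site `
    -Filter "$auth/clientCertificateMappingAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $site `
    -Filter "$auth/iisClientCertificateMappingAuthentication" -Name enabled -Value $true

# 2a. One-to-one: the base64 DER of one exact certificate maps to one account.
$certPath = 'C:\certs\jsmith.cer'                            # assumption
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$base64   = [Convert]::ToBase64String($cert.Export('Cert'))
$pw       = Read-Host -Prompt 'Password for X\jsmith'        # placeholder prompt
Add-WebConfigurationProperty -PSPath $site `
    -Filter "$auth/iisClientCertificateMappingAuthentication/oneToOneMappings" -Name '.' `
    -Value @{ enabled = $true; userName = 'X\jsmith'; password = $pw; certificate = $base64 }

# 2b. Many-to-one: every certificate whose Subject OU matches a rule lands on one
#     account (here a constructed service account for cust.y.z certificates).
$svcPw = Read-Host -Prompt 'Password for X\custsvc'          # placeholder prompt
Add-WebConfigurationProperty -PSPath $site `
    -Filter "$auth/iisClientCertificateMappingAuthentication/manyToOneMappings" -Name '.' `
    -Value @{ name = 'CustDomainUsers'; enabled = $true; permissionMode = 'Allow';
              userName = 'X\custsvc'; password = $svcPw }
Add-WebConfigurationProperty -PSPath $site `
    -Filter "$auth/iisClientCertificateMappingAuthentication/manyToOneMappings/add[@name='CustDomainUsers']/rules" `
    -Name '.' `
    -Value @{ certificateField = 'Subject'; certificateSubField = 'OU';
              matchCriteria = 'cust.y.z'; compareCaseSensitive = $false }

# ---- Check which mode is actually in force on the site ----
foreach ($mode in 'clientCertificateMappingAuthentication', 'iisClientCertificateMappingAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath $site -Filter "$auth/$mode" -Name enabled).Value
    "{0,-45} enabled={1}" -f $mode, $enabled
}
```

Running the script as written leaves the site in IIS client-cert mapping mode, since section 2 re-enables it last; in practice you pick one section. The behaviour the accepted answer saw with domain-local certificates is consistent with Windows' implicit UPN mapping: a certificate issued by an enterprise CA trusted in the NTAuth store that carries the user's UPN in its subjectAltName is matched to that account by LSASS without any altSecurityIdentities entry, whereas a certificate from the customer's CA has no such implicit path and needs an explicit mapping in AD, which is what the "only certificates that were mapped in AD" observation describes.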