IIS Client Certificate Mapping

Microsoft IIS supports an access control feature known as client certificate mapping. What's client certificate mapping, and how can I configure it?

When you authenticate a user who logs on to your Web server with a Secure Sockets Layer (SSL) or X.509 client certificate, you can map the information in that certificate to a Windows security identity (i.e., a Windows user account) and apply access control settings defined for that identity. Microsoft calls this feature client certificate mapping.

Client certificate mapping is available only if you've enabled SSL to secure access to your Web site. You can use the Microsoft Management Console (MMC) Internet Services Manager (ISM) snap-in to configure SSL. To access the SSL configuration options, right-click your Web site in the snap-in, select Properties, select the Directory Security tab, then select the Edit button that appears in the Secure communications section at the bottom of the tab. The Edit button will appear only if you've successfully installed an SSL server certificate on your Web server.

You define client certificate mapping either in the IIS metabase or in Active Directory (AD). You can enable IIS metabase-based client certificate mapping from the ISM Secure Communications dialog box, which Figure 1 shows, by selecting the Enable client certificate mapping check box. The Edit button next to this option becomes available only after you've selected this check box.

You can set up client certificate mappings defined in the IIS metabase in one of two modes: 1-to-1 mapping and many-to-1 mapping. When you use 1-to-1 client certificate mapping, IIS looks at the complete contents of the client certificate to map it to a Windows security identity. With many-to-1 client certificate mapping, IIS looks at particular attributes of the client certificate, as defined by rules that you create, to map the certificate to a Windows security identity. Figure 2 shows the dialog box for creating these many-to-1 rules.

AD-based client certificate mapping uses a service known as the Windows directory service mapper, which you can define from the Active Directory Users and Computers snap-in: Right-click an account object and select Name mappings (this option will be available only if the snap-in is in Advanced Features viewing mode). AD-based client certificate mapping allows for only 1-to-1 mapping. To enable AD-based mapping, open the ISM snap-in, right-click your Web site, select Properties, select the Directory Security tab, then select the Enable the Windows directory service mapper in the Secure communications section at the bottom of the tab, as Figure 3 shows. AD-based client certificate mapping is a good option if you have multiple Web servers that all need to have client certificate mappings defined. Instead of defining the mappings on each Web server, you can define them once in the central AD repository.