Mapping Client Certificates to User Accounts

You can authenticate users who log on with a client certificate by creating mappings that relate the information contained in the certificate to a Windows NT user account. Using your Web server's certificate mapping feature, you can either map a specific user's client certificate to an account (a one-to-one mapping), or map multiple certificates to an account. To map multiple certificates, you can define wildcard matching rules that create a mapping by verifying only whether a certificate contains certain items of information. For example, to map all users who log on with a client certificate issued by a particular organization, you could define a matching rule that automatically maps any certificate issued by that organization to a user account, rather than creating a separate mapping for each client certificate.

To map a specific client certificate to a user account
  1. In Internet Service Manager, select a Web site, directory, or file, and open its property sheets.
  2. If you have not previously created a server key pair and certificate request, select the Directory Security or File Security property sheet and, under Secure Communications, click Key Manager. For procedural information about using Key Manager, see Creating and Managing Server Key Pairs.
  3. If you have previously created a server key pair and certificate request, select the Directory Security or File Security property sheet and, under Secure Communications, click Edit.
  4. In the Secure Communications dialog box, determine whether you want to require a secure channel, and if so, whether you want to require client certificate authentication. Alternatively, you can configure your Web server only to accept, and not require, client certificates. For more information, see Enabling Client Certificates and Enabling Encryption.
  5. Select the Enable Client Certificate Mapping check box, then click Edit.
  6. In the Basic property sheet, click Add.
  7. In the Open dialog box, select a certificate file, then click Open.
     Note   User client certificate files may not always be available, especially if your users obtain certificates from an external certificate authority. In such cases, you can use ASP to extract the contents of a user's client certificate and save this information in a file, which you can then use to create a mapping. For more information, see Obtaining Client Certificate Information with ASP.
  8. In the Map to Account dialog box, enter a name for the mapping in the Map Name text box. Enter a Windows NT account and password. Click OK.
     Note   You can map multiple certificates to the same account by repeating the previous procedure for each account mapping.


To map multiple client certificates to user accounts by defining wildcard criteria
  1. Follow steps 1 through 5 of the previous procedure.
  2. In the Advanced property sheet, select the Enable Wildcard Client Certificate Matching check box, then click Add.
  3. In the General dialog box, enter a descriptive name for the mapping rule.
  4. Under Issuers, select either Match on all Certificate Issuers which I trust to check client certificates against all certificate authorities contained on your Web server's list, or select Match on selected certificate issuers and then click Select to choose specific certificate authorities from the list. Click Next.
  5. Under Rules, click New. In the Edit Rule Element dialog box, in the Certificate Field and Sub Field item lists, select the certificate sub-fields that you want your Web server to match. In the Criteria text box, type a text string containing the matching criteria, then click OK. Add new rules as needed, then click Next.
  6. In the Mapping dialog box, select the appropriate action for your server to take when a client certificate matches your criteria. Type a Windows NT account user name and password, then click OK.
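The following Python script is an added illustration of how the two mapping styles described above relate to each other; it is not part of the original documentation and is not IIS's own mapping code. It models a one-to-one mapping as a lookup keyed on the certificate's fingerprint, and a wildcard rule as an issuer check (either "all issuers the server trusts" or a selected subset) combined with Certificate Field / Sub Field / Criteria triples that must all match. The certificates, issuer names, account names and the rule ordering (explicit mappings first, then rules in list order) are constructed assumptions for the example.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# A client certificate reduced to the parts the mapping rules look at.
# "der" stands in for the encoded certificate file; the bytes used below
# are constructed placeholders, not real certificates.
@dataclass
class ClientCert:
    der: bytes
    issuer: dict   # e.g. {"CN": "Contoso Root CA"}
    subject: dict  # e.g. {"CN": "Alice", "O": "Contoso Ltd", "OU": "Sales"}

    def fingerprint(self) -> str:
        # One-to-one mappings are keyed on the exact certificate, modelled
        # here as the SHA-1 hash of its DER encoding.
        return hashlib.sha1(self.der).hexdigest()

    def sub_field(self, name: str, sub: str) -> Optional[str]:
        # Look up a sub-field of Subject or Issuer, mirroring the
        # Certificate Field / Sub Field lists in the Edit Rule Element dialog.
        part = {"Subject": self.subject, "Issuer": self.issuer}[name]
        return part.get(sub)

@dataclass
class WildcardRule:
    name: str
    account: str
    # None models "Match on all Certificate Issuers which I trust";
    # a set of issuer CNs models "Match on selected certificate issuers".
    selected_issuers: Optional[set] = None
    # (Certificate Field, Sub Field, Criteria) triples; every one must match.
    criteria: list = field(default_factory=list)

    def matches(self, cert: ClientCert, server_trusted: set) -> bool:
        issuer_cn = cert.issuer.get("CN")
        # A certificate from a CA the server does not trust never matches,
        # whichever issuer option the rule uses: matching on subject fields
        # alone would let any CA mint a certificate that maps to the account.
        if issuer_cn not in server_trusted:
            return False
        if self.selected_issuers is not None and issuer_cn not in self.selected_issuers:
            return False
        return all(
            (cert.sub_field(f, s) or "").lower() == value.lower()
            for f, s, value in self.criteria
        )

def map_certificate(cert, one_to_one, rules, server_trusted):
    """Return the account a certificate maps to, or None if nothing applies.

    Explicit (one-to-one) mappings are consulted before wildcard rules; rules
    are evaluated in list order and the first match wins. That ordering is an
    assumption of this model, not a statement about the server's behaviour.
    """
    account = one_to_one.get(cert.fingerprint())
    if account:
        return account
    for rule in rules:
        if rule.matches(cert, server_trusted):
            return rule.account
    return None

# --- constructed sample data ---
SERVER_TRUSTED = {"Contoso Root CA", "Fabrikam CA"}  # the server's CA list

ALICE = ClientCert(b"constructed-der-alice", {"CN": "Contoso Root CA"},
                   {"CN": "Alice", "O": "Contoso Ltd"})
BOB = ClientCert(b"constructed-der-bob", {"CN": "Contoso Root CA"},
                 {"CN": "Bob", "O": "Contoso Ltd", "OU": "Sales"})
MALLORY = ClientCert(b"constructed-der-mallory", {"CN": "Rogue CA"},
                     {"CN": "Mallory", "O": "Contoso Ltd"})
PARTNER = ClientCert(b"constructed-der-partner", {"CN": "Fabrikam CA"},
                     {"CN": "Partner", "O": "Contoso Ltd"})

# One-to-one mapping created from Alice's certificate file (Basic sheet).
ONE_TO_ONE = {ALICE.fingerprint(): r"CONTOSO\alice"}

# Wildcard rules created on the Advanced sheet.
RULES = [
    WildcardRule("Contoso staff", r"CONTOSO\certusers",
                 selected_issuers={"Contoso Root CA"},
                 criteria=[("Subject", "O", "Contoso Ltd")]),
    WildcardRule("Fabrikam-issued certificates", r"CONTOSO\partners",
                 selected_issuers=None,
                 criteria=[("Issuer", "CN", "Fabrikam CA")]),
]

def resolve(cert: ClientCert) -> Optional[str]:
    return map_certificate(cert, ONE_TO_ONE, RULES, SERVER_TRUSTED)

if __name__ == "__main__":
    for c in (ALICE, BOB, MALLORY, PARTNER):
        print(c.subject["CN"], "->", resolve(c))
```

Running the script shows Alice resolved by her explicit mapping, Bob by the Contoso wildcard rule, the Fabrikam-issued certificate by the second rule, and Mallory's certificate mapped to nothing: its subject matches the Contoso rule's criteria, but its issuer is not on the server's trusted list, so the rule is never applied. Whichever issuer option a rule uses, the trust list is what keeps a subject-field criterion from being satisfiable by an arbitrary CA.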

© 1997 by Microsoft Corporation. All rights reserved.