You can authenticate users who log on with a client certificate by creating mappings that relate the information contained in the certificate to a Windows user account. There are two ways to map certificates: one-to-one and many-to-one. You can use the Internet Information Services snap-in for both mapping types.
Important
- A server certificate must be installed in order for certificate mapping to be enabled. For more information on installing a server certificate, see Obtaining a Server Certificate.
- To ensure that changes to mapping rules are enacted, you must stop and restart your Web site. To do this:
In the IIS snap-in, select the Web site and either select Stop from the Action menu, or click the Stop icon on the tool bar. Then select Start from the Action menu, or click the Start icon on the tool bar.
About Mapping
One-to-One mapping
One-to-one mapping maps individual client certificates to accounts. The server compares the copy of the client certificate it holds with the client certificate sent by the browser. The two must be absolutely identical for the mapping to proceed. If a client gets another certificate containing all of the same user information, it must be mapped again.
Many-to-One mapping
Many-to-one mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as issuer or subject. This mapping does not compare the actual client certificate, but rather accepts all client certificates fulfilling the specific criteria. If a client gets another certificate containing all of the same user information, the existing mapping will work.
Directory Service (DS) mapping
Directory Service (DS) certificate mapping uses native Windows 2000 Active Directory features to authenticate users with client certificates. There are both advantages and disadvantages to using DS mapping. For example, an advantage is that the client certificate information is shared across many servers. A disadvantage is that wildcard matching is not as advanced as in the IIS mapper. For more information about DS mapping, see the Windows 2000 documentation.
You can enable DS mapping only at the Master properties level, and only if you are a member of a Windows 2000 domain. Activating DS mapping will exclude the use of one-to-one and many-to-one mapping for the entire Web service.
Mapping Strategies
Client certificate mapping is very flexible in that any of the three mapping methods can be used to map client certificates to user accounts. You can map a client certificate to any number of user accounts and any number of client certificates to a single user account. Certificate mapping can be used in several situations, including:
- Large Networks: Networks with a large number of client certificates might use many-to-one or DS mapping. The administrator could create one or more matching rules to map certificates to one or more Windows user accounts.
- Small Networks: Networks with very few users could use one-to-one mapping to provide greater control of certificate usage and revocation, or many-to-one mapping to facilitate easier administration.
- Additional Security: For resources that have few users and require additional security, the administrator might use one-to-one mapping. In this way, the administrator could be sure that only particular certificates are used. This allows better certificate revocation policies to be enforced.
- Internet: Internet sites that use certificate authentication could use many-to-one mapping by accepting a wide range of certificates and mapping them all to an account with rights similar to the IUSR_computername account.
- By Certification Authority: To map all users who log on with a client certificate issued by a particular organization, you could use many-to-one mapping and define a matching rule that automatically maps any certificate issued by that organization to a user account.
Note If you require the flexibility of wildcard mapping, use the IIS mapping feature. If you are using mapping to integrate your Web sites into a Windows domain, the Windows DS mapper might better suit your purpose. For more information, see the Windows documentation.
Exporting a Certificate
Some certificates need to be exported for use in IIS one-to-one mapping. Certificates do not need to be exported for use in many-to-one mapping. Contact your certification authority for more information.
To export a certificate using Internet Explorer, version 4.0 or later
Note You can also use this procedure to create a backup copy of your certificate.
- In Internet Explorer, click View and then Internet Options.
- In the Internet Options property sheets, click Contents.
- On the Contents property sheet, click either Personal (Internet Explorer version 4.0) or Certificates and then the Personal tab (Internet Explorer version 5).
- Select the certificate from the list and click Export.
- In the wizard, select Next and then select No, do not include any private keys in the export and click Next.
- On the next page, select Base64 Encoded X.509 (*.CER) and click Next. Complete the procedure as outlined in the wizard.
The certificate is now ready for any subsequent IIS one-to-one mapping. This procedure needs to be done only once for each certificate.
How To Map Certificates
One-to-one mapping maps individual client certificates to accounts. Many-to-one mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as issuer or subject.
To map a specific client certificate to a user account (one-to-one mapping)
- In the Internet Information Services snap-in, select the Web site you want to configure authentication for, and open its property sheets.
- On the Directory Security property sheet, under Secure Communications, click Edit.
- In the Secure Communications dialog box, select the Enable client certificate mapping check box if not already selected. Click Edit.
- On the 1-to-1 tab of the Account Mappings dialog box, either add a new certificate by clicking Add, or edit an existing mapping by selecting the mapping and clicking Edit Map.
- If you are adding a new certificate, browse to the certificate file and open it.
Note If you cannot find the certificate file, then it might need to be exported.
- In the Map to Account dialog box, enter a map name for the mapping. This is the name that will be displayed in the selection list on the Account Mappings dialog box.
- Either type or browse to a Windows user account. Type the password of the account that the certificate is mapping to.
- Click OK.
- Repeat these steps to map other certificates or to map this certificate to other accounts.
To add a client certificate mapping using wildcard rules (many-to-one mapping)
Note Certificates do not need to be exported for use in many-to-one mapping.
- In the Internet Information Services snap-in, select the Web site you want to configure authentication for, and open its property sheets.
- On the Directory Security property sheet, under Secure Communications, click Edit.
- In the Secure Communications dialog box, select the Enable client certificate mapping check box if not already selected. Click Edit.
- On the Many-to-one tab of the Account Mappings dialog box, click Add.
- In the General dialog box, type a name for the rule. This is the name that will be displayed in the selection list on the Account Mappings dialog box. You can create rules for future use or disable rules without deleting them by selecting or clearing the Enable this wildcard rule check box. Click Next.
- In the Rules dialog box, click New.
- In the Edit Rule Element dialog box, select the appropriate criteria and click OK.
Note The previous two steps (clicking New in the Rules dialog box and selecting criteria in the Edit Rule Element dialog box) can be repeated to define the rule more stringently.
- When finished, click Next.
- In the Mapping dialog box, either type or browse to a Windows user account. Type the password of the account that the rule is mapping to.
Note If the account you are mapping to is on a computer that is a member of a workgroup, you will need to specify the computer name and the account name. For example, if you are mapping to the RegionalSales account on the computer called Sales1, the mapping account name would be Sales1\RegionalSales.
- Click OK.
- Repeat these steps to create other mapping rules.
- Use the Move Up and Move Down buttons to establish the precedence given to the rules. Rules higher in the list take precedence.
To edit an existing wildcard rule (many-to-one mapping)
- In the Internet Information Services snap-in, select the Web site you want to configure authentication for, and open its property sheets.
- On the Directory Security property sheet, click Edit under Secure Communications.
- In the Secure Communications dialog box, select the Enable client certificate mapping check box, if not already selected. Click Edit.
- On the Many-to-one tab of the Account Mappings dialog box, select the rule and click Edit Rule.
- Make the necessary changes.
- When finished, click OK.
Notes
- Specific client certificate mappings always take precedence over wildcard mappings.
- Some client certificates offer a greater amount of identification information and may contain additional, custom subfields. For information about certificate formats, see your certification authority.
- Use matching rules that are as specific as possible. A good wildcard rule matches information from several different fields and subfields. For example, the names Accounting, Shipping, and Sales can appear in the organization unit subfield of more than one company's client certificate. A matching rule that mapped certificates based exclusively on this subfield would probably result in unintended mappings.
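The precedence and matching behavior described above (an exact one-to-one match wins over any wildcard rule, wildcard rules are tried in list order, and a rule keyed only on a shared subfield such as OU=Accounting maps certificates it was never meant for) is illustrated by the following toy model. This is an added example written for this page, not IIS code: the certificates, accounts, rule names and the assumption that wildcard criteria are (field, subfield, pattern) triples matched with shell-style wildcards are all constructed for illustration.

```python
"""Toy model of IIS client-certificate mapping precedence (added example, not IIS code).

Order of evaluation modelled here:
  1. one-to-one mappings: the presented certificate must be byte-for-byte identical
     to the stored copy (a renewed certificate with the same fields does not match);
  2. many-to-one wildcard rules, in list order, first enabled match wins.
"""
import base64
import hashlib
from fnmatch import fnmatchcase


def pem_to_der(pem: str) -> bytes:
    """Decode a Base64-encoded X.509 (.CER) export body back into DER bytes."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def cert_fingerprint(cert: dict) -> str:
    """Identity used for one-to-one mapping: a hash of the exact DER bytes."""
    return hashlib.sha256(pem_to_der(cert["pem"])).hexdigest()


def make_cert(der_stand_in: bytes, issuer: dict, subject: dict) -> dict:
    """Build a constructed certificate record: a fake .CER body plus the
    issuer/subject subfields that IIS would otherwise parse out of the DER."""
    b64 = base64.b64encode(der_stand_in).decode("ascii")
    pem = "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"
    return {"pem": pem, "issuer": issuer, "subject": subject}


def rule_matches(rule: dict, cert: dict) -> bool:
    """Every criterion (field, subfield, pattern) must be present and match (assumed semantics)."""
    for field, subfield, pattern in rule["criteria"]:
        value = cert[field].get(subfield)
        if value is None or not fnmatchcase(value, pattern):
            return False
    return True


def map_certificate(cert: dict, one_to_one: dict, wildcard_rules: list):
    """Return (account, source) or (None, None) if nothing maps the certificate."""
    fp = cert_fingerprint(cert)
    if fp in one_to_one:                      # specific mappings always win
        return one_to_one[fp], "1-to-1"
    for rule in wildcard_rules:               # higher in the list = higher precedence
        if rule["enabled"] and rule_matches(rule, cert):
            return rule["account"], rule["name"]
    return None, None


# --- constructed sample certificates (not real certificates) ---
CONTOSO_ISSUER = {"O": "Contoso CA", "CN": "Contoso Issuing CA"}
ALICE_SUBJECT = {"CN": "Alice", "OU": "Accounting", "O": "Contoso"}
ALICE_V1 = make_cert(b"constructed-der:alice:serial-0001", CONTOSO_ISSUER, ALICE_SUBJECT)
ALICE_V2 = make_cert(b"constructed-der:alice:serial-0002", CONTOSO_ISSUER, ALICE_SUBJECT)  # renewed
BOB = make_cert(b"constructed-der:bob:serial-7781",
                {"O": "Fabrikam CA", "CN": "Fabrikam Issuing CA"},
                {"CN": "Bob", "OU": "Accounting", "O": "Fabrikam"})

# One-to-one: only Alice's original certificate, mapped to her own account.
ONE_TO_ONE = {cert_fingerprint(ALICE_V1): r"CONTOSO\alice"}

# A rule keyed on a single shared subfield: any CA's "Accounting" cert matches.
LOOSE_RULES = [
    {"name": "Accounting staff", "enabled": True,
     "criteria": [("subject", "OU", "Accounting")],
     "account": r"CONTOSO\acct_reader"},
]

# Rules that combine issuer and subject fields, most specific first.
STRICT_RULES = [
    {"name": "Contoso accounting staff", "enabled": True,
     "criteria": [("issuer", "O", "Contoso CA"), ("subject", "O", "Contoso"),
                  ("subject", "OU", "Accounting")],
     "account": r"CONTOSO\acct_reader"},
    {"name": "Any Contoso-issued cert", "enabled": True,
     "criteria": [("issuer", "O", "Contoso CA")],
     "account": r"CONTOSO\web_guest"},
]

if __name__ == "__main__":
    for label, cert, rules in [("Alice v1 / strict", ALICE_V1, STRICT_RULES),
                               ("Alice v2 / strict", ALICE_V2, STRICT_RULES),
                               ("Bob / loose", BOB, LOOSE_RULES),
                               ("Bob / strict", BOB, STRICT_RULES),
                               ("Alice v2 / strict reversed", ALICE_V2, list(reversed(STRICT_RULES)))]:
        print(f"{label:28} -> {map_certificate(cert, ONE_TO_ONE, rules)}")
```

Running the script shows the three points from the Notes: Alice's original certificate hits the one-to-one mapping before any rule is consulted; her renewed certificate, though it carries identical fields, falls through to the wildcard rules; Bob's Fabrikam-issued certificate is mapped to a Contoso account by the loose OU-only rule but to nothing by the strict rules; and reversing the strict list changes which account Alice's renewed certificate lands in, which is why the Move Up and Move Down ordering matters.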
© 1997-1999 Microsoft Corporation. All rights reserved.