Configuring Client Certificate Authentication

Client Certificate authentication works by having a client present a user authentication certificate issued by a trusted root Certificate Authority, which is then mapped to a Windows security principal (user account).

The Client Certificate is presented by the client to the server as part of an SSL or TLS handshake. As such, use of Client Certificates for authentication requires enabling SSL/TLS on a website. For more information on SSL/TLS, see Chapter 15.

IIS 8.0 supports three Client Certificate authentication mechanisms:

  • One-to-One Client Mapping—When this is enabled, each individual trusted user certificate is mapped, one by one, to a Windows user account. Some certificates may be mapped to a shared user account, or each certificate may be mapped to an individual user account. When the certificate is presented to IIS 8.0, it logs on the corresponding user.
  • Many-to-One Client Mapping—When this is enabled, multiple trusted user certificates are mapped to a single Windows user account. This is similar to the One-to-One mapping but doesn't provide the fine-grained options of restricting certain users to certain parts of the website. Instead, all certificates that are trusted will be permitted the same access. This option provides less flexibility but reduces administration.
  • Active Directory Mapping—When enabled, certificates are passed to Active Directory. If the certificate has been explicitly assigned by a domain Administrator ...

Get Professional Microsoft IIS 8 now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.