Steps for client certificate mapping to AD accounts using IIS 6.0
Just a really quick entry, because this had been bugging me on the back burner for a while now: how do you set up IIS 6.0 to do certificate-to-user mapping for authentication against Active Directory on Windows Server 2003? All of these sorts of infrastructure things are always a bit odd for me, coming from a developer background.
All the information is out there on how to do this, but it’s usually shrouded in a ton of other information, making it difficult to find the three steps you actually need to make things just work. So, what are those steps?
1) Enable Active Directory name mapping for the certificates, and don’t forget that the certificates you use must be suitable for client authentication.
2) In IIS 6.0, enable the Windows directory service mapper.
3) On the web virtual directory you want to use mapping for, enable certificates as an acceptable form of authentication on the Directory Security tab. If mapped certificates are going to be the only way you access the site, then you can actually turn off all other forms of authentication. In the Secure Communications settings, accept client certificates and simply tick ‘Enable client certificate mapping’, but don’t bother pressing the ‘Edit…’ button or changing any of the options behind it.
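The same three settings, applied from the command line with the adsutil.vbs metabase script that ships with IIS 6.0 rather than by clicking through the MMC. This is an added example, not from the original post: it assumes the default web site (site ID 1), a virtual directory called “Secure”, and the default AdminScripts path; change those to match your server.

```bat
@echo off
rem Added example (not from the original post): the IIS 6.0 side of client
rem certificate mapping, set via the metabase instead of the MMC.
rem Assumptions: site ID 1 (Default Web Site) and a vdir named "Secure".
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
set VDIR=W3SVC/1/ROOT/Secure

rem Step 2: turn on the Windows directory service mapper (a server-wide setting).
cscript //nologo %ADSUTIL% SET W3SVC/SSLUseDSMapper TRUE

rem Step 3: on the vdir, require SSL, accept (negotiate) client certificates
rem and map them to AD accounts. AccessSSLFlags is a bitmask:
rem   AccessSSL=8  AccessSSLNegotiateCert=32  AccessSSLRequireCert=64  AccessSSLMapCert=128
rem 8+32+128 = 168 accepts a certificate; 232 (adds RequireCert) insists on one.
cscript //nologo %ADSUTIL% SET %VDIR%/AccessSSLFlags 168

rem If mapped certificates are the only way in, switch off every other method
rem (AuthFlags 0 = no anonymous, basic, digest or integrated authentication).
cscript //nologo %ADSUTIL% SET %VDIR%/AuthFlags 0

rem Read the values back so you can see what was actually written.
cscript //nologo %ADSUTIL% GET W3SVC/SSLUseDSMapper
cscript //nologo %ADSUTIL% GET %VDIR%/AccessSSLFlags
cscript //nologo %ADSUTIL% GET %VDIR%/AuthFlags
```

Step 1 lives on the AD side rather than in the metabase: the ‘Name Mappings…’ dialog in Active Directory Users and Computers (Advanced Features view) writes the user’s altSecurityIdentities attribute, which is what the directory service mapper looks up. Two things worth checking before blaming the mapping when a browser still gets prompted: the client certificate carries the Client Authentication enhanced key usage, and the GET lines above return the values you expect on the vdir you are actually browsing to.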
This is pretty much all in this document, but there are too many steps there for this little thing when all I wanted was to do some testing!
I’ve not mentioned some of the peripheral things you need to make this happen, like SSL, auto-enrolment for certificates (if you want it), certificate trust lists, etc., but the above are the crucial nuggets to make sure it works.
It’s cool and it worked for me in the end ;-)