
ASP.NET Weblogs

MikeShaw's WebLog

Developer Security and other stuff

Steps for client certificate mapping to AD accounts using IIS 6.0

Just a really quick entry, because this had been bugging me on the back burner for a while now: how do you set up IIS 6.0 to map client certificates to user accounts for authentication against Active Directory in Windows Server 2003? All of these infrastructure things are always a bit odd for me, coming from a developer background.

All the information on how to do this is out there, but it is usually shrouded in a ton of other information, making it difficult to find the three steps you actually need to make things just work. So, what are those steps?

1) Enable Active Directory name mapping for the certificates (the Name Mappings entry on the user account in Active Directory Users and Computers), and don't forget that the certificates you use must be suitable for client authentication, i.e. they must carry the Client Authentication enhanced key usage.

2) In IIS 6.0, enable the Windows directory service mapper. This is a setting on the Web Sites node (Directory Security tab), not on the individual site.

3) On the web virtual directory you want to use mapping for, enable certificates as an acceptable form of authentication on the Directory Security tab of its properties. If mapped certificates are going to be the only way you access the site, you can actually turn off all other forms of authentication. Under Secure communications, you need to accept client certificates and simply tick 'Enable client certificate mapping'; don't bother changing anything under the 'Edit...' button next to it. That dialog configures IIS's own one-to-one and many-to-one mappings, which are ignored once the directory service mapper is on.
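As an added, end-to-end example (not from the original post, which describes the IIS Manager and Active Directory Users and Computers dialogs), here are the same three steps as a PowerShell script against the IIS 6.0 metabase and Active Directory. It uses adsutil.vbs, which ships with IIS 6.0, for the metabase settings and ADSI for the user object, and it checks the certificate's enhanced key usage before mapping it. The certificate path, the user's DN, the site ID (1) and the virtual directory name ('secure') are assumptions; change them to match your environment.

```powershell
# Added example, not from the original post: the three steps as a script for
# Windows Server 2003 / IIS 6.0, run from PowerShell on the web server (which
# must be a domain member for DS mapping to work) as a domain administrator.
# Every path, user and site below is an assumption for the example.
$certPath = 'C:\certs\alice.cer'                          # assumed: the user's client certificate (public part)
$userPath = 'LDAP://CN=Alice,OU=Staff,DC=contoso,DC=com'  # assumed: the AD account to map it to
$vdir     = 'W3SVC/1/ROOT/secure'                         # assumed: metabase path of the virtual directory
$adsutil  = 'C:\Inetpub\AdminScripts\adsutil.vbs'         # default IIS 6.0 location

# --- Step 1: the certificate must be usable for client authentication ---
# The DS mapper only maps certificates that carry the Client Authentication EKU
# (OID 1.3.6.1.5.5.7.3.2), so check that first rather than after the 403.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$clientAuth = $ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
              Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }
if (-not $clientAuth) {
    throw "Certificate $($cert.Thumbprint) lacks the Client Authentication EKU; the DS mapper will not map it"
}

# The explicit mapping lives in the user's altSecurityIdentities attribute as
# X509:<I>issuer<S>subject. Each DN is written root-first with no spaces after
# the commas, which is the reverse of how $cert.Subject displays it; Decode(None)
# returns the DN in that encoded (root-first) order. This is the same value the
# Name Mappings dialog in AD Users and Computers writes for you.
$none    = [System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::None
$issuer  = $cert.IssuerName.Decode($none)  -replace ', ', ','
$subject = $cert.SubjectName.Decode($none) -replace ', ', ','
$mapping = "X509:<I>$issuer<S>$subject"

$user = [ADSI]$userPath
$user.PutEx(3, 'altSecurityIdentities', @($mapping))   # 3 = ADS_PROPERTY_APPEND: keep existing mappings
$user.SetInfo()

# --- Step 2: turn on the Windows directory service mapper ---
# SSLUseDSMapper is a service-level property (the 'Web Sites' node in IIS
# Manager). Once it is on, IIS ignores its own 1-to-1 / many-to-1 mappings
# and resolves the certificate through Active Directory instead.
& cscript //nologo $adsutil set W3SVC/SSLUseDSMapper true

# --- Step 3: the virtual directory ---
# AccessSSLFlags is a bit mask; these are the IIS 6.0 metabase values.
$AccessSSL              = 0x08    # Require secure channel (SSL)
$AccessSSLNegotiateCert = 0x20    # Accept client certificates
$AccessSSLRequireCert   = 0x40    # Require client certificates
$AccessSSLMapCert       = 0x80    # Enable client certificate mapping
$flags = $AccessSSL -bor $AccessSSLNegotiateCert -bor $AccessSSLMapCert
& cscript //nologo $adsutil set "$vdir/AccessSSLFlags" $flags

# Certificates as the only way in: AuthFlags 0 clears Anonymous, Basic and
# Integrated Windows authentication. With nothing else enabled, also OR in
# $AccessSSLRequireCert above, so a client that presents no certificate is
# refused at the SSL layer (403.7, client certificate required).
& cscript //nologo $adsutil set "$vdir/AuthFlags" 0

# --- Check what was written ---
& cscript //nologo $adsutil get W3SVC/SSLUseDSMapper
& cscript //nologo $adsutil get "$vdir/AccessSSLFlags"
([ADSI]$userPath).altSecurityIdentities
```

After running it, browse to the virtual directory over HTTPS with the mapped certificate installed in the user's store; the request should run as the mapped domain account with no credential prompt. If AD refuses the PutEx call with a constraint violation, the mapping value already exists on the account.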

 

This is pretty much all in this document, but it has far too many steps for something this small when all I wanted to do was some testing!

 

I've not mentioned some of the peripheral things you need to make this happen, like SSL on the site, auto-enrolment for certificates (if you want it), certificate trust lists, etc., but the above are the crucial nuggets to make sure it works.

 

It’s cool and it worked for me in the end ;-)

Comments


Morgan said:

When using client certificates you should read the following article FIX: ASP.NET Web application cannot deliver a client certificate to a secure Web site
http://support.microsoft.com/default.aspx?scid=kb;EN-US;817854
July 15, 2004 5:18 PM

MikeShaw said:

Thanks for pointing that out, Morgan. The fix is useful only when using ASP.NET as a client to a remote web server that requires certs for authentication. The fix you mention is also included in the Service Pack 1 Technology Preview http://msdn.microsoft.com/netframework/downloads/updates/sptechpreview/default.aspx
July 16, 2004 4:13 AM

Brett said:

As long as we are talking about certs via ASP.NET, I implemented the cert method (in http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/secnetht13.asp) and found it to be very slow. The Win32 method: UnloadUserProfile takes 30-60 seconds. Absolutely unacceptable for a web method (that could be called several hundred times a minute).

Instead, I used a service to start the COM+ component, using the credentials specified for the COM+ component. Then when the ASP.NET user called the serviced component method, it was running under the correct permissions already. There was no need to impersonate anyone from the serviced component and performance was acceptable.
July 21, 2004 2:14 PM

MikeShaw said:

Hey Brett, it sounds like you are using a 'Trusted Subsystem' rather than a fully integrated impersonation approach. One of the decision points in choosing between the two is scalability: impersonation will always be slower because a context/profile has to be loaded and unloaded for each different user rather than sharing a common context/profile. Very little in this world comes without a cost.
Mike
July 22, 2004 7:49 AM
