How to configure client certificate authentication in IIS
I have the following suggestion, based on using IIS Client Certificate Mapping to map many certificates to a single Windows account:
1. Enable SSL.
2. Require SSL certificates.
3. Enable Windows Authentication and disable all other forms of authentication.
4. Create a local Windows user with limited privileges (user belongs to the Guests group).
5. Enable IIS Client Certificate Mapping. This has to be done through the command line or through the Configuration Editor in IIS Manager.
   IIS Client Certificate Mapping Authentication (Microsoft Docs)
6. Add mapping entries so that your desired certificates are mapped to the Windows account that you created in step 4.
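
The six steps above as a PowerShell script using the WebAdministration module; this is an added example, not part of the original answer. The site name, account name, mapping name and issuer CN are assumptions, and it assumes the site already has an HTTPS binding with a server certificate and that the Windows Authentication and IIS Client Certificate Mapping Authentication role services are installed.

```powershell
# Added example, not the answerer's code. Run elevated on the IIS server.
# Assumed names: site, account, mapping name and the constructed issuer CN.
Import-Module WebAdministration

$at   = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = 'Default Web Site' }
$auth = 'system.webServer/security/authentication'
$map  = "$auth/iisClientCertificateMappingAuthentication"

# Steps 1-2: require TLS and a client certificate (HTTPS binding assumed present).
Set-WebConfigurationProperty @at -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 3: Windows Authentication on, the other schemes off.
foreach ($scheme in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication') {
    Set-WebConfigurationProperty @at -Filter "$auth/$scheme" -Name enabled -Value $false
}
Set-WebConfigurationProperty @at -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# Step 4: low-privilege local account; the password is prompted for, not hard-coded.
$cred = (Get-Credential 'certmapped').GetNetworkCredential()
net user $cred.UserName $cred.Password /add | Out-Null
net localgroup Guests $cred.UserName /add | Out-Null

# Step 5: turn on IIS Client Certificate Mapping with many-to-one mappings.
Set-WebConfigurationProperty @at -Filter $map -Name enabled -Value $true
Set-WebConfigurationProperty @at -Filter $map -Name manyToOneCertificateMappingsEnabled -Value $true

# Step 6: one mapping entry for the account, plus the rule that selects certificates.
Add-WebConfigurationProperty @at -Filter "$map/manyToOneMappings" -Name '.' -Value @{
    name = 'TrustedClients'; enabled = $true; permissionMode = 'Allow'
    userName = $cred.UserName; password = $cred.Password
}
Add-WebConfigurationProperty @at `
    -Filter "$map/manyToOneMappings/add[@name='TrustedClients']/rules" -Name '.' -Value @{
    certificateField = 'Issuer'; certificateSubField = 'CN'
    matchCriteria = 'Example Client CA'; compareCaseSensitive = $true
}

# Read back the access flags to confirm the site now demands a client certificate.
Get-WebConfigurationProperty @at -Filter 'system.webServer/security/access' -Name sslFlags
```

An Issuer rule like this one accepts every certificate that CA has issued, so choose the matchCriteria as narrowly as the deployment allows.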
user76678
Updated on September 18, 2022
-
user76678 over 1 year
For me it is trivial to configure Tomcat for client authentication. But trying to do it on an IIS 7 server (running on Win2008R2 Server) seems impossible.
In Tomcat all I have to do is configure the container with my truststore. How is this done in IIS?
All I can find is the option in SSL settings to request client authentication, but I cannot see how I can install the certificates my server will trust. What I want to do is configure IIS to trust specific (client) certificates (not created by the domain controller though, i.e. be of any user).
How can I do this?
UPDATE
I followed the links, but could not get it to work. Is there somewhere I can post where IIS gurus could help?
-
user76678 about 13 years
I tried all the directions in your link. I created a server certificate and a client certificate from the same root CA. I installed the root CA in the system (I could see it in Explorer). I did the mapping. As user name and password I used the user name and password of the administrator in the domain, just to see if it would work. The request client certificate option was enabled in the SSL settings. But I could not access the server. I got rejected. It seems that the certificate sent by the browser was rejected. But I have configured the browser to send the certificate from the trusted root CA. How does it work in IIS?