4.4 Configuring IIS client certificates
IIS has several different mechanisms available for specifying client SSL certificate requirements:
- Client Certificate Mapping Authentication – this maps client certificates to associated domain accounts. This guide does not discuss how to configure Client Certificate Mapping Authentication, except to highlight that it is a feature that is distinct from IIS Client Certificate Mapping Authentication. For the purposes of this guide, Client Certificate Mapping Authentication is expected to be disabled (its default state).
- IIS Client Certificate Mapping Authentication one-to-one mapping – configure a list of distinct client certificates that are allowed to authenticate, and map each of them to a Windows user account. A typical use case is to configure a client certificate that is allowed to connect to the MyIDEnroll web service and map it to the MyID Web Service user account; the certificate must map to the account used for the web service's application pool.
- IIS Client Certificate Mapping Authentication many-to-one mapping – configure rules so that any client certificate that meets them is mapped to the MyID Web Service user account. A typical use case is granting access to MyID to clients that have been issued client certificates by a specific CA and whose subject belongs to a particular OU.
IIS Client Certificate Mapping Authentication is an optional feature of IIS – you must ensure this feature is installed for it to be available. Verify this feature is enabled in Server Manager – in Add Roles and Features, on the Server Roles page, under Web Server (IIS) > Web Server > Security, select IIS Client Certificate Mapping Authentication.
Note: The user interface for configuring IIS Client Certificate Mapping Authentication has some quirks, which are important to understand in order to configure it correctly.
- The Configuration Editor is used to configure IIS Client Certificate Mapping Authentication. In IIS Manager the Configuration Editor is available at any level of the tree (server, website or virtual directory); however, the IIS Client Certificate Mapping Authentication feature works properly only when it is configured at the website level. This means that you can configure one-to-one or many-to-one mappings for the Default Web Site to determine which client certificates may authenticate, and then configure individual virtual directories to require client certificates, but it is a limitation of IIS that multiple virtual directories/applications within the same website cannot require different client certificates.
- If you have a requirement for different virtual directories to accept different client certificates, you must:
  - Create an additional website in IIS – this will be bound to a different port.
  - Configure IIS Client Certificate Mapping Authentication for the new website, determining which client certificates may connect.
  - Create a virtual directory/application in the new website to represent the feature, pointing at the same file location as the original version. Disable the other authentication mechanisms (to force authentication to go through IIS Client Certificate Mapping Authentication).
  - Disable or remove access to the original virtual directory/application that has been duplicated – you must not create a new locked-down copy while leaving open another route that bypasses the new IIS Client Certificate Mapping Authentication rules.
-
4.4.1 Configuring IIS Client Certificate Mapping Authentication one-to-one mapping
To configure one-to-one mapping for IIS Client Certificate Mapping Authentication:
- In Internet Information Services (IIS) Manager, select the Default Web Site.
  Alternatively, select the website you created as described in section 4.4, Configuring IIS client certificates.
- Select Configuration Editor.
- From the Section drop-down list, select the following:
  system.webServer > security > authentication > iisClientCertificateMappingAuthentication
- From the From drop-down list, select ApplicationHost.config.
  The following screen shows the default state, in which the feature is disabled (enabled is False).
- Set the following:
  - enabled – True
  - manyToOneCertificateMappingsEnabled – False
  - oneToOneCertificateMappingsEnabled – True
- Select the oneToOneMappings option and click the browse button.
- In the Collection Editor dialog, click Add.
- In the certificate box, enter the Base 64 certificate.
  Note: This must be processed so that it fits on a single line, without any whitespace and without the PEM header and footer lines; that is, the Base 64 encoding of the DER certificate as one continuous string.
  For more information, see:
  www.iis.net/learn/manage/configuring-security/configuring-one-to-one-client-certificate-mappings
- Set enabled to True.
- In the userName box, type the MyID Web Service user account name, and type the account password in the password box.
  This is the Windows user account to which the certificate will be mapped.
  Note: If you change the password on the MyID Web Service user account, you must update the password on this screen; the MyID Password Change Tool does not affect the configuration of client certificates.
- Close the dialog.
  The oneToOneMappings entry will now be updated to show how many certificates are mapped.
- Click Apply to save the changes.
- In the tree, select the virtual directory that is to use this rule for client certificate authentication, and select SSL Settings.
- Select the Require SSL option, then in the Client certificates list select the Require option and click Apply.
- In the tree, select the virtual directory, and select Authentication.
  - For websites or ASP.NET web services, disable all authentication mechanisms.
  - For WCF web services, you must have Anonymous Authentication enabled; without it, IIS Client Certificate Mapping Authentication will not work.
- To confirm that the web service is configured correctly, test that it is inaccessible except when the configured client certificate is used to authenticate.
  If testing with a browser, connect using a private browsing window, since this ensures that a new session is authenticated; otherwise an authentication made before IIS was reconfigured may still be granting access.
Since client certificates expire, ensure there is a plan in place for renewing or replacing them before they expire, to ensure continuity of service.
For WCF web services, review the web.config settings for the web service; see section 5, Additional configuration for WCF web services.
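The same one-to-one configuration can be applied from an elevated PowerShell prompt on the IIS server using the WebAdministration module, which is useful for repeatable builds and for producing the single-line Base 64 value that the certificate box expects. The script below is an added example and is not part of the MyID guide or product; the site name, virtual directory, certificate path, account name and test URL are placeholders for illustration, as are the step numbers, which follow the procedure above.

```powershell
# Added example, not part of the MyID guide: the one-to-one mapping procedure above
# performed with the WebAdministration cmdlets instead of the Configuration Editor.
# Placeholders (adjust): site 'Default Web Site', virtual directory 'MyIDEnroll',
# certificate file C:\certs\myid-client.cer, mapped account DOMAIN\MyIDWebService,
# test URL https://myid.example.com/MyIDEnroll/.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName = 'Default Web Site'
$VDirName = 'MyIDEnroll'
$CerPath  = 'C:\certs\myid-client.cer'
$UserName = 'DOMAIN\MyIDWebService'
$IsWcf    = $false        # WCF services must keep Anonymous Authentication enabled
$AppHost  = 'MACHINE/WEBROOT/APPHOST'
$Section  = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$VDir     = "$SiteName/$VDirName"

# The optional IIS feature must be installed (Server Manager: Web Server > Security >
# IIS Client Certificate Mapping Authentication; Windows feature name Web-Cert-Auth).
if (-not (Get-WindowsFeature Web-Cert-Auth).Installed) { Install-WindowsFeature Web-Cert-Auth | Out-Null }

# Ask for the mapped account's password instead of embedding it in the script.
$Password = (Get-Credential -UserName $UserName -Message 'Password of the mapped account').GetNetworkCredential().Password

# 1. Produce the value the 'certificate' attribute expects: the DER bytes as a single
#    line of Base64, with no PEM header/footer and no line breaks. X509Certificate2
#    accepts both DER and PEM encoded .cer files, so no manual stripping is needed.
$ClientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
$Base64 = [Convert]::ToBase64String($ClientCert.RawData)

# 2. Enable the feature at the website level, written to applicationHost.config
#    (equivalent to Configuration Editor with From = ApplicationHost.config).
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Section -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Section -Name 'manyToOneCertificateMappingsEnabled' -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Section -Name 'oneToOneCertificateMappingsEnabled' -Value $true

# 3. Map this exact certificate to the Windows account. IIS stores the password
#    attribute encrypted in applicationHost.config; it must be updated by hand if the
#    account password changes (the MyID Password Change Tool does not touch it).
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$Section/oneToOneMappings" -Name '.' -Value @{
    enabled     = $true
    userName    = $UserName
    password    = $Password
    certificate = $Base64
}

# 4. SSL Settings on the virtual directory: Require SSL, Client certificates = Require.
Set-WebConfigurationProperty -PSPath $AppHost -Location $VDir -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 5. Authentication on the virtual directory: everything off, so the only way in is
#    the certificate mapping. WCF services are the exception and keep Anonymous on.
foreach ($auth in 'windowsAuthentication', 'basicAuthentication') {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $VDir -Filter "system.webServer/security/authentication/$auth" -Name 'enabled' -Value $false
}
Set-WebConfigurationProperty -PSPath $AppHost -Location $VDir -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value $IsWcf

# 6. Read back the mapping (thumbprint shown instead of the long Base64 blob).
Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$Section/oneToOneMappings" -Name 'Collection' |
    ForEach-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($_.certificate))
        '{0}  {1}  enabled={2}' -f $c.Thumbprint, $_.userName, $_.enabled
    }

# 7. Verify from a client that holds the private key (certificate in Cert:\CurrentUser\My).
#    Without a certificate IIS must refuse (HTTP 403, substatus 7); with it, expect 200.
$Url = "https://myid.example.com/$VDirName/"
try   { Invoke-WebRequest -Uri $Url -UseBasicParsing | Out-Null; Write-Warning "$Url is reachable WITHOUT a client certificate" }
catch { 'Without certificate: HTTP {0}' -f [int]$_.Exception.Response.StatusCode }
$WithKey = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $ClientCert.Thumbprint -and $_.HasPrivateKey }
'With certificate: HTTP {0}' -f (Invoke-WebRequest -Uri $Url -Certificate $WithKey -UseBasicParsing).StatusCode
```

Step 7 is the check the procedure asks for: a request without a certificate must be refused, and a request presenting the mapped certificate must succeed. Run it from a fresh process or script rather than a browser tab that was open before the change, for the same reason the procedure recommends a private browsing window.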
4.4.2 Configuring IIS Client Certificate Mapping Authentication many-to-one mapping
This is identical to configuring one-to-one mapping, as described in section 4.4.1, Configuring IIS Client Certificate Mapping Authentication one-to-one mapping, except for the following:
- Set oneToOneCertificateMappingsEnabled to False.
- Set manyToOneCertificateMappingsEnabled to True.
- Configure manyToOneMappings instead of oneToOneMappings – typically a rule will be configured to map the issuer DN (optionally combined with subject fields such as the OU) to a Windows user account.
Further information on configuring manyToOneMappings rules is available on the Microsoft website in Knowledge Base article 2026113, Configuring Many-to-One Client Certificate Mappings for Internet Information Services (IIS) 7.0 and 7.5.
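As an added example (not part of the MyID guide or product), the following script creates a many-to-one mapping with the WebAdministration cmdlets, covering the use case described in section 4.4: certificates issued by a specific CA whose subject is in a particular OU are mapped to the MyID Web Service account. The CA name, OU, site and account are placeholders. The rules inside one mapping are combined with AND, so a certificate must satisfy every rule to be mapped. The virtual directory SSL and authentication settings are the same as for one-to-one mapping and are not repeated here.

```powershell
# Added example, not part of the MyID guide: a many-to-one mapping configured with the
# WebAdministration cmdlets. Placeholders (adjust): site 'Default Web Site', issuing CA
# common name 'Contoso Issuing CA 1', permitted subject OU 'MyID Clients', mapped
# account DOMAIN\MyIDWebService.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName  = 'Default Web Site'
$MapName   = 'MyID client certificates'
$UserName  = 'DOMAIN\MyIDWebService'
$IssuerCN  = 'Contoso Issuing CA 1'
$SubjectOU = 'MyID Clients'
$AppHost   = 'MACHINE/WEBROOT/APPHOST'
$Section   = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$Password  = (Get-Credential -UserName $UserName -Message 'Password of the mapped account').GetNetworkCredential().Password

# Feature on, many-to-one on, one-to-one off, all at the website level in applicationHost.config.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Section -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Section -Name 'oneToOneCertificateMappingsEnabled' -Value $false
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Section -Name 'manyToOneCertificateMappingsEnabled' -Value $true

# Make the script re-runnable: drop an existing mapping of the same name first.
Remove-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$Section/manyToOneMappings" -Name '.' -AtElement @{ name = $MapName } -ErrorAction SilentlyContinue

# The mapping: a certificate that satisfies every rule below is mapped to $UserName.
# permissionMode 'Deny' would instead reject matching certificates.
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$Section/manyToOneMappings" -Name '.' -Value @{
    name           = $MapName
    enabled        = $true
    permissionMode = 'Allow'
    userName       = $UserName
    password       = $Password
}

$Rules = "$Section/manyToOneMappings/add[@name='$MapName']/rules"
# Rule 1: issued by our CA (Issuer DN, CN component). This is a string comparison on the
# issuer name; it is only meaningful because IIS has already validated the certificate
# chain to a root in the server's Trusted Root Certification Authorities store.
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Rules -Name '.' -Value @{
    certificateField = 'Issuer'; certificateSubField = 'CN'; matchCriteria = $IssuerCN; compareCaseSensitive = $true
}
# Rule 2: the subject must sit in the permitted OU.
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Rules -Name '.' -Value @{
    certificateField = 'Subject'; certificateSubField = 'OU'; matchCriteria = $SubjectOU; compareCaseSensitive = $true
}

# Read back the rule set as written.
Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Rules -Name 'Collection' |
    Format-Table certificateField, certificateSubField, matchCriteria, compareCaseSensitive -AutoSize
```

Because the issuer rule only compares names, the set of CAs that can mint a certificate with a matching issuer CN is bounded by what the server trusts: keep the server's Trusted Root store limited to the CAs that are meant to issue MyID client certificates, and test with a certificate from a different CA to confirm it is refused as well as with one that matches.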