Client Certificate Mapping
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 with SP1
You can authenticate users who log on with a client certificate by creating mappings, which relate the certificate information to a Windows user account. After you create and enable a certificate mapping, each time a user logs on with a client certificate, your Web server automatically associates that user with the appropriate Windows user account. This way, you can automatically authenticate users who log on with client certificates, without requiring the use of other supported authentication methods such as Basic, Digest, or Integrated Windows authentication. There are three ways to map client certificates: Directory Service (DS) mapping, one-to-one mapping, and many-to-one mapping.
Directory Service Mapping
Directory Service (DS) certificate mapping uses native Windows Active Directory features to authenticate users with client certificates. There are advantages and disadvantages to using DS mapping. For example, an advantage is that the client certificate information is shared across many servers. A disadvantage, however, is that wildcard matching is not as advanced as it is in the IIS mapper.
You can enable DS mapping only at the Master properties level, and only if you are a member of a Windows domain. Activating DS mapping will exclude the use of one-to-one and many-to-one mapping for the entire World Wide Web Publishing Service (WWW service).
One-to-one mapping maps individual client certificates to accounts. The server compares the copy of the client certificate it holds with the client certificate that is sent by the browser. The two must be absolutely identical for the mapping to proceed. If a client gets another certificate containing all of the same user information, it must be mapped again.
Many-to-one mapping uses wildcard matching rules that verify whether a client certificate contains specific information, such as issuer or subject. This mapping does not compare the actual client certificate, but rather accepts all client certificates that fulfill the specific criteria. If a client gets another certificate containing all of the same user information, the existing mapping will work.