Mapping Strategies

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Client certificate mapping is very flexible because any of the three mapping methods can be used to map client certificates to user accounts. You can map a client certificate to any number of user accounts. Likewise, you can map any number of client certificates to a single user account.

Certificate mapping can be used in several situations, including the following:

  • Large Networks. Networks with a large number of client certificates can use many-to-one or Directory Service (DS) mapping. You can create one or more matching rules to map certificates to one or more Windows user accounts.

  • Small Networks. Networks with very few users can use one-to-one mapping to provide greater control of certificate usage and revocation, or use many-to-one mapping to facilitate easier administration.

  • Additional Security. For resources that have few users and that require additional security, you can use one-to-one mapping. In this way, you can be sure that only selected certificates are used. This allows more stringent certificate revocation policies to be enforced.

  • Internet. Internet sites that use certificate authentication can use many-to-one mapping by accepting a wide range of certificates and mapping them all to an account with rights that are similar to the IUSR_ComputerName account.

  • By certification authority. To map all users who log on with a client certificate that was issued by a particular organization, you can use many-to-one mapping. Then you can define a matching rule that automatically maps any certificate issued by that organization to a user account.
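
The strategies in the list above can be made concrete with a small model of the two mapping methods they rely on. The following is an added example written for this page, not IIS code or a Microsoft sample: one-to-one mapping binds an exact certificate (by hash) to one account, while many-to-one mapping evaluates matching rules on certificate fields such as the issuer's organization. The certificates, CA names, account names, and the first-match rule ordering are all constructed assumptions for the illustration.

```python
"""Added example (not IIS code): a small model of the certificate-to-account
mapping strategies described above.

One-to-one mapping binds an exact certificate to exactly one account.
Many-to-one mapping evaluates matching rules on certificate fields, such as
the issuer's organization, and sends every matching certificate to one
account. All certificate data below is constructed for this example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Certificate:
    """Parsed fields of a client certificate (constructed sample data)."""
    subject: Dict[str, str]   # e.g. {"CN": "alice", "O": "Contoso"}
    issuer: Dict[str, str]    # e.g. {"CN": "Contoso CA", "O": "Contoso"}
    serial: str

    def fingerprint(self) -> str:
        # Stand-in for the certificate hash a one-to-one mapping keys on.
        # A real implementation hashes the DER-encoded certificate; here the
        # issuer plus serial number is enough to identify it uniquely.
        canonical = repr(sorted(self.issuer.items())) + "|" + self.serial
        return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class MatchRule:
    """Many-to-one rule: every listed issuer and subject field must match."""
    account: str
    issuer: Dict[str, str] = field(default_factory=dict)
    subject: Dict[str, str] = field(default_factory=dict)

    def matches(self, cert: Certificate) -> bool:
        issuer_ok = all(cert.issuer.get(k) == v for k, v in self.issuer.items())
        subject_ok = all(cert.subject.get(k) == v for k, v in self.subject.items())
        return issuer_ok and subject_ok


class CertificateMapper:
    def __init__(self) -> None:
        self.one_to_one: Dict[str, str] = {}   # fingerprint -> account
        self.rules: List[MatchRule] = []        # evaluated in order
        self.revoked: Set[str] = set()          # fingerprints no longer accepted

    def map_one_to_one(self, cert: Certificate, account: str) -> None:
        self.one_to_one[cert.fingerprint()] = account

    def add_rule(self, rule: MatchRule) -> None:
        self.rules.append(rule)

    def revoke(self, cert: Certificate) -> None:
        # One-to-one mappings make per-certificate revocation straightforward:
        # the binding is to this exact certificate, so it can be withdrawn alone.
        self.revoked.add(cert.fingerprint())

    def resolve(self, cert: Certificate) -> Optional[str]:
        """Return the account this certificate maps to, or None."""
        fp = cert.fingerprint()
        if fp in self.revoked:
            return None
        # The exact binding is the most specific, so it is checked first.
        if fp in self.one_to_one:
            return self.one_to_one[fp]
        # Many-to-one: first matching rule wins (ordering is this model's choice).
        for rule in self.rules:
            if rule.matches(cert):
                return rule.account
        return None


def build_demo_mapper() -> CertificateMapper:
    """Set up the strategies from the text on a constructed certificate set."""
    mapper = CertificateMapper()
    # "By certification authority": anything issued by Contoso's CA -> one account.
    mapper.add_rule(MatchRule(account="CONTOSO\\CertUsers", issuer={"O": "Contoso"}))
    # "Internet": a broad rule sending partner certificates to a low-privilege
    # account, in the spirit of IUSR_ComputerName (account name is constructed).
    mapper.add_rule(MatchRule(account="WEB01\\IUSR_WEB01", issuer={"O": "Fabrikam"}))
    return mapper


CONTOSO_CA = {"CN": "Contoso Issuing CA", "O": "Contoso"}
FABRIKAM_CA = {"CN": "Fabrikam CA", "O": "Fabrikam"}
ALICE = Certificate({"CN": "alice", "O": "Contoso"}, CONTOSO_CA, "1001")
BOB = Certificate({"CN": "bob", "O": "Contoso"}, CONTOSO_CA, "1002")
CAROL = Certificate({"CN": "carol", "O": "Fabrikam"}, FABRIKAM_CA, "77")
DAVE = Certificate({"CN": "dave", "O": "Unknown"}, {"CN": "Some CA", "O": "Unknown"}, "5")


def demo() -> Dict[str, Optional[str]]:
    mapper = build_demo_mapper()
    # "Additional Security": alice's exact certificate gets its own account,
    # which takes precedence over the Contoso-wide many-to-one rule.
    mapper.map_one_to_one(ALICE, "CONTOSO\\alice")
    results = {c.subject["CN"]: mapper.resolve(c) for c in (ALICE, BOB, CAROL, DAVE)}
    mapper.revoke(ALICE)
    results["alice_after_revoke"] = mapper.resolve(ALICE)
    return results


if __name__ == "__main__":
    for name, account in demo().items():
        print(f"{name:20s} -> {account}")
```

The model makes the trade-off in the list visible: a many-to-one rule keyed only on the issuer admits every certificate that CA ever issues, so the CA's issuance policy becomes the access-control boundary for that account, whereas the one-to-one binding for alice can be revoked on its own without touching anyone else's access.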

If you are using mapping to integrate your Web sites into a Windows domain, the Windows Directory Service mapper will best suit your purpose. For more information, see "Mapping certificates to user accounts" in Help and Support Center for Windows Server 2003.