I’d like to use IIS 8.5 built into Server 2012 R2 to perform client authentication and authorization, and am having difficulty finding a way to accomplish it.
I have a website configured with a server certificate, and the SSL settings require SSL and require a client certificate. I want to be able to specify which certificates are accepted. I can restrict the set of valid certificates to those that have been issued by a specific CA, but we need more granularity. Specifically, I want to be able to restrict specific web pages and web actions (e.g. POST) to users who supply a certificate with specific content in the Common Name of its Subject DN.
I’ve used the IIS Configuration Editor for this web instance to enable:
clientCertificateMappingAuthentication,
iisClientCertificateMappingAuthentication, and
manyToOneMappings.
I want users whose CN starts with “no” and ends with “ocp” to be permitted to access a webpage, and any other certificate presented to be denied access. So these CNs should be permitted to access the website content:
cn-nob-12345-rocp
cn-nod-67890-wocp
cn-nop-33333-qocp
and these should not be permitted to access that content:
cn-xwy-12345-rocx
cn-xod-67890-wocp
cn-nop-33333-qocx
Here’s a snippet from the applicationHost.config file in C:\Windows\System32\inetsrv\config:

    <location path="tpkir-web">
        <system.webServer>
            <security>
                <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
                <authentication>
                    <clientCertificateMappingAuthentication enabled="true" />
                    <iisClientCertificateMappingAuthentication enabled="true">
                        <manyToOneMappings>
                            <add name="process writers" description="process writers" password="[enc:AesProvider:Kt7hIIEme01kp/BrWurfbfPV8rJgQAR369nL0uB/b6Q=:enc]">
                                <rules>
                                    <add certificateField="Subject" certificateSubField="CN" matchCriteria="NO*OCP" compareCaseSensitive="false" />
                                </rules>
                            </add>
                        </manyToOneMappings>
                    </iisClientCertificateMappingAuthentication>
                </authentication>
            </security>
        </system.webServer>
    </location>
    <location path="tpkir-write">
        <system.webServer>
            <security>
                <authentication>
                    <clientCertificateMappingAuthentication enabled="true" />
                    <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="false">
                        <manyToOneMappings>
                            <add name="subset of issued certs" description="only some certs" userName="webwriter" password="[enc:AesProvider:mBwjbYWUdmjml2tFtyuQi93XLlU82iis6TqKT68CXWQf1fvZ3uSNbTk8Zpu9mV84:enc]">
                                <rules>
                                    <add certificateField="Subject" certificateSubField="CN" matchCriteria="no*ocp" compareCaseSensitive="false" />
                                </rules>
                            </add>
                        </manyToOneMappings>
                    </iisClientCertificateMappingAuthentication>
                </authentication>
            </security>
        </system.webServer>
    </location>
The two problems I’m having with this are: (1) all trusted certificates are being accepted and given access to the web page, and the log file shows that a client cert that matches the criteria does not map to the webwriter account (I configured the log to report the IIS server variable for the client certificate Subject DN); (2) the log file shows the correct Subject DN, but it does not show it being mapped to the “webwriter” account, as I expected.
Please let me know what I am doing wrong, and how to accomplish my goal.
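An added example, not part of the question, that parses the posted configuration and reports, per location, which client-certificate CNs each many-to-one rule would map and to which account, together with the configuration points a reviewer would check first (a mapping with no userName, both Active Directory and IIS certificate mapping enabled, a location without SslRequireCert). It assumes that `*` in matchCriteria matches any run of characters and that the criteria are compared against the whole CN, and that AD and IIS certificate mapping are mutually exclusive as the IIS documentation states; the sample config is constructed from the post with placeholder passwords.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the post's two <location> blocks; passwords are placeholders.
SAMPLE = """<configuration>
<location path="tpkir-web"><system.webServer><security><access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
 <authentication>
  <clientCertificateMappingAuthentication enabled="true" />
  <iisClientCertificateMappingAuthentication enabled="true"><manyToOneMappings>
   <add name="process writers" description="process writers" password="[enc:PLACEHOLDER:enc]">
    <rules><add certificateField="Subject" certificateSubField="CN" matchCriteria="NO*OCP" compareCaseSensitive="false" /></rules>
   </add></manyToOneMappings></iisClientCertificateMappingAuthentication>
 </authentication></security></system.webServer></location>
<location path="tpkir-write"><system.webServer><security><authentication>
  <clientCertificateMappingAuthentication enabled="true" />
  <iisClientCertificateMappingAuthentication enabled="true"><manyToOneMappings>
   <add name="subset of issued certs" userName="webwriter" password="[enc:PLACEHOLDER:enc]">
    <rules><add certificateField="Subject" certificateSubField="CN" matchCriteria="no*ocp" compareCaseSensitive="false" /></rules>
   </add></manyToOneMappings></iisClientCertificateMappingAuthentication>
 </authentication></security></system.webServer></location>
</configuration>"""

def rule_matches(rule, cn):
    # Assumption: '*' matches any run of characters, whole-CN comparison, honouring compareCaseSensitive.
    pattern = "^" + ".*".join(re.escape(p) for p in rule.get("matchCriteria", "").split("*")) + "$"
    flags = 0 if rule.get("compareCaseSensitive", "true") == "true" else re.IGNORECASE
    return rule.get("certificateSubField") == "CN" and re.match(pattern, cn, flags) is not None

def audit(config_xml, cns):
    """Per <location>: reviewer warnings and {cn: mapped userName, '(no userName)', or None}."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        sec = loc.find("system.webServer/security")
        warnings, mapped = [], {cn: None for cn in cns}
        ad = sec.find("authentication/clientCertificateMappingAuthentication")
        iis = sec.find("authentication/iisClientCertificateMappingAuthentication")
        if ad is not None and ad.get("enabled") == "true" and iis is not None and iis.get("enabled") == "true":
            warnings.append("AD and IIS certificate mapping both enabled (IIS documents them as mutually exclusive)")
        access = sec.find("access")
        if access is None or "SslRequireCert" not in access.get("sslFlags", ""):
            warnings.append("SslRequireCert not set in this location (unless inherited from a parent)")
        for m in iis.findall("manyToOneMappings/add") if iis is not None else []:
            if not m.get("userName"):
                warnings.append(f"mapping '{m.get('name')}' has no userName, so a match has no account to map to")
            for cn in cns:  # first matching mapping wins; record the account it maps to
                if mapped[cn] is None and any(rule_matches(r, cn) for r in m.findall("rules/add")):
                    mapped[cn] = m.get("userName") or "(no userName)"
        report[loc.get("path")] = {"warnings": warnings, "mapped": mapped}
    return report
```

Run `audit(SAMPLE, [...])` with the CNs exactly as they appear in the certificates; under the whole-CN assumption a value such as `cn-nob-12345-rocp` does not match `no*ocp` because it does not start with `no`.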