How to setup IIS and AD for Client certificate authentication

Hi All,

This post talks about how Client certificates are configured on websites. I have seen a lot of incidents where people get into issues with client certificate in particular, although server (website) certificates can give a scare at times.

Here I will be walking you through the steps of configuring client certificates in your Windows 2003 environment (although there is not much of a difference in Windows 2000).

Environment

Windows 2003 (Web server) IIS6.0

Windows 2000/XP/2003 (Client)

Windows 2003 (Microsoft Certificate server)

Walkthrough

1. To enable SSL transaction between the server and the client, you need to have a server certificate installed on IIS website. Websites can get the server certificate from a trusted root Certificate Authority (CA). We will be focusing on the steps for acquiring client certificates and setting them in IIS for user authentication.

2. Here I will show the screenshot of the steps that one needs to follow with brief explanation of the steps.

Client Workstation: WIN2kIIS-VPC

CA server: WIN2K3DC

IIA Web Server: WIN2K3OWA

DC: WIN2K3DC

Domain: Anjenya.local

Requesting a client certificate from a Trusted root Certificate Authority (CA):

Access the CA Website from your client machine as http://Win2k3dc/certsrv

image

 

There are two ways of obtaining client certificate.

Click on the link: Request a Certificate.

image

 

Click on “Select a certificate type: User certificate”.

You can also obtain the certificate by clicking on “advanced certificate request” to add more specific details about the client certificate.

image

Click on More Options >>

image

Go ahead and hit Submit >

image

Click on “Yes”

image

Go ahead and click on the link to install the certificate. You might get the certificate directly as above or through email etc when in case of a 3rd party after verification.

image

Click on “Yes”

image

Now the User certificate is successfully installed on your client machine.

You can check the certificate in two ways:

1. Goto IE->Tools->Internet Options->Content->Certificates.

You should see the certificate there under Personal store, which was installed on your client machine.

image

1. Or else you can open the Certificate snap-in through Start->Run->Mmc->Console->Add/Remove Snap-in->Add… -> Certificates.

image

Go ahead and add the certificates snap-in.

image

Double click on the certificate and you should see the details about it:

image

Enhanced Key usage will show you the purpose of this certificate.

image

The above picture shows that this certificate is meant for Client Authentication.

image

So here we finish the process of acquiring the client certificate.

Now the next step is to map the client certificate in IIS manager, depending upon one’s requirements. It can be one of the following:

 

  • Option to accept the client certificate from the user by the IIS website (with no mapping enabled).
  • Option to have 1-to-1 mapping for client certificate.
  • Option to have Many-to-one mapping for client certificate.
  • Option to have Active Directory Mapping for client certificate.

1-to-1 and Many-to-1 mapping are simple to setup.

Here I will walk you through the process of setting up the above configuration for 1-to-1 mapping and Active directory mapping.

Let’s say that you have a website in IIS for which you want to enable client certificate.

You need to go to IIS Manager->Default Website-> right click and go to Properties->Directory Security-> Under Secure Communications section , click on Edit.

image

image

Here in the picture above, you have three options for Client Certificates:

  • Ignore client certificates: IIS will ignore client certificate when a request reaches IIS website, even though web request has the certificate in it.
  • Accept Client certificates: IIS website will accept any client certificate from the user, if it is along with the web request.
  • Require Client certificates: IIS website will check for client certificate along with web request. If no client certificate is in the web request, users shall see 403.7 – Client certificate required, as the error message in the web page response.

Now in the next section in the same picture above, if you want your website to be configured such that a client certificate is mapped to a user account, you can check on “Enable client certificate mapping”. What it means is that request will be executed in the context of an account.

image

Now, when you enable 1-to -1 Mapping, an individual client certificate will be mapped to a specific Windows account. So in case you don’t want any of the IIS authentication methods to be used, like Anonymous, Basic, Digest or Windows Integrated authentication, you can rely upon client certificate authentication based on 1-to -1 or Many-to-1 mappings.

We will first go ahead with 1-to-1 mapping:

Click on “Add… ” in the Account Mappings window shown above.

Now before you map a client certificate with a windows account, you need to have the corresponding client certificate on the server.

Export the client certificate from the CA or the client machine (where you have the certificate installed) as follows:

1) From Client machine: Open Certificate snap-in as earlier and go to Certificates – Current User -> Personal -> Certificates.

image

Double click on the selected certificate and Click on Details and go to “Copy to File… ”.

Follow the Export wizard.

image

image

You can either Export the private key or not export it. You should know the meaning of exporting the private key.

image

Go ahead and save the client certificate somewhere on your workstation (client).

image

2) From CA:

Go to the Certificate Authority Snap-in and check the following location:

image

image

Double click to display the certificate. Click on “Copy to File... ” and follow the Certificate Export Wizard, and save the file to the server as shown below:

image

Now copy the saved certificate from any of the above location to the IIS server, where we need to map it a windows account.

Back to IIS manager console for certificate mapping:

image

Now map a specific windows account with this certificate as shown below:

image

image

Once the 1 to 1 mapping is set in place go ahead and try browsing the site.

Here I have used an ASP script to render the server variables pertaining to the web request.

This script will display the logged on user name and the authentication type used along with some other information.

Also when you want to use Client certificate authentication you can clear all other authentication options in the IIS manager Directory Security setting as show below:

image

Here you won’t get 401.2 server configuration error because we are using some sort of authentication mechanism (client certificate mapping) to authenticate the user. Had we been not using client certificate mapping we would have got 401.2 if we try to access the site with no authentication method selected in IIS manager.

Had there not been Client cert mapping and we had tried to browse to the web page with all the options cleared as shown above, you would have got error 401.2.

Here is the sample logoninfo.asp page which displays server variables. Try accessing this page.

<%

response.write ("LOGON_USER: ")

response.write (request.servervariables("LOGON_USER"))

response.write ("<BR>")

response.write ("AUTH_USER: ")

response.write (request.servervariables("AUTH_USER"))

response.write ("<BR>")

response.write ("AUTH_TYPE: ")

response.write (request.servervariables("AUTH_TYPE"))

response.write ("<BR>")

response.write ("CERT_COOKIE: ")

response.write (request.servervariables("CERT_COOKIE"))

response.write ("<BR>")

response.write ("CERT_ISSUER: ")

response.write (request.servervariables("CERT_ISSUER"))

response.write ("<BR>")

response.write ("CERT_KEYSIZE: ")

response.write (request.servervariables("CERT_KEYSIZE"))

response.write ("<BR>")

response.write ("CERT_SERIALNUMBER: ")

response.write (request.servervariables("CERT_SERIALNUMBER"))

response.write ("<BR>")

response.write ("CERT_SERVER_ISSUER: ")

response.write (request.servervariables("CERT_SERVER_ISSUER"))

response.write ("<BR>")

response.write ("CERT_SERVER_SUBJECT: ")

response.write (request.servervariables("CERT_SERVER_SUBJECT"))

response.write ("<BR>")

response.write ("CERT_SUBJECT: ")

response.write (request.servervariables("CERT_SUBJECT"))

%>

Now in our example we try accessing the above script and we get the following response:

image

In the above step, if you disable Client cert and enable windows integrated authentication only, you should see something similar to the one shown below:

Check the Authentication type.

image

Similarly you can try Many-to-1 mapping, please read MSDN/KB articles that talk about how to set it up…it’s very similar to 1 to 1 mapping.

I would like to discuss Active Directory Mapping in particular here:

We need to have Client certificate enabled, we can remove 1-to-1 and many-to-1 mapping from IIS Manager since we need to enable AD mapping.

In AD mapping we need to follow the following steps:

Go to the IIS Manager, right click on root level WEBSITES->Properties->Directory Security.

Select “Enable the windows directory service mapper”.

image

Now go to Active directory, open Active directory users and computers, go to Users, and then select the user for which you want to map the certificate.

Right click on the user name, go to Name Mappings. Add the client certificate. Now we have a mapping for that certificate to a user account in the AD.

Go to the client machine and logon with the user credentials , and then try accessing the site now, and now you should be able to access the page and you should see the Logon name in the webpage, here the logon name will correspond to the same user with which we have associated the client certificate in the AD.

Now you should see something like this:

image

Remember this:

Here is an excerpt from a TechNet article:

In Active Directory mapping, when the IIS server receives a certificate from the user, it passes it on to Active Directory, which maps it to a Windows 2000/2003 user account. The IIS server then logs this account on.

Active directory mapping is most useful when the account mappings are the same on all IIS servers. Administration is simplified because the mapping is done in only one place.

Mapping in Active Directory can happen in one of two ways. The administrator can explicitly map a certificate to a user's account. This certificate can come from any source--as long as the root CA for that certificate is trusted for client authentication.

UPN mapping can also be used. A UPN is automatically put into a certificate issued by an enterprise CA. If a certificate is passed to Active Directory for mapping, it is first examined for UPN mapping. If UPN mapping is not possible, the mapping set by the administrator is used.

UPNs are in the form of userid@domain. If the certificate contains a UPN, the domain is within the hierarchy of the directory, and the CA that issued the certificate is trusted to put UPNs in the certificate, then the user's account is retrieved from the directory and logged on. All these conditions must be true before the user's account is retrieved. If any of these conditions is false, the directory is searched for a mapping set by the administrator.

In Active Directory mapping, when the IIS server receives a certificate from the user, it passes it on to Active Directory, which maps it to a Windows 2000 or Windows Server 2003 user account. The IIS server then logs on the account.

You can create an Active Directory mapping in one of two ways. You can rely on UPN mapping, or, if UPN mapping is not possible, you can manually map a certificate to the account of a user.

Use Active Directory mapping when the account mappings are identical on all IIS servers. Active Directory mapping is easier to maintain than IIS mapping because you only have to create the mapping in one location.

NOTE: Let’s assume that the user account with which we are trying to access the site doesn’t have a UPN name in the AD (this might happen in the case where the logged on user is a local user and not a Domain user) then in that case the logon credentials for the request will be the mapped user account for the certificate in the AD. Else, if the client certificate’s “Issued to” is a domain user account, then logon credentials will use that Account and not the mapped account associated with certificate. Also it will not respect user’s logged on credentials or server authentication method in IIS manager.