Tip

Heads up on Web-based certificate mapping

This tip was submitted to the SearchWin2000.com tip exchange by member Craig Humphrey. Please let other users know how useful it is by rating it below.


Here are a few pointers to watch out for when you're setting up Web sites that use client certificates for authentication.

 

1. If the site uses both login (Basic or NTLM) authentication and certificate mappings, then the login over-rides the certificate mapping.

2. There are two types of certificate mapping (as of IIS5). One is built into IIS and uses a strong comparison between the stored certificate credentials and the certificate presented by the user. However, any administrator of the server can enumerate all usernames/passwords of certificate mappings. If a certificate is renewed or replaced, it will need to be re-imported into IIS.

The second type of certificate mapping is done in Active Directory, however it uses a weak mapping ("subject" component of certificate) between the stored certificate credentials and the presented client certificate. This allows it to transparently support renewed or replaced certificates and no password information can be enumerated. However, if two certificates are requested from the same CA, using the same textual (name, e-mail, etc.) credentials, AD is unable to differentiate between them.

3. If you're using AD-based certificate mapping, to view the certificates, you'll need to turn on the advanced options

    Requires Free Membership to View

in AD: Users and Groups and then right click a user and select the Name Mappings item.

Good luck and have fun with certificates.

This was first published in January 2004

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.