This tip was submitted to the SearchWin2000.com tip exchange by member Craig Humphrey. Please let other users know how useful it is by rating it below.
Here are a few pointers to watch out for when you're setting up Web sites that use client certificates for authentication.
1. If the site uses both login (Basic or NTLM) authentication and certificate mappings, then the login over-rides the certificate mapping.
2. There are two types of certificate mapping (as of IIS5). One is built into IIS and uses a strong comparison between the stored certificate credentials and the certificate presented by the user. However, any administrator of the server can enumerate all usernames/passwords of certificate mappings. If a certificate is renewed or replaced, it will need to be re-imported into IIS.
The second type of certificate mapping is done in Active Directory, however it uses a weak mapping ("subject" component of certificate) between the stored certificate credentials and the presented client certificate. This allows it to transparently support renewed or replaced certificates and no password information can be enumerated. However, if two certificates are requested from the same CA, using the same textual (name, e-mail, etc.) credentials, AD is unable to differentiate between them.
3. If you're using AD-based certificate mapping, to view the certificates, you'll need to turn on the advanced options
Good luck and have fun with certificates.
This was first published in January 2004