Problem solve Get help with specific problems with your technologies, process and projects.

Heads up on Web-based certificate mapping

Heads up on Web-based certificate mapping

This tip was submitted to the tip exchange by member Craig Humphrey. Please let other users know...

how useful it is by rating it below.

Here are a few pointers to watch out for when you're setting up Web sites that use client certificates for authentication.


1. If the site uses both login (Basic or NTLM) authentication and certificate mappings, then the login over-rides the certificate mapping.

2. There are two types of certificate mapping (as of IIS5). One is built into IIS and uses a strong comparison between the stored certificate credentials and the certificate presented by the user. However, any administrator of the server can enumerate all usernames/passwords of certificate mappings. If a certificate is renewed or replaced, it will need to be re-imported into IIS.

The second type of certificate mapping is done in Active Directory, however it uses a weak mapping ("subject" component of certificate) between the stored certificate credentials and the presented client certificate. This allows it to transparently support renewed or replaced certificates and no password information can be enumerated. However, if two certificates are requested from the same CA, using the same textual (name, e-mail, etc.) credentials, AD is unable to differentiate between them.

3. If you're using AD-based certificate mapping, to view the certificates, you'll need to turn on the advanced options in AD: Users and Groups and then right click a user and select the Name Mappings item.

Good luck and have fun with certificates.

This was last published in January 2004

Dig Deeper on Windows Server storage management

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.