I have been googling this for hours. I cannot get my mapping to work on certain certificate fields. For example, this sample code:
    <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
      <manyToOneMappings>
        <add name="Contoso Employees"
             enabled="true"
             permissionMode="Allow"
             userName="Username"
             password="[enc:AesProvider:57686f6120447564652c2049495320526f636b73:enc]">
          <rules>
            <add certificateField="Subject"
                 certificateSubField="O"
                 matchCriteria="MyCompany A/S CVR:12345"
                 compareCaseSensitive="true" />
          </rules>
        </add>
      </manyToOneMappings>
    </iisClientCertificateMappingAuthentication>
This doesn't work. I am suspecting the special characters in matchCriteria="MyCompany A/S CVR:12345". If I map it on certificateSubField="C" and matchCriteria="DK" then it works. I have also tried with this combination matchCriteria="MyCompany*" where I am using the wildcard character * and it still doesn't work. If I use just the * as in matchCriteria="*" then it works, but then again this is a useless match.
I checked with the certutil to see what value it gives me for the subfields CN, O and C. CN and O have similar value: MyCompany A/S CVR:12345
They both contain spaces and special characters.
How can I do this matching in IIS 7.5? I should mention that this mapping on exactly the same value works fine in IIS 6.
Best Answer
I figured it out myself. It is because IIS client certificate mapping fails if the certificate issuer and subject are UTF8-encoded strings. This is a known issue with IIS 7 and 7.5.
There is a hotfix from Microsoft that fixes this. Take a look at KB article 2597665:
"A certificate mapping rule in IIS does not work for a client certificate that has Unicode encoding attributes in Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7"
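To see which ASN.1 string type each subject attribute of a client certificate uses, which is the property the answer ties to the failed match, the following walks the DER of a subject Name. It is an added example, not part of the original answer or of any Microsoft tooling; the function names and `SAMPLE_NAME` are constructed here from the values quoted in the question.

```python
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x1E: "BMPString"}
ATTR_OIDS = {"550403": "CN", "550406": "C", "55040a": "O"}   # DER bytes of 2.5.4.x

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed element's contents into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, end = read_tlv(body, pos)
        out.append((tag, value, body[pos:end]))
        pos = end
    return out

def subject_name(cert_der):
    """Return the raw DER subject Name from a DER-encoded X.509 certificate."""
    tbs = children(children(read_tlv(cert_der, 0)[1])[0][1])
    fields = tbs[1:] if tbs[0][0] == 0xA0 else tbs   # skip the optional [0] version
    return fields[4][2]                 # serial, sigAlg, issuer, validity, subject

def name_encodings(name_der):
    """List (attribute, ASN.1 string type, text) for every attribute in a Name."""
    rows = []
    for _, rdn, _ in children(read_tlv(name_der, 0)[1]):     # each RDN is a SET
        for _, pair, _ in children(rdn):                     # SEQUENCE {OID, value}
            (_, oid, _), (stag, raw, _) = children(pair)[:2]
            codec = {0x0C: "utf-8", 0x1E: "utf-16-be"}.get(stag, "latin-1")
            rows.append((ATTR_OIDS.get(oid.hex(), oid.hex()),
                         STRING_TAGS.get(stag, hex(stag)), raw.decode(codec)))
    return rows

def utf8_attributes(name_der):
    """Attributes stored as UTF8String, the encoding the answer ties to the failure."""
    return [attr for attr, kind, _ in name_encodings(name_der) if kind == "UTF8String"]

def tlv(tag, body):   # short-form encoder, used only to build the constructed sample
    return bytes([tag, len(body)]) + body

def sample_rdn(oid_hex, tag, text):
    return tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(tag, text.encode())))

SAMPLE_NAME = tlv(0x30, sample_rdn("550406", 0x13, "DK")
                  + sample_rdn("55040a", 0x0C, "MyCompany A/S CVR:12345"))
```

For a real certificate, pass `subject_name(der_bytes)` to `name_encodings`; in the constructed sample, C is a PrintableString and O is a UTF8String, matching the question's observation that the rule on C works while the rule on O does not.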