IIS – How to restrict certificate authentication to specific users on IIS 8.0

Tags: asp.net, authentication, iis, iis-8, ssl-certificate

I am using IIS 8.0 on a Windows Server 2012 box. This is not a domain joined machine so Active Directory is not available to me.

I've successfully configured certificate authentication. When accessing the website, the user is presented with a list of certificates to choose from, and the Certificate Trust List (CTL) on the server has those intermediate and root CAs that it trusts.

My question is: how do I restrict successful authentication to only specific users? For example, we have five users' certificates issued by the same CA, but I still want to restrict access to the site to only three of the five people. It can be an access list based on any unique identifier located in X.509 certificates (e.g. email, key ID, thumbprint).

I'm not sure how to achieve this behavior. I found this but I'm not sure if this is the right path to go down…: http://www.iis.net/configreference/system.webserver/security/authentication/iisclientcertificatemappingauthentication

Can anyone point me in the right direction?

Best Answer

You're thinking about this from the wrong direction. Certificate authentication is a replacement or enhancement for username/password or AD authentication. When a user connects to your site and presents a certificate, then the user is logged in as the user that certificate is mapped to.

So if you have 3 users you want to be able to use your site, either your web application has to make the decision (just like it would if it used username/password authentication), or you can create an AD group and put the 3 people in it and set the security on the folder to only allow that group.
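As an added illustration of the first option (the web application making the decision), here is an ASP.NET allow-list check on the client certificate's thumbprint; this is example code, not from the answer author, and the three thumbprint values are placeholders to be replaced with the real ones.

```csharp
// Added example: allow-list enforcement inside an ASP.NET application on a site
// where IIS client-certificate authentication is already enabled and working.
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Web;

public static class ClientCertificateGate
{
    // Thumbprints of the three permitted certificates. Placeholder values;
    // replace them with the SHA-1 thumbprints of the real user certificates.
    private static readonly string[] AllowedThumbprints =
    {
        "0000000000000000000000000000000000000001",
        "0000000000000000000000000000000000000002",
        "0000000000000000000000000000000000000003",
    };

    // Returns true only if the request carried a client certificate that IIS
    // accepted (present and chained to a trusted CA) and whose thumbprint is
    // on the allow-list. Thumbprint is used rather than e-mail or subject name
    // because it identifies exactly one issued certificate.
    public static bool IsAllowed(HttpClientCertificate clientCert)
    {
        if (clientCert == null || !clientCert.IsPresent || !clientCert.IsValid)
            return false;

        var cert = new X509Certificate2(clientCert.Certificate);
        return AllowedThumbprints.Any(t =>
            string.Equals(t, cert.Thumbprint, StringComparison.OrdinalIgnoreCase));
    }
}

// Global.asax.cs: every request whose certificate is not allow-listed gets 403,
// so the check cannot be bypassed by requesting a different page.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        if (!ClientCertificateGate.IsAllowed(Request.ClientCertificate))
        {
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
        }
    }
}
```

Because the list is keyed on thumbprint, a renewed or reissued certificate for the same person has to be added to the list; revocation of a listed certificate is still handled by IIS's CRL checking, not by this code.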