I'm trying to configure IIS client cert mapping on IIS 8, Windows Server 2012. I don't see the configuration showing up in applicationHost.config, and the cert I'm trying to present isn't offered up as an option by my browser.
Here's what I've tried so far:
In IIS, I created a top-level site called "PackageManager":
SSL Settings are as follows:
Authentication: Enabled Anonymous:
In Configuration Editor,
Section: system.webServer/security/authentication/iisClientCertificateMappingAuthentication
From: ApplicationHost.config <location path=’PackageManager’>
I set the following:
I wanted manyToOneMappings
so I could map the cert to my service account (a domain user):
Here I created 2 rules to match the Subject and Issuer CN's of the GoDaddy cert:
Then I generated a PowerShell script for all the above as follows:
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'PackageManager' -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" -name "enabled" -value "True"
Set-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'PackageManager' -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" -name "defaultLogonDomain" -value "CMC"
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'PackageManager' -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication/manyToOneMappings" -name "." -value @{name='My 1st Mapping';description='1st User Mapping';userName='DOMAIN\username';password='XXXXXXXXXXX'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'PackageManager' -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication/manyToOneMappings/add[@name='My 1st Mapping']/rules" -name "." -value @{certificateField='Subject';certificateSubField='CN';matchCriteria='*.mydomain.com';compareCaseSensitive='False'}
Add-WebConfigurationProperty -pspath 'MACHINE/WEBROOT/APPHOST' -location 'PackageManager' -filter "system.webServer/security/authentication/iisClientCertificateMappingAuthentication/manyToOneMappings/add[@name='My 1st Mapping']/rules" -name "." -value @{certificateField='Issuer';certificateSubField='CN';matchCriteria='Go Daddy Secure Certificate Authority - G2';compareCaseSensitive='False'}
What’s weird about all the above, is that I don’t see any references to this configuration in C:\Windows\System32\inetsrv\Config\applicationHost.config.
When browsing this site, I get prompted to use a cert, but IE doesn't present the cert I was expecting:
That was a self-signed cert I had been experimenting with.
Then I get hit with a lovely 403, so I’m at an impasse.
What am I doing wrong in the config that it doesn't show up in applicationHost.config, and why am I not given a choice to present my client cert (it's in my store)?
Best Answer
I experienced the same problem under Windows Server 2012 and I solved it by adding two additional registry keys under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Control\SecurityProviders\Schannel
:•
ClientAuthTrustMode
Value type:REG_DWORD
, Value data:2
•
SendTrustedIssuerList
Value type:REG_DWORD
, Value data:0
For more information see IIS 8.5 - Mutual certificates authentication fails with error 403.16