]> IIS Client Certificate mapping - Unauthorized 🌐:aligrant.com

IIS Client Certificate mapping - Unauthorized

Alastair Grant | Wed 2 Mar 2016

I have wasted a couple of days trying to setup client-certificate mapping in IIS8.5 to authenticate and ultimately authorise client connections. Whilst I thought I was doing everything correctly I was receiving an 401.2 - Unauthorized error from IIS 8.5. Digging in a little further the cause was a very generic 0x80070005 - aka "Access is denied.".

For the uninformed client certificate mapping is a method in IIS to associate a client (not server) provided x509 certificate to a Windows user account. A certificate (either self-signed or signed by a certificate authority) is presented by the client connection, derived from their private key. It authenticates that the connection has they private key (which one hopes is in turn password protected and not taking the form of the digital version of a post-it-note).

To setup Client Certificate Mapping you need to add the Windows Role: Web Server (IIS) / Security / IIS Client Certificate Mapping Authentication. NB. there is also 'Client Certificate Mapping Authentication' - this version plugs into certificates bound to AD accounts and works in a different fashion - not what I'm talking about here.

This authentication mechanism isn't enabled through the Authentication tab of your IIS directly, but instead helpfully buried in the config. So you have to add the details through the Configuration Editor icon in IIS. Now the crucial thing here that had me wound up for days is that you must do this on the Site Root level and not on the (virtual) directory that you want to secure. Whilst there is nothing stopping you from configuring at the directory level it simply won't work and you'll get a vague 'Access is denied' error. Finally alluded to me with thanks to MSDN Blog post by Saur212.

To add in the certificate mapping you need to navigate to system.webServer/security/authentication/iisClientCertificateMappingAuthentication in the IIS Configuration Editor (at the site level), set Enabled to true, oneToOneCertificateMappingsEnabled to true and then expand the mappings property.

You can then add as many mappings as you want, and despite the name, you can map multiple certificates to one login. What you need to enter is fairly self-explanatory apart from the certificate field itself. For this you need to enter the Base64 encoded version of the certificate without the BEGIN/END CERTIFICATE lines that traditionally wrap them. The dialogue seems to struggle with spaces too, so you'll need to unwrap and clean out any spaces when you export your certificate.

For the directory you do want to secure you need to set the SSL settings to Require Client Certificates (which means you need to Require SSL). Disable any other authentication mechanisms for that directory, especially Anonymous, and you should be good to go.

You can utilise certificate authentication then to authorise access to objects. For a standard web-directory you can set file permissions on the file-system to only allow the accounts you want to pass. Or if you're using ASP.NET etc., then you will have the authenticated user information passed into the application to use.

Breaking from the voyeuristic norms of the Internet, any comments can be made in private by contacting me.