Hi
There are detailed instructions on how to get Client Certificate Mapping Authentication (mapping to AD accounts) to work.
While the instructions for the GUI are OK, I think there is a misleading instruction in the XML config (web.config / applicationHost.config) and appcmd examples.
The examples state that the setting clientCertificateMappingAuthentication enabled="true" has to be set on the website you want to modify (against the instruction "In the server's Home pane, double-click Authentication.").
<location path="Default Web Site"><system.webServer><security><access sslFlags="Ssl, SslNegotiateCert" /><authentication><windowsAuthentication enabled="false" /><anonymousAuthentication enabled="false" /><digestAuthentication enabled="false" /><basicAuthentication enabled="false" /><clientCertificateMappingAuthentication enabled="true" /></authentication></security></system.webServer></location>
Same with the appcmd example that activates the clientCertificateMappingAuthentication:
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost
At least for me (2012 R2, IIS 8), it failed with a status code 401.2 (server configuration issue) when I did it as in the example. Once changed to the root of IIS, it worked.
It should be (as described in the GUI example) on the root of IIS (home); therefore the XML config should be like this in applicationHost.config ("C:\Windows\System32\inetsrv\config\applicationHost.config"):
<configuration>
...
SNIP non-relevant content
...
<system.webServer> ...
SNIP non-relevant content ...
<security><applicationDependencies /><authentication><basicAuthentication enabled="false" /><clientCertificateMappingAuthentication enabled="true" /> ... ...
which can be set using this appcmd example (using "" as the config path that points to the root):
appcmd.exe set config "" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost
With that, it works like a charm.
The other configuration examples are all fine.
Maybe also good to mention that, besides having to have Key Usage "Client Authentication" (which is obvious), the client certificates also need to have a Subject Alternative Name of type UserPrincipalName with the actual UserPrincipalName of the AD user to be mapped to.
Just wanted to share.
cheers, John Flower
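As an added example (not part of John's post and not Microsoft's own script), the following PowerShell uses the WebAdministration module to show where clientCertificateMappingAuthentication is actually enabled (server root versus the site's <location> element), enables it at the root if it is off, as the post describes, and checks that a client certificate carries the UserPrincipalName SAN. The site name and the certificate thumbprint are assumptions; run it elevated on the IIS host.

```powershell
# Added example, not from the original post. Assumptions: site name and thumbprint below.
Import-Module WebAdministration

$filter   = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$siteName = 'Default Web Site'   # assumption: the site you are troubleshooting
$apphost  = 'MACHINE/WEBROOT/APPHOST'   # applicationHost.config, i.e. appcmd's /commit:apphost

# Value at the server root (what appcmd set config "" ... /commit:apphost writes)
$rootEnabled = (Get-WebConfigurationProperty -PSPath $apphost -Filter $filter -Name 'enabled').Value

# Value inside <location path="Default Web Site"> (what the misleading example writes)
$siteEnabled = (Get-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter $filter -Name 'enabled').Value

Write-Host "Server root : clientCertificateMappingAuthentication enabled = $rootEnabled"
Write-Host "$siteName : clientCertificateMappingAuthentication enabled = $siteEnabled"

if (-not $rootEnabled) {
    # The post's finding: enabling it only under the site gave 401.2; it must be on at the root.
    Set-WebConfigurationProperty -PSPath $apphost -Filter $filter -Name 'enabled' -Value $true
    Write-Host 'Enabled clientCertificateMappingAuthentication at the server root.'
}

# Confirm the site negotiates/requires a client certificate (the sslFlags from the post)
$sslFlags = Get-WebConfigurationProperty -PSPath $apphost -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
Write-Host "$siteName sslFlags = $sslFlags   (expected: Ssl, SslNegotiateCert)"

# Check a client certificate has the UPN SAN the post says is needed for AD mapping.
# Thumbprint is a placeholder assumption; SAN extension OID 2.5.29.17 is standard.
$thumb = '<CLIENT-CERT-THUMBPRINT-PLACEHOLDER>'
$cert  = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $thumb }
if ($cert) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san -and $san.Format($true) -match 'Principal Name=(\S+)') {
        Write-Host "Certificate SAN UPN: $($Matches[1])  (must equal the AD user's UPN)"
    } else {
        Write-Host 'No UserPrincipalName SAN found; mapping to an AD account will fail.'
    }
}
```

Get-WebConfigurationProperty with -Location reads the effective value for the site, so comparing it with the root value shows whether the setting was only applied under the site's <location> element.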