I have a requirement that I have to set up a site with IIS Client Cert Auth and I have a couple of questions.
The site/app pool runs under a given user account, the same account is used to access MSSQL db.
I intend to do a one-to-one mapping, because we only want to allow one external user. In the related documentation I see that I need to assign a certificate thumbprint to a user.
Am I right to think this user must be different from the app pool identity? So if the app pool runs under the account SVC_WEBACCOUNT, I still need to create an account something like EXTERNAL_USER, and in the configuration assign the certificate to EXTERNAL_USER. And the web app will still run under SVC_WEBACCOUNT; it just makes sure the incoming request is coming from an authenticated source?
Also, I received 3 .cer certificate files. They are named _auth.cer, _intermediate.cer, and _root.cer. I assume I need to put the _root in the Trusted Root Certification Authorities on the machine, and I need to put the contents of _auth into the IIS config for EXTERNAL_USER.
I also see an Intermediate Certification Authorities in the Certification Manager where I assume I need to put the _intermediate cert, but what is the purpose of this I wonder?
And as a final question, after enabling the IIS Client Cert Auth in the features, I still don't see this option in the Authentication page of IIS. Should I be concerned about this, or can I just go ahead and set up the web.config appropriately and it should work?
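A way to wire up the pieces asked about above (the chain stores, the base64 form of the client certificate, and the one-to-one mapping entry), as an added PowerShell example that is not part of the original post. It assumes the WebAdministration module, a site named 'Default Web Site', the three .cer files in C:\certs, and placeholder account names; the mapped account is configured separately from the app pool identity.

```powershell
# Added example (not from the original post). Assumptions: WebAdministration module,
# site 'Default Web Site', certificates in C:\certs, placeholder account names.
Import-Module WebAdministration

$site    = 'Default Web Site'   # assumption
$certDir = 'C:\certs'           # assumption
$mapUser = 'EXTERNAL_USER'      # account the client certificate maps to (placeholder)
$mapPass = Read-Host -Prompt "Password for $mapUser" -AsSecureString

# 1. Chain stores: root CA into Trusted Root, issuing CA into Intermediate CAs, so the
#    server can build and validate the chain of the presented client certificate.
Import-Certificate -FilePath "$certDir\_root.cer"         -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Import-Certificate -FilePath "$certDir\_intermediate.cer" -CertStoreLocation Cert:\LocalMachine\CA   | Out-Null

# 2. The mapping stores the leaf certificate as one base64 line: raw DER, no PEM
#    headers, no line breaks. The thumbprint is printed for cross-checking only.
$auth   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$certDir\_auth.cer")
$base64 = [Convert]::ToBase64String($auth.GetRawCertData())
"Mapping certificate thumbprint: $($auth.Thumbprint)"

# 3. Write the mapping into applicationHost.config for this site's location. The
#    section is locked by default, so a site-level web.config alone is usually rejected.
$filter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$common = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Location = $site }
Set-WebConfigurationProperty @common -Filter $filter -Name enabled -Value $true
Set-WebConfigurationProperty @common -Filter $filter -Name oneToOneCertificateMappingsEnabled  -Value $true
Set-WebConfigurationProperty @common -Filter $filter -Name manyToOneCertificateMappingsEnabled -Value $false

# The password attribute is marked encrypted in the IIS schema, so the configuration
# system encrypts it on write; it is only held in clear text transiently here.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
           [Runtime.InteropServices.Marshal]::SecureStringToBSTR($mapPass))
Clear-WebConfiguration @common -Filter "$filter/oneToOneMappings"
Add-WebConfigurationProperty @common -Filter "$filter/oneToOneMappings" -Name '.' `
    -Value @{ enabled = $true; userName = $mapUser; password = $plain; certificate = $base64 }

# 4. Require TLS plus a client certificate on the site, and turn off anonymous access so
#    a request without a mapped certificate is not served.
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'
Set-WebConfigurationProperty @common -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false
```

After running it, `Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter "$filter/oneToOneMappings/add"` shows the stored mapping, which is a quick way to confirm the entry exists even when the Authentication pane does not list the feature.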