Hi IIS Gurus,
I am trying to implement client certificate authentication using iisClientCertificateMappingAuthentication (many-to-one). Below are the steps we implemented, but we are still getting the error below.
I would appreciate help pointing out what could be configured wrong or missed.
Thanks.
HTTP Error 401.2 - Unauthorized
You are not authorized to view this page due to invalid authentication headers.
- We first enabled the feature from Server Manager.
- IIS > Website > configuration editor > system.webServer/security/authentication/iisClientCertificateMappingAuthentication and enable the manyToOneCertificateMappings
- Add a line item in the collection
- Drill down and create the rules for Issuer CN and Subject CN.
- Open MMC and import the client certificate > Manage Private Keys > ensure NETWORK SERVICE, the application pool user and aws-11\svc_acc_wbs have at least Read permission.
Below is the applicationHost.config for the above changes:
<location path="TXSCPRD">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" userName="" />
        <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="false">
          <manyToOneMappings>
            <add name="2SSLWBS" description="Webseal SG3" userName="aws-11\svc_acc_wbs" password="[enc:AesProvider:8jeda7+ijeasd76as:enc]" lockItem="true">
              <rules>
                <add certificateField="Subject" certificateSubField="CN" matchCriteria="AWS1PRDWBS.11.tntx.net" compareCaseSensitive="false" lockItem="true" />
                <add certificateField="Issuer" certificateSubField="CN" matchCriteria="AWS1-IssuingCA" compareCaseSensitive="false" lockItem="true" />
              </rules>
            </add>
            <!-- NOTE: "name" is the unique key of the manyToOneMappings collection; this entry reuses "2SSLWBS" from the entry above, which IIS rejects as a duplicate collection entry -->
            <add name="2SSLWBS" description="Webseal GDC" userName="aws-11\svc_acc_wbs" password="[enc:AesProvider:asRve5rQ1+c+rDh23rGlQbLnZ008jsemrf7:enc]" lockItem="true">
              <rules>
                <add certificateField="Subject" certificateSubField="CN" matchCriteria="AWS2PRDWBS.11.tntx.net" compareCaseSensitive="false" lockItem="true" />
                <add certificateField="Issuer" certificateSubField="CN" matchCriteria="AWS2-IssuingCA" compareCaseSensitive="false" lockItem="true" />
              </rules>
            </add>
            <add name="2SSLSCD" description="Sitecore GDC" userName="aws-11\svc_acc_wbs" password="[enc:AesProvider:CkhsW/GYvM1`hy+asCpauFvZe9sTZCu494T3Qi3yEWCIxXyT0ols==:enc]" lockItem="true">
              <rules>
                <add certificateField="Subject" certificateSubField="CN" matchCriteria="AWS1PRDSCD.11.tntx.net" compareCaseSensitive="false" lockItem="true" />
              </rules>
            </add>
          </manyToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
    </security>
  </system.webServer>
</location>
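The same many-to-one setup, scripted end to end with the WebAdministration module so the result can be read back and compared with the fragment above. This is an added example and not code from the original post. The site name TXSCPRD, the account aws-11\svc_acc_wbs, the issuer and subject CNs are taken from the post; the mapping names (WBS-SG3, WBS-GDC, SCD-GDC) are hypothetical and chosen to be distinct, since `name` is the collection key; the password is prompted for rather than embedded. It must run elevated on the IIS server.

```powershell
# Added example (not from the original post): configure IIS many-to-one client
# certificate mapping for one site, then read back the effective configuration
# and check that each issuer CN used in a rule is a trusted CA on the server.
# Assumptions: site/account/CN values are placeholders from the post; the mapping
# names below are hypothetical and deliberately unique.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$site     = 'TXSCPRD'
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authPath = 'system.webServer/security/authentication'
$mapPath  = "$authPath/iisClientCertificateMappingAuthentication"

# 1. Role service behind "IIS Client Certificate Mapping Authentication" in Server Manager.
if (-not (Get-WindowsFeature Web-Cert-Auth).Installed) {
    Install-WindowsFeature Web-Cert-Auth | Out-Null
}

# 2. Disable anonymous auth for the site and enable the module in many-to-one mode.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$authPath/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $mapPath -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $mapPath -Name oneToOneCertificateMappingsEnabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $mapPath -Name manyToOneCertificateMappingsEnabled -Value $true

# 3. One mapping per client certificate population; "name" is the unique key of the collection.
$cred = Get-Credential -UserName 'aws-11\svc_acc_wbs' -Message 'Windows account the matched certificates are mapped to'
$mappings = @(
    @{ name = 'WBS-SG3'; description = 'Webseal SG3';  subjectCN = 'AWS1PRDWBS.11.tntx.net'; issuerCN = 'AWS1-IssuingCA' }
    @{ name = 'WBS-GDC'; description = 'Webseal GDC';  subjectCN = 'AWS2PRDWBS.11.tntx.net'; issuerCN = 'AWS2-IssuingCA' }
    @{ name = 'SCD-GDC'; description = 'Sitecore GDC'; subjectCN = 'AWS1PRDSCD.11.tntx.net'; issuerCN = $null }
)
foreach ($m in $mappings) {
    # Drop any stale entry with the same name so the script can be re-run.
    Remove-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$mapPath/manyToOneMappings" `
        -Name '.' -AtElement @{ name = $m.name } -ErrorAction SilentlyContinue
    Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$mapPath/manyToOneMappings" -Name '.' -Value @{
        name        = $m.name
        description = $m.description
        userName    = $cred.UserName
        password    = $cred.GetNetworkCredential().Password   # schema marks this attribute encrypted; IIS encrypts it on write
    }
    $rules = "$mapPath/manyToOneMappings/add[@name='$($m.name)']/rules"
    Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $rules -Name '.' -Value @{
        certificateField = 'Subject'; certificateSubField = 'CN'; matchCriteria = $m.subjectCN; compareCaseSensitive = $false }
    if ($m.issuerCN) {
        Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $rules -Name '.' -Value @{
            certificateField = 'Issuer'; certificateSubField = 'CN'; matchCriteria = $m.issuerCN; compareCaseSensitive = $false }
    }
}

# 4. Require TLS and a client certificate on the site.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 5. Read back what IIS actually sees.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$mapPath/manyToOneMappings/add" |
    ForEach-Object { '{0,-10} -> {1}' -f $_.name, $_.userName }

# 6. The client certificate is validated during the TLS handshake, before any
#    mapping rule runs, so the server must be able to chain it to a trusted CA.
#    Check that every issuer CN referenced by a rule exists in LocalMachine\Root or \CA.
$issuers = (Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$mapPath/manyToOneMappings/add/rules/add" |
    Where-Object certificateField -eq 'Issuer').matchCriteria | Sort-Object -Unique
foreach ($cn in $issuers) {
    $pattern = 'CN=' + [regex]::Escape($cn) + '(,|$)'
    $found = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA | Where-Object { $_.Subject -match $pattern }
    '{0,-20} {1}' -f $cn, $(if ($found) { 'trusted CA present' } else { 'NOT FOUND in LocalMachine Root/CA' })
}
```

The script does not import the client certificates themselves: many-to-one mapping matches on fields of the certificate the client presents, so the server needs the issuing CA chain to be trusted and a mapped account that it can actually log on with (a wrong password or a disabled account also surfaces as a 401). If the CA check at the end reports NOT FOUND, the handshake fails before the mapping is consulted, and Failed Request Tracing for status 401 on the site is the quickest way to see which module rejected the request.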