I was running Windows Server 2008 R2 with IIS 7.5 and an FTP site configured with clientCertificateMappingAuthentication, i.e. Active Directory mapping. It allowed users to log in to my FTP site using certificates mapped to their AD accounts instead of a username/password.
Now I have Windows Server 2012 with IIS 8, and I can see that there is a solution that does not use Active Directory: iisClientCertificateMappingAuthentication. I've tried to configure it, but it doesn't seem able to achieve this for an FTP site. Here's a snapshot of my temporary config:
FTP Authorization Rules - Allow all users
FTP Authentication - Anon: Disabled, Basic: Disabled, IisManagerAuth: Enabled
FTP SSL Settings - SSL server certificate configured, Require SSL connections, Use 128-bit encryption
IIS Manager Permissions - Added user foo/***
With the above config, I am able to connect to the FTP server using Alex FTP:
ftps.exe -h ipipipip -port 21 -U foo -P *** -ssl All -l
Now I want to map a client by certificate. In Configuration Editor, in the section system.webServer/security/authentication/iisClientCertificateMappingAuthentication from ApplicationHost.config, under <location path='ftpssite'>, I've set the following:
defaultLogonDomain - *blank*
enabled - true
logonMethod - clearText
oneToOneCertificateMappingsEnabled - True
oneToOneMappings - (Count=1) *here is the base64-encoded cert mapping for user/pass foo/***
Now I am able to log in with:
ftps.exe -h ipipipip -port 21 -U foo -P *** -ssl All -l
and with:
ftps.exe -h ipipipip -port 21 -U foo -P *** -ssl All -sslClientCertPath "path\to\cert.pfx" -l
but can't log in with:
ftps.exe -h ipipipip -port 21 -ssl All -sslClientCertPath "path\to\cert.pfx" -l
ERROR: User cannot log in.
So it seems that iisClientCertificateMappingAuthentication has no effect on my ftpssite.
Also, the system.webServer/security/access section, attribute sslFlags, seems to do nothing for my ftpssite connection policy. When the Ssl, SslNegotiateCert and SslRequireCert flags are set, nothing happens when a client tries to connect without its certificate.
Am I doing something wrong? Is it possible that iisClientCertificateMappingAuthentication affects only web applications, not FTP sites? Is using Active Directory the only way to provide a certificate authentication method for an FTP site?
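Added example, not part of the original question: a small Python audit that parses an applicationHost.config and reports what is actually set under a site's <location> element for the two sections the question works with (system.webServer/security/access sslFlags and iisClientCertificateMappingAuthentication with its oneToOneMappings). The embedded configuration is constructed to mirror the settings described in the question, with placeholder password and certificate values; the site path "ftpssite" comes from the question, the element and attribute names are the standard IIS ones. Because a one-to-one mapping stores a Windows username and password in the config file, the audit also flags any mapping whose password attribute is not in IIS's encrypted `[enc:...:enc]` form, which is the check an administrator would want before leaving such a mapping in place.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question's described settings (not a real server's config).
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <location path="ftpssite">
    <system.webServer>
      <security>
        <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
        <authentication>
          <iisClientCertificateMappingAuthentication enabled="true" logonMethod="ClearText"
              oneToOneCertificateMappingsEnabled="true" defaultLogonDomain="">
            <oneToOneMappings>
              <add enabled="true" userName="foo" password="PLACEHOLDER-PLAINTEXT-PASSWORD"
                   certificate="PLACEHOLDER-BASE64-CERTIFICATE" />
            </oneToOneMappings>
          </iisClientCertificateMappingAuthentication>
        </authentication>
      </security>
    </system.webServer>
  </location>
</configuration>
"""


def _child(elem, *tags):
    """Walk a chain of direct child tags without XPath (tags like system.webServer contain dots)."""
    for tag in tags:
        if elem is None:
            return None
        elem = next((c for c in elem if c.tag == tag), None)
    return elem


def _is_true(value):
    return (value or "").strip().lower() == "true"


def audit_cert_mapping(config_xml, site_path):
    """Collect sslFlags and client-certificate mapping settings for one <location path=...>."""
    root = ET.fromstring(config_xml)
    result = {"location_found": False, "enabled": False, "logonMethod": None,
              "oneToOneEnabled": False, "mappings": [], "sslFlags": set()}
    loc = next((l for l in root.iter("location") if l.get("path") == site_path), None)
    if loc is None:
        return result
    result["location_found"] = True

    security = _child(loc, "system.webServer", "security")
    access = _child(security, "access")
    if access is not None:
        # sslFlags is a comma-separated flag list, e.g. "Ssl, SslNegotiateCert, SslRequireCert"
        result["sslFlags"] = {f.strip() for f in access.get("sslFlags", "").split(",") if f.strip()}

    auth = _child(security, "authentication", "iisClientCertificateMappingAuthentication")
    if auth is not None:
        result["enabled"] = _is_true(auth.get("enabled"))
        result["logonMethod"] = auth.get("logonMethod")
        result["oneToOneEnabled"] = _is_true(auth.get("oneToOneCertificateMappingsEnabled"))
        mappings = _child(auth, "oneToOneMappings")
        for m in (mappings if mappings is not None else []):
            if m.tag != "add":
                continue
            password = m.get("password", "")
            result["mappings"].append({
                "userName": m.get("userName"),
                "enabled": _is_true(m.get("enabled")),
                # IIS writes encrypted attributes as [enc:<provider>:<ciphertext>:enc]
                "password_encrypted": password.startswith("[enc:") and password.endswith(":enc]"),
                "has_certificate": bool(m.get("certificate")),
            })
    return result


def findings(result):
    """Defender-oriented notes derived from an audit result."""
    if not result["location_found"]:
        return ["no <location> element for that site path"]
    notes = []
    if result["enabled"] and not result["mappings"]:
        notes.append("mapping authentication is enabled but no one-to-one mappings are defined")
    for m in result["mappings"]:
        if not m["password_encrypted"]:
            notes.append(f"mapping for '{m['userName']}' stores its password unencrypted in the config file")
        if not m["has_certificate"]:
            notes.append(f"mapping for '{m['userName']}' has no certificate attribute")
        if not m["enabled"]:
            notes.append(f"mapping for '{m['userName']}' is disabled")
    return notes


if __name__ == "__main__":
    audit = audit_cert_mapping(SAMPLE_CONFIG, "ftpssite")
    print(audit)
    for note in findings(audit):
        print("NOTE:", note)
```

To run it against a real server, read `%windir%\System32\inetsrv\config\applicationHost.config` into `config_xml` in place of the constructed sample; the audit only reads the file and changes nothing.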