If you are mapping client certificates to Windows user accounts, use the "Enable client certificate mapping" option....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The server will compare its client certificate to the one the browser sent and they must be identical for the mapping to proceed. Therefore, if a user obtains a new certificate it must be remapped -- even if it contains all of the same user information. Also, some client certificates will need to be exported in order to use IIS's one-to-one mapping feature.
To export a client certificate for one-to-one mapping, open Internet Explorer, go to the tools menu, select Internet Options and then the Content tab. Next select Certificates, and then the Personal tab. Once you're there, select the certificates that you want and click Export. This will start the Certificate Export Wizard. Once this process has started, it's important to select the following options -- "No, do not include any private keys in the export" and "Base64 Encoded X.509 (*.CER)." The exported certificate will need to be copied to a secure location on the Web server so it can be mapped to a user account on the Web server.
You could have also received this error message if the Certificate Authority's (CA) client certificate has not been installed. Your Web server has a list of trusted CA certificates that determines which certificates the server will accept. If the CA that issued the client certificate is not on this list, the client won't be authenticated. On a final note, you mention that there is more than one site on the server, and each site will need its own Web server certificate. I recommend checking the validity of the client certificate's start and end dates, and whether it has been revoked.
Dig Deeper on Web Authentication and Access Control
Related Q&A from Michael Cobb
Microsoft is banning weak passwords on many of its services with the Smart Password Lockout feature. Expert Michael Cobb explains how it works, and ...continue reading
A malicious app called Black Jack Free was able to bypass Google Play's app store security. Expert Michael Cobb explains the threat and how ...continue reading
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.