If you are mapping client certificates to Windows user accounts, use the "Enable client certificate mapping" option....
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The server will compare its client certificate to the one the browser sent and they must be identical for the mapping to proceed. Therefore, if a user obtains a new certificate it must be remapped -- even if it contains all of the same user information. Also, some client certificates will need to be exported in order to use IIS's one-to-one mapping feature.
To export a client certificate for one-to-one mapping, open Internet Explorer, go to the tools menu, select Internet Options and then the Content tab. Next select Certificates, and then the Personal tab. Once you're there, select the certificates that you want and click Export. This will start the Certificate Export Wizard. Once this process has started, it's important to select the following options -- "No, do not include any private keys in the export" and "Base64 Encoded X.509 (*.CER)." The exported certificate will need to be copied to a secure location on the Web server so it can be mapped to a user account on the Web server.
You could have also received this error message if the Certificate Authority's (CA) client certificate has not been installed. Your Web server has a list of trusted CA certificates that determines which certificates the server will accept. If the CA that issued the client certificate is not on this list, the client won't be authenticated. On a final note, you mention that there is more than one site on the server, and each site will need its own Web server certificate. I recommend checking the validity of the client certificate's start and end dates, and whether it has been revoked.
Dig Deeper on Web Authentication and Access Control
Related Q&A from Michael Cobb
The TLS protocol has fallen on hard times, but expert Michael Cobb explains how client puzzles can help fix some of the problems.continue reading
Microsoft's Wi-Fi Sense for Windows 10 can share encrypted passwords for Wi-Fi networks, but is it safe? Expert Michael Cobb has the answer.continue reading
Several security vendors and providers have been hacked over the last year. Expert Michael Cobb explains how enterprises should prepare for a vendor ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.