Mapping Windows client certificates

Expert response from: Michael Cobb, featured expert
QUESTION POSED ON: 01 February 2006
I have a Windows 2003 server, which has a certificate and is configured to require client certificates for the Web site. I followed Microsoft's procedures to map client certificates, and researched workarounds to replace expired certificates in the certificate stores. I tried moving certificates to different stores in order to get the client certificates to work. When I attempt to access a site, I receive a "client certificates required" error. If I check "accept client certificates," I can connect from the client, but if I select "require client certificates," I can't. Each site I browse to has a different response. One displays the message that I need a certificate and the other informs me that I must use one of the certificates in the list, but the list is empty. I have the client certificates on my client workstation and have even tried exporting/importing to my trusted root store on the client. I am on the same internal network as the server. It has two NICs (internal and external) and I get the same response whether I try to connect internally or externally. It has the same problem from a Windows 2000 client or Windows XP client.

Since you're running Microsoft Windows Server 2003, I assume you're also running Internet Information Services (IIS) version 6.0, which is good because it's more secure than earlier versions. The reason you can connect to the server from the client when you select the "Accept client certificates" option is because your server will let you access the resource, even if you don't have a valid client certificate. When you select the "Require client certificates" option, your server will request to see a client certificate before connecting to the resource. If a valid certificate is not presented, access will be denied.

If you are mapping client certificates to Windows user accounts, use the "Enable client certificate mapping" option. The server will compare its client certificate to the one the browser sent and they must be identical for the mapping to proceed. Therefore, if a user obtains a new certificate it must be remapped -- even if it contains all of the same user information. Also, some client certificates will need to be exported in order to use IIS's one-to-one mapping feature.

To export a client certificate for one-to-one mapping, open Internet Explorer, go to the Tools menu, select Internet Options and then the Content tab. Next select Certificates, and then the Personal tab. Once you're there, select the certificates that you want and click Export. This will start the Certificate Export Wizard. Once this process has started, it's important to select the following options -- "No, do not include any private keys in the export" and "Base64 Encoded X.509 (*.CER)." The exported certificate will need to be copied to a secure location on the Web server so it can be mapped to a user account on the Web server.

You could have also received this error message if the Certificate Authority's (CA) client certificate has not been installed. Your Web server has a list of trusted CA certificates that determines which certificates the server will accept. If the CA that issued the client certificate is not on this list, the client won't be authenticated. On a final note, you mention that there is more than one site on the server, and each site will need its own Web server certificate. I recommend checking the validity of the client certificate's start and end dates, and whether it has been revoked.
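The checks described above, scripted as an added example (not part of the original answer): export the public certificate in Base64 X.509 form without its private key, verify the validity dates, revocation status and issuing-CA trust, and confirm that the server-side copy used for one-to-one mapping is byte-identical to the certificate the client presents. It assumes a client certificate with subject CN=alice in the current user's Personal store and a placeholder path for the mapped copy.

```powershell
# Added example, not from the original answer. Assumptions: the client certificate has
# subject 'CN=alice' in CurrentUser\My; C:\CertMaps\alice.cer is a placeholder path for
# the copy already mapped to a user account on the IIS server.
$SubjectName = 'CN=alice'
$ExportPath  = "$env:TEMP\alice.cer"
$MappedPath  = 'C:\CertMaps\alice.cer'

# 1. Find the certificate in the Personal store (what IE lists on the Personal tab).
$cert = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject '$SubjectName' in CurrentUser\My" }

# 2. Export the public certificate only, Base64-encoded X.509: the same format the wizard
#    produces with "No, do not include any private keys" and "Base64 Encoded X.509 (*.CER)".
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($der, 'InsertLineBreaks') +
       "`r`n-----END CERTIFICATE-----`r`n"
Set-Content -Path $ExportPath -Value $pem -Encoding Ascii

# 3. Validity window, revocation and CA trust: any of these failing means the server
#    rejects the certificate once "Require client certificates" is selected.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    Write-Warning "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
}
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
# Require the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) on the chain.
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'))
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    Write-Host "Chain OK; trusted root: $($root.Subject)"
} else {
    # Build() fails when the issuing CA is untrusted, the cert is revoked or the EKU is missing.
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation)" }
}

# 4. One-to-one mapping compares the whole certificate, so the mapped copy must be
#    identical; a renewed certificate with the same subject still has to be remapped.
if (Test-Path $MappedPath) {
    $mapped = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $MappedPath
    if ($mapped.Thumbprint -eq $cert.Thumbprint) { Write-Host "Mapped copy matches ($($cert.Thumbprint))" }
    else { Write-Warning "Mapped copy differs from the client's certificate; remap it in IIS" }
}
```

Run it on the client workstation; the exported .CER in $ExportPath is the file to copy to the Web server for mapping.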