How To Use Certificate Mapping

By Author: iris
Total Articles: 286
Comment this article

Directory Services mapping can be enabled from the Directory Security tab MCTS exam of the Web Sites Properties dialog box, as shown in Figure 13-9. If users have been issued certificates by a Windows Enterprise Certification Authority, the certificate will already be mapped to their user account in Active Directory.
Enable the use of certificates already mapped to accounts in Active Directory.
Alternatively, IIS mapping—either one-to-one or many-to-one—can be used. With IIS mapping, certificates must be mapped to a Windows account from within the IIS Web site property pages. Requirements for certificate mapping are configured by clicking on the Secure Communications box from the Directory Security page of the Web site prop?erties. As shown in Figure 13-10, there are two choices for certificate mapping: one-to-one and many-to-one.
One-to-one mapping requires a certificate to be explicitly mapped to a user account. To do this, you will need to export user certificates to a certificate file, and then add the certificate and specify a Windows account using ...
... the one-to-one property page Add button. The certificate is mapped for use on a specific IIS server. When a client presents a Windows Vista exam for authentication, it is checked against the copy of the certificate stored by the server. The map must be exact. If anything is different, authentication is denied.
Many-to-one mapping allows you to write wildcard rules that will then accept any certificate that meets the rules. In Figure 13-11, a rule to allow any certificate issued by the rootl CA is being written. Figure 13-12 shows the Many-To-1 tab after successful com?pletion of the mapping. The Web server will accept any client certificates issued by the CA. If users are issued new certificates from the CA, the certificates will be accepted. Notice that a single Windows account is chosen for the mapping.
IIS provides a range of authentication methods that allows the design of anonymous access or authenticated access by Windows account or .NET passport account. Each method is desirable for certain uses. The typical IIS installation will provide several IIS authentication methods depending on the data that site users will be accessing.
Network segmentation and firewall configuration are also important parts of Web server security. Review network segmentation and Web server location information in Chapter 4. Any Web site design should include reference to Web server location and firewall configuration, either to indicate the proposed server placement and necessary firewall controls or to indicate how the new application free Microsoft practice exam questions or Web site will need to work with the current environment.