Hi,
I am working on setting up Client Certificate Authentication in IIS. For some reason, if I use a server certificate from a trusted Certification Authority (DigiCert), the client certificate mapping is not recognized and authentication falls back to anonymous.
The client certificate I am using is issued by a self-signed CA and a one-to-one mapping has been configured for a local SAM account. Everything works if I also use a self-signed server certificate. But when I use the certificate issued by DigiCert, it does not. The only difference I can see is the trusted CA root is a wildcard certificate (*.domain.com) whereas the self-signed certificate is specific (server1.internaldomain.local).
The Enhanced Key Usage of the *.domain.com certificate lists "Server Authentication" and "Client Authentication", so it is a valid certificate for this task.
To prove the client certificate mapping is correct, I created a separate binding on the same site to test:
- If the client connects to host.domain.com (which uses the *.domain.com certificate), authentication falls back to anonymous.
- If the client connects to server1.internaldomain.local:10443 (custom binding using the server1.internaldomain.local self-signed certificate), client certificate authentication succeeds.
- No other certificate-related changes are made other than switching trusts on the client side.
Any ideas why this may be occurring? I was surprised that a trusted CA certificate caused more grief than testing in isolation with a self-signed certificate.
The SSL Setting is set to "Accept" for Client Certificates. If I switch to "Required", the host.domain.com address returns an HTTP 403.7 from the IIS logs. However, the certificate is valid and is being passed to the server since it works on server1.internaldomain.local. The server1 address works for both "Accept" and "Required" settings. The logs show the username in the entry and an HTTP 200 code.
Any help is greatly appreciated.
Thanks.
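Added diagnostic script (my own, not from the poster): it dumps, side by side for both HTTPS bindings, the pieces of configuration the post compares (site sslFlags, the one-to-one mapping entries, the server certificate HTTP.sys serves on each binding and whether it chains, and the 403.7 / 200 log lines). It assumes the WebAdministration and PKI modules and a site named 'Default Web Site' (placeholder for the real site name).

```powershell
# Assumption: the site is 'Default Web Site'; replace with the real site name.
Import-Module WebAdministration
$site = 'Default Web Site'

# 1. Per-site SSL flags. 'SslNegotiateCert' is the "Accept" setting,
#    'SslNegotiateCert,SslRequireCert' is "Required".
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/security/access' -Name sslFlags

# 2. One-to-one client certificate mapping: feature flags and the mapped entries.
$auth = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter $auth |
    Select-Object enabled, oneToOneCertificateMappingsEnabled
Get-WebConfiguration -PSPath "IIS:\Sites\$site" -Filter "$auth/oneToOneMappings/add" |
    Select-Object enabled, userName, @{ n = 'clientCertThumbprint'; e = {
        # The mapping stores the client certificate as base64 DER; decode it so the
        # thumbprint can be compared with the certificate the client actually presents.
        $der = [Convert]::FromBase64String($_.certificate)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der).Thumbprint } }

# 3. Every HTTPS binding on the site, the server certificate bound to it, and whether
#    that certificate chains to a trusted root on this server (Test-Certificate, PKI module).
Get-WebBinding -Name $site -Protocol https | ForEach-Object {
    $b    = $_
    $cert = Get-Item "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
    [pscustomobject]@{
        Binding = $b.bindingInformation          # e.g. *:443:host.domain.com or *:10443:
        Subject = $cert.Subject
        Issuer  = $cert.Issuer
        ChainOK = [bool](Test-Certificate -Cert $cert -Policy SSL -ErrorAction SilentlyContinue)
    }
}

# 4. HTTP.sys view of the same bindings. Compare the 443 and 10443 entries line by line,
#    in particular "Negotiate Client Certificate" and the certificate hash shown for each.
netsh http show sslcert

# 5. The log entries the post refers to: W3C fields are "sc-status sc-substatus sc-win32-status",
#    so ' 403 7 ' is the "client certificate required" response and ' 200 0 ' the success.
$logDir = (Get-ItemProperty "IIS:\Sites\$site" -Name logFile).directory -replace '%SystemDrive%', $env:SystemDrive
Get-ChildItem "$logDir\W3SVC*\*.log" -ErrorAction SilentlyContinue |
    Select-String -Pattern ' 403 7 | 200 0 ' | Select-Object -Last 20
```

Run it in an elevated PowerShell on the IIS host; any field that differs between the two bindings in steps 3 and 4 is where to look first.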