We configure authentication in IIS using OneToOne certificates
Good day to all. It just so happened, at work it was necessary to configure the server with IIS, and not just configure, but hang up authorization on different services using only a certificate specific to the service. This problem can be solved by using several generation centers, but we will not complicate everything and proceed to configure the "One-to-One" of our IIS.
The generation of the necessary keys is described in great detail on the Internet ( an article on the hub) and should not cause any special problems, so I will omit this part.
Let's get down to business:
1) Install IIS and the necessary components. Be sure to check "IIS Client Certificate Authentication Mapping."
2) For binding, we need a base64-encoded client certificate, it is very simple to export it from the certificate (certmgr.msc) “Certificates” or from “Internet Options”.
3) We open the received certificate in a text editor and stand in one line, after deleting the lines “BEGIN CERTIFICATE” and “END CERTIFICATE”.
With the preparation finished, go to the server.
4) Run the inetmgr “IIS Manager” and install the server certificate. In my case, the CN certificate is Localhost.
5) After that, we can bind this certificate to services. We go to the bindings and selecting Https indicate the necessary port and certificate.
6) In the SSL parameters, check “Require SSL” and the client certificate “require”.
7) Now any certificate issued by our CA is suitable for authorization, but the purpose of this article is just to show the next step when customers with certificates need to be divided. We go to the “Configuration Editor” at the address: “system.webServer / security / authentication / iisClientCertificateMappingAuthentication”.
8) Here you have to make a choice, or we start by specific certificates or by a specific field in the certificate (for example, a unique OID).
9) Consider the parameter "oneToOneCertificateMappingsEnabled". By setting its value to “True” we can bind a specific certificate to the user.
10) The certificate obtained in the second paragraph is inserted into the "certificate" field. Fill the fields "userName" and "password" with the account that you previously created.
11) Now upon presentation of the entered client certificate, we will gain access with the rights of the specified account. However, all other certificates will continue to work quietly and receive anonymous access, in order to avoid this it is necessary in iis to disable anonymous authentication.
At this stage, authorization should only take place on a given certificate.
Code for appcmd:
The generation of the necessary keys is described in great detail on the Internet ( an article on the hub) and should not cause any special problems, so I will omit this part.
Let's get down to business:
1) Install IIS and the necessary components. Be sure to check "IIS Client Certificate Authentication Mapping."
2) For binding, we need a base64-encoded client certificate, it is very simple to export it from the certificate (certmgr.msc) “Certificates” or from “Internet Options”.
3) We open the received certificate in a text editor and stand in one line, after deleting the lines “BEGIN CERTIFICATE” and “END CERTIFICATE”.
With the preparation finished, go to the server.
4) Run the inetmgr “IIS Manager” and install the server certificate. In my case, the CN certificate is Localhost.
5) After that, we can bind this certificate to services. We go to the bindings and selecting Https indicate the necessary port and certificate.
6) In the SSL parameters, check “Require SSL” and the client certificate “require”.
7) Now any certificate issued by our CA is suitable for authorization, but the purpose of this article is just to show the next step when customers with certificates need to be divided. We go to the “Configuration Editor” at the address: “system.webServer / security / authentication / iisClientCertificateMappingAuthentication”.
8) Here you have to make a choice, or we start by specific certificates or by a specific field in the certificate (for example, a unique OID).
9) Consider the parameter "oneToOneCertificateMappingsEnabled". By setting its value to “True” we can bind a specific certificate to the user.
10) The certificate obtained in the second paragraph is inserted into the "certificate" field. Fill the fields "userName" and "password" with the account that you previously created.
11) Now upon presentation of the entered client certificate, we will gain access with the rights of the specified account. However, all other certificates will continue to work quietly and receive anonymous access, in order to avoid this it is necessary in iis to disable anonymous authentication.
At this stage, authorization should only take place on a given certificate.
Code for appcmd:
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:"True" /oneToOneCertificateMappingsEnabled:"True" /commit:apphost
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /+"oneToOneMappings.[userName='22',password='22',certificate='текст сертификата в кодировке base64']" /commit:apphost
appcmd.exe set config "Default Web Site" -section:system.webServer/security/access /sslFlags:"Ssl, SslNegotiateCert, SslRequireCert" /commit:apphost