IIS client certificate mapping and authentication methods

Apart from the well-known authentication methods available in IIS:

  • Anonymous
  • Basic
  • Digest
  • Integrated Windows

you can enable Client Certificate mapping, to map users holding a specific certificate to a pre-defines user account. For some reason, this method is not alway mentioned in IIS documentation under “authentication” topic. It is, however, very useful for authenticating users across companies, or to grant access to applications – it’s hard to expect a service to type in its username and password.

You can enable all the authentication methods (including certificate mapping) independently. As you probably know, anonymous authentication “always wins” – if you enable it and any other authentication scheme, user will always come as anonymous.

The reason for that is how HTTP authentication is implemented. If an HTTP client, e.g. a web browser, requests a page that is part of a protected realm, the server responds with a 401 Unauthorized status code and includes a WWW-Authenticate header field in his response. This header field must contain at least one authentication challenge applicable to the requested page. Next, the client makes another request, this time including an Authentication header field which contains the client’s credentials applicable to the server’s authentication challenge. If the server accepts the credentials, it returns the requested page. Otherwise, it returns another 401 Unauthorized response to inform the client the authentication has failed.

If you enable anonymous authentication, client is not replied with 401 HTTP code, it gets the content instead – so it has no chance to provide the authentication information.

How does that relate to certificate client mapping? It’s different. Client certificate is sent by the browser with first request, without being asked for. This means – if you enable any “regular” authentication scheme and client certificate mapping, client certificate always wins. The first request will come with the certificate – so the web server will not responds with HTTP 401 and the WWW-Authenticate header.

If you want to do some tests, I recommend, as usual, the small but powerful WFetch tool. It can send any “generic” certificate to the web server or use a certificate you already have installed.

Leave a Reply

Your email address will not be published. Required fields are marked *