Search code examples
iisssl-certificateclient-certificates

IIS Client Certificate Mapping Rule not being respected

I am running IIS 8.5 on a Windows Server 2012 R2. I have configured a WebAPI (built on ASP.net) web site to use HTTPS (self-signed) with IIS Client Certificate Mapping for client certificate authentication. I am using the ManyToOneMapping where I have defined one local account to be associated to the client certificate with the incoming request. Furthermore, I have defined a Rule in the mapping so that if the "Subject" field in the certificate contains a certain string then it should allow the request.

Now, when I hit the url in the API application, Firefox prompts me to select the certificate to be used (as expected). And when i select one of the certificates that does not contain that string defined in the mapping Rule, the browser is still served with the resource. I was expected a forbidden response instead. So, it would appear that the Client Certificate mapping is not working as expected.

As I am new to IIS, I am wondering how I could go about to find out how to troubleshoot this situation. Thanks in advance.

Here is snippet from the applicationhost.config file:

<location path="SimpleApi" overrideMode="Allow">
    <system.webServer>
        <security>
            <authentication>
                <iisClientCertificateMappingAuthentication enabled="true" oneToOneCertificateMappingsEnabled="false">
                    <manyToOneMappings>
                        <add name="Authorized Access" description="Some long description" userName="SomeUser" password="[enc:AesProvider:removed:enc]">
                            <rules>
                                <clear />
                                <add certificateField="Subject" certificateSubField="OU" matchCriteria="Admin" />
                            </rules>
                        </add>
                    </manyToOneMappings>
                    <oneToOneMappings />
                </iisClientCertificateMappingAuthentication>
            </authentication>
        </security>
    </system.webServer>
</location>
<location path="SimpleApi">
    <system.webServer>
        <security>
            <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
        </security>
    </system.webServer>
</location>
Solution

  • The only possibility is you have other authentication mechanism enabled for your website and it is simply falling back to that authentication mechanism.

    Check the Authentication module for your website in IIS and disable all other authentication mechanism.