I succeeded in adding the following configuration in the Nginx server; it works fine after I install the client certificate on the client side.
ssl_client_certificate /home/test/clientkey/client.crt;
ssl_verify_client on;
But I have another Windows IIS server, which needs similar operations. I followed the web tutorial.
1. Enable IIS Client Certificate Mapping Authentication in Windows
2. IIS SSL setting: Require SSL
3. Disable Anonymous Authentication
4. set system.webServer/security/authentication/iisClientCertificateMappingAuthentication
But it still failed; probably I misunderstood the mechanism of IIS, so I have the following questions:
1. Why and what do I need to input as username and password here?
Because you need to map the certificate to a windows user account, it will ask you for the following information:
userName => account that will be used to log in.
password => password for this account.
When you set userName=testuser, if the client provides a valid certificate, it will enter the website as your "testuser" account.
2. I didn't find a place to input the client certificate, as in the Nginx configuration.
If you enable one-to-one certificate mapping, you need to enter the Base-64 encoded string of the certificate into the Certificate field in the configuration editor.
If you enable many-to-one certificate mapping, this mapping mechanism uses wildcard matching rules to verify that the client certificate contains certain information, such as the issuer or subject. This mapping does not identify individual client certificates; it accepts all client certificates fulfilling the specific criteria. If a client gets another certificate containing all the same user information, the existing mapping will still work. Certificates do not need to be exported for use in many-to-one mappings.
3. I cannot figure out the difference between ManyToOne and OneToOne. If the latter one means "Windows account", does it mean I cannot access it via a Linux client?
One-to-One Client Mapping => each individual trusted user certificate is mapped to a Windows user account.
As long as your client imports the same server certificate and selects the correct certificate when making the request, the server will match the certificate's Base-64 encoded string. A successful match means that the client presented a valid certificate. It will enter the website with the Windows account "testuser" you set up.
Many-to-One Client Mapping => Multiple trusted user certificates are mapped to a single Windows user account.
As long as your client certificate matches the rules you set in the configuration editor, the certificate is considered valid and will log you in as the user you set.
Reference link:
IIS Client Certificate Mapping Authentication
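As an added example that is not part of the question or the answer above: a PowerShell script (WebAdministration module, run elevated on the IIS host) that builds the single-line Base-64 string the one-to-one Certificate field expects from the client's certificate file, then adds a one-to-one mapping and an optional many-to-one rule for a site. The site name, certificate path, account name and CA name are placeholders.

```powershell
# Added example (not from the question or the answer): configure IIS client
# certificate mapping with the WebAdministration module. Run elevated on the
# IIS host. Site name, certificate path, account and CA name are placeholders.
Import-Module WebAdministration

$site     = 'Default Web Site'        # placeholder site name
$certFile = 'C:\certs\client.cer'     # placeholder: the client's public certificate
$userName = 'testuser'                # Windows account the mapping logs in as
$secure   = Read-Host -AsSecureString 'Password for the mapping account'
$plain    = [System.Net.NetworkCredential]::new('', $secure).Password

$apphost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# The Certificate field wants the raw DER bytes as ONE Base-64 line: no
# "-----BEGIN CERTIFICATE-----" header and no line breaks. A value pasted
# straight from a .pem file (headers, 64-char lines) never matches.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certFile)
$b64  = [Convert]::ToBase64String($cert.RawData)

# 1. Enable the feature (the Windows feature "IIS Client Certificate Mapping
#    Authentication" must already be installed) and require SSL + a client cert.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name oneToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# 2. One-to-one: exactly this certificate -> $userName. The mapping lives on
#    the server, so a Linux client presenting the same cert is mapped the same way.
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$filter/oneToOneMappings" -Name '.' -Value @{
    enabled = 'True'; userName = $userName; password = $plain; certificate = $b64
}

# 3. Many-to-one (optional): any cert whose Issuer CN equals the placeholder CA
#    name -> $userName. This admits every cert that CA has issued, so keep the
#    rule as narrow as your CA allows.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name manyToOneCertificateMappingsEnabled -Value $true
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$filter/manyToOneMappings" -Name '.' -Value @{
    name = 'InternalCA'; enabled = 'True'; permissionMode = 'Allow'; userName = $userName; password = $plain
}
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$filter/manyToOneMappings/add[@name='InternalCA']/rules" -Name '.' -Value @{
    certificateField = 'Issuer'; certificateSubField = 'CN'; matchCriteria = 'Example Client CA'; compareCaseSensitive = 'False'
}

# 4. Check what was written (only a prefix of the Base-64 value is shown).
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$filter/oneToOneMappings/add" |
    Select-Object userName, @{ n = 'certificate'; e = { $_.certificate.Substring(0, 24) + '...' } }
```

After running it, inspect the mapping under the site's configuration editor at the same section path the question lists; the Base-64 value shown there must be byte-for-byte the certificate the client presents, or the one-to-one match fails.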