WCF - TRANSPORT SECURITY – IIS - HANDLING CLIENT CERTIFICATES
1:1 Mapping -2003
Performs the client certificate authentication and maps it to windows account.
Once the client certificate is mapped, it is authorized based on the windows account / identity associated with it.
- Client certificate with Public key – so that it can be attached to user Identity.
- Windows identity – which will be used to authorize the access to the service / application.
IIS -> Web Site -> Properties -> Directory Security -> Secure Communication - > Enable client certificate mapping
Add -> Select the certificate with Public key (.cer, .crt, .spc, .key) -> Give a name and identity
Many to 1 mapping - 2003
Good feature: Enable Wild Card Client certificate mapping.
We can define set of rules here with some specified criteria to allow or bock list of certificates.
So, if the certificate passes all the rules, the request is allowed to enter in the service.
In many to one mapping also, when we need to set accept this certificate option again, we have to specify the windows account or valid identity to handle Many to one mapping.
Refuse Access option does not require any identity, IIS will reject it directly.
if your users authenticated with a Windows user credential at your WCF service, you'll be able to find their credentials under
if your users authenticated with a certificate, you'll find their identity (which is going to be a CertificateIdentity instead of a WindowsIdentity) under
Current.PrimaryIdentity can be used to obtain the Mapped identity of the incoming client certificate and can be used for further authorization in service.
All incoming client certificates are first tried to mapped at IIS level.
If the mapping is not present than these certificate it will fall back to Authentication scheme – Anonymous needs to be set on IIS.
Because of Anonymous authentication scheme all the request will be allowed inside - as Anonymous.
But these request can be handled inside the WCF code using the Certificate custom validator http://msdn.microsoft.com/en-us/library/ms733806.aspx
I hope this helps in handling client certificates on IIS and inside WCF service.