Certificate Mapping

Certificate Mapping is a feature of Internet Information Server (IIS) that allows mapping between user accounts and digital certificates.

What is Certificate Mapping (in computer networking)?

A feature of Internet Information Server (IIS) version 4 that allows mapping between user accounts and digital certificates. This is useful when an organization issues client certificates to users. Client certificates are digital certificates that verify the identity of client software (Web browsers) belonging to users. Client certificates are often used in situations in which mobile clients using laptops require secure access to a corporate intranet site.

How Certificate Mapping Works

Before users can be granted remote access to the corporate intranet, they must be authenticated by the Web server they are connecting to. IIS supports four kinds of Web authentication mechanisms:

  • Anonymous access:
    Allows anonymous users access to Web sites—such as public sites on the Internet.
  • Basic Authentication:
    Passes a user’s credentials over the network as clear text. Although this mechanism is not very secure, it has the advantage of being able to work through a firewall or a proxy server.
  • Windows NT Challenge/Response Authentication (called Integrated Windows Authentication in Windows 2000):
    A secure authentication method that does not actually pass the user’s credentials over the network but uses a cryptographic exchange instead. The only Web browser that supports this authentication method is Microsoft Internet Explorer. This method cannot work through a firewall or a proxy server.
  • Certificate mapping:
    Uses the Secure Sockets Layer (SSL) protocol to authenticate users by examining the contents of their client certificate in order to log them on to the network without requiring them to enter their credentials.
Client certificates provide verification of identity, while certificate mapping associates a user’s account with the user’s client certificate and permits the user to log on to the network. The user typically connects to a secure company Web site with a Web browser over SSL. The company Web server checks the Web browser’s client certificate. If the certificate is valid, the user is automatically logged on with his or her user account without ever having to enter credentials, and can access whatever intranet resources the account has permissions for.

NOTE

Certificate mapping is also supported by Active Directory in the Windows 2000 operating system. The Active Directory Users and Computers administrative tool can be used for this purpose.

TIP

IIS allows two kinds of client certificate mappings:

  • One-to-one mappings between user accounts and client certificates on the user’s browser. This type of mapping is typically used to allow users secure access to corporate intranet resources; for example, to view or modify their employee information.
  • One-to-many mappings of several client certificates to a single user account. One-to-many mappings have the advantage of letting an administrator map a certificate issued by a specific organization to a particular user account, so that every user presenting such a certificate is granted access to the corporate intranet. For example, an agency that provides your company with temps can assign the same client certificate to all temps who share one user account on your company’s network.
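As an added illustration of the mapping step described above (including the one-to-one and one-to-many mappings from the tip), and not code from IIS itself: a small Python resolver over constructed certificate data that first validates the certificate (trusted issuer, inside its validity period) and then consults a one-to-one table before falling back to one-to-many rules. All issuer names, account names, serials and rules are assumed values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class ClientCert:
    issuer: dict      # name components of the issuing CA, e.g. {"CN": "..."}
    subject: dict     # name components of the certificate holder
    serial: str
    not_before: datetime
    not_after: datetime

# Hypothetical CA trust list: certificates from any other issuer are never mapped.
TRUSTED_ISSUERS = {"Example Corp Client CA", "Temp Agency CA"}

# One-to-one: one specific certificate (issuer CN + serial) maps to one account.
ONE_TO_ONE = {("Example Corp Client CA", "1001"): "CORP\\alice"}

# One-to-many: every certificate whose fields match the rule maps to one shared
# account (the temp-agency case from the text).
ONE_TO_MANY = [({"issuer.CN": "Temp Agency CA", "subject.OU": "Contractors"}, "CORP\\temp_user")]

def is_valid(cert, now):
    """Checks done before any mapping: trusted issuer and inside the validity period."""
    return cert.issuer.get("CN") in TRUSTED_ISSUERS and cert.not_before <= now <= cert.not_after

def matches_rule(cert, rule):
    """True when every issuer.*/subject.* field named in the rule has the required value."""
    fields = {f"issuer.{k}": v for k, v in cert.issuer.items()}
    fields.update({f"subject.{k}": v for k, v in cert.subject.items()})
    return all(fields.get(k) == v for k, v in rule.items())

def map_certificate(cert, now):
    """Return the account to log the user on as, or None if the cert is invalid or unmapped."""
    if not is_valid(cert, now):
        return None
    account = ONE_TO_ONE.get((cert.issuer.get("CN"), cert.serial))   # one-to-one wins
    if account is None:
        account = next((acct for rule, acct in ONE_TO_MANY if matches_rule(cert, rule)), None)
    return account

# Constructed sample certificates and clock values (not real data).
NOW = datetime(2000, 6, 1, tzinfo=timezone.utc)
LATER = datetime(2002, 1, 1, tzinfo=timezone.utc)   # after every sample cert has expired
PERIOD = dict(not_before=datetime(2000, 1, 1, tzinfo=timezone.utc),
              not_after=datetime(2001, 1, 1, tzinfo=timezone.utc))
ALICE = ClientCert({"CN": "Example Corp Client CA"}, {"CN": "alice"}, "1001", **PERIOD)
TEMP = ClientCert({"CN": "Temp Agency CA"}, {"CN": "t.smith", "OU": "Contractors"}, "7", **PERIOD)
ROGUE = ClientCert({"CN": "Untrusted CA"}, {"CN": "alice"}, "1001", **PERIOD)  # same serial, wrong issuer
```

The rogue certificate reuses alice's serial but comes from an untrusted issuer, so it is rejected before the mapping tables are consulted.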