A feature of Internet Information Server (IIS) version 4 that allows mapping between user accounts and digital certificates. This is useful when an organization issues client certificates to users. Client certificates are digital certificates that verify the identity of client software (Web browsers) belonging to users. Client certificates are often used in situations in which mobile clients using laptops require secure access to a corporate intranet site.
Before users can be granted remote access to the corporate intranet, they must be authenticated by the Web server they are connecting to. IIS supports four kinds of Web authentication mechanisms:
Client certificates provide verification of identity, while certificate mapping associates a user’s account with the user’s client certificate and permits the user to log on to the network. The user typically uses a Web browser with the SSL protocol to connect to a secure company Web site. The company Web server checks the Web browser’s client certificate. If the certificate is valid, the user is automatically logged on using his or her user account without ever having to enter credentials, and can access whatever intranet resources the account has permissions for.
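The logon decision described above can be modeled in a few lines. This is an added example, not IIS code: the `ClientCert` and `CertificateMapper` names, the sample data, and the choice to key the mapping on the exact certificate bytes are assumptions of this sketch, and the issuer check stands in for the chain validation that the SSL layer performs.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ClientCert:
    """What the server holds after the SSL handshake (simplified, hypothetical model)."""
    der: bytes              # certificate bytes exactly as the browser presented them
    issuer: str
    not_before: datetime
    not_after: datetime


def fingerprint(cert: ClientCert) -> str:
    return hashlib.sha256(cert.der).hexdigest()


class CertificateMapper:
    def __init__(self, trusted_issuers):
        # Stand-in for chain validation, which the SSL layer performs in practice.
        self._trusted = frozenset(trusted_issuers)
        self._accounts = {}  # fingerprint -> user account

    def enroll(self, cert, account):
        self._accounts[fingerprint(cert)] = account

    def logon(self, cert, now):
        """Return the mapped account, or None (deny) if any check fails."""
        if cert.issuer not in self._trusted:
            return None
        if not (cert.not_before <= now <= cert.not_after):
            return None
        return self._accounts.get(fingerprint(cert))


# Constructed sample data: placeholder bytes, not real certificates.
UTC = timezone.utc
CA = "CN=Example Corp CA"
alice = ClientCert(b"constructed-cert-alice-1", CA,
                   datetime(2000, 1, 1, tzinfo=UTC), datetime(2001, 1, 1, tzinfo=UTC))
alice_renewed = ClientCert(b"constructed-cert-alice-2", CA,
                           datetime(2001, 1, 1, tzinfo=UTC), datetime(2002, 1, 1, tzinfo=UTC))
rogue = ClientCert(b"constructed-cert-untrusted", "CN=Unknown CA",
                   alice.not_before, alice.not_after)

mapper = CertificateMapper([CA])
mapper.enroll(alice, "CORP\\alice")

if __name__ == "__main__":
    print(mapper.logon(alice, datetime(2000, 6, 1, tzinfo=UTC)))          # valid and mapped
    print(mapper.logon(alice, datetime(2001, 6, 1, tzinfo=UTC)))          # expired: denied
    print(mapper.logon(alice_renewed, datetime(2001, 6, 1, tzinfo=UTC)))  # never enrolled: denied
```

In this sketch a renewed certificate is denied until it is enrolled, because the lookup is keyed on the certificate itself rather than on the user's name.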
Certificate mapping is also supported by Active Directory in the Windows 2000 operating system. The Active Directory Users and Computers administrative tool can be used for this purpose.
IIS allows two kinds of client certificate mappings: