IIS supports two types of client-certificate mapping. The legacy mode introduced in Internet Information Server (IIS) 4.0 lets you map certificates to specific user accounts manually. The advantage of this mode is that you can use certificates from multiple CAs and map those certificates to any account you choose. You can also map multiple certificates to a single account. You create the mappings by using the Account Mappings dialog box, which appears when you click Edit in the Secure Communications dialog box's Enable client certificate mapping section. Unfortunately, this mode of operation becomes unwieldy when you work with many certificates and user accounts.
The second type of client-certificate mapping lets you instruct IIS to map the client certificates that an enterprise CA issues to user accounts in AD. To use this mode of operation, open the Internet Information Services snap-in, right-click the Web server (not a Web site), and select Properties. From the Master Properties menu, select WWW Service, click Edit, and select the Directory Security tab. Select Enable the Windows directory service mapper, as Figure 5 shows. The advantages of this mode include scalability and some automated management features: As the enterprise CA issues user certificates, they're stored automatically in AD. You don't need to manually load and manage the certificates, and when users renew their certificates, you don't need to update the mappings. Note that the two types of client-certificate mapping are mutually exclusive in IIS, so you must choose your scheme with care. . . .
jeaster July 13, 2004 (Article Rating: