I have been googling this for hours. I cannot get my mapping to work on certain certificate fields. For example, this sample code:

<iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
  <manyToOneMappings>
    <add name="Contoso Employees"
         enabled="true"
         permissionMode="Allow"
         userName="Username"
         password="[enc:AesProvider:57686f6120447564652c2049495320526f636b73:enc]">
      <rules>
        <add certificateField="Subject"
             certificateSubField="O"
             matchCriteria="MyCompany A/S CVR:12345"
             compareCaseSensitive="true" />
      </rules>
    </add>
  </manyToOneMappings>
</iisClientCertificateMappingAuthentication>

This doesn't work. I am suspecting the special characters in matchCriteria="MyCompany A/S CVR:12345". If I map it on certificateSubField="C" and matchCriteria="DK" then it works. I have also tried the combination matchCriteria="MyCompany*", where I am using the wildcard character *, and it still doesn't work. If I use just the * as in matchCriteria="*" then it works, but then again this is a useless match.

I checked with certutil to see what value it gives me for the subfields CN, O and C. CN and O have a similar value: MyCompany A/S CVR:12345. They both contain spaces and special characters.

How can I do this matching in IIS 7.5? I should mention that this mapping on the exact same value works fine in IIS 6.

Oliver Nilsen

1 Answer

I figured it out myself. It is because IIS client certificate mapping fails if the certificate issuer and subject are in UTF-8 encoded strings. This is a known issue with IIS 7 and 7.5.

There is a hotfix from Microsoft that fixes this. Take a look at KB article 2597665:

"A certificate mapping rule in IIS does not work for a client certificate that has Unicode encoding attributes in Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7"

Oliver Nilsen
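
To check whether a given client certificate falls into the case the answer describes, the following added example (not part of the original question or answer) walks a DER-encoded X.509 Name and reports the ASN.1 string type of each attribute. The function names and the sample Name are constructed for illustration; the sample assumes O is stored as UTF8String and C as PrintableString.

```python
# Added example (not from the post): ASN.1 string type of each attribute in a DER Name.
STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x1E: "BMPString"}
ATTRS = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O"}  # OIDs 2.5.4.x

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def name_string_types(name_der):
    """Return [(attribute, string_type, text)] for every attribute in the Name."""
    tag, rdns, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a DER SEQUENCE")
    out = []
    for _, rdn in children(rdns):        # each RDN is a SET
        for _, atv in children(rdn):     # SEQUENCE { type OID, value string }
            (_, oid), (stag, sval) = list(children(atv))[:2]
            codec = {0x0C: "utf-8", 0x1E: "utf-16-be"}.get(stag, "latin-1")
            out.append((ATTRS.get(oid, oid.hex()),
                        STRING_TAGS.get(stag, hex(stag)), sval.decode(codec)))
    return out

def utf8_attributes(name_der):
    """Attributes stored as UTF8String, the encoding the answer ties to the failure."""
    return [attr for attr, kind, _ in name_string_types(name_der) if kind == "UTF8String"]

def tlv(tag, val):
    return bytes([tag, len(val)]) + val  # sample builder, short-form lengths only

# Constructed sample Name using the question's values: C as PrintableString, O as UTF8String.
SAMPLE_NAME = tlv(0x30,
    tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x06") + tlv(0x13, b"DK"))) +
    tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x0a") +
                  tlv(0x0C, "MyCompany A/S CVR:12345".encode("utf-8")))))

if __name__ == "__main__":
    print(name_string_types(SAMPLE_NAME))
```

On Windows, the Name bytes to feed in are what .NET exposes as `X509Certificate2.SubjectName.RawData` and `IssuerName.RawData`.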