Adding a Client Certificate Mapping Using Wildcard Rules
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
When you create wildcard rules to map client certificates, use matching rules that are as specific as possible. A good wildcard rule matches information from several different fields and subfields rather than a single one. For example, the names "Accounting", "Shipping", and "Sales" can appear in the organizational unit (OU) subfield of more than one company's client certificates. A matching rule that maps certificates based exclusively on this subfield would probably result in unintended mappings, because a certificate issued to a different company could be mapped to the same Windows account.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /user:Administrative_AccountName "mmc %systemroot%\system32\inetsrv\iis.msc".
Procedures
To add a client certificate mapping using wildcard rules
In IIS Manager, double-click the local computer, and then double-click the Web Sites folder.
Right-click the Web site for which you want to configure wildcard certificate mapping, and then click Properties.
Click the Directory Security tab, and then in the Secure Communications section, click Edit.
In the Secure Communications box, select the Enable client certificate mapping check box, and then click Edit.
In the Account Mappings box, click the Many-to-1 tab, and then click Add.
In the General box, type a name for the rule. This is the name that will be displayed in the selection list on the Account Mappings box. You can create rules for future use or disable rules without deleting them by selecting or clearing the Enable this wildcard rule check box. Click Next.
In the Rules box, click New.
In the Edit Rule Element box, select the appropriate criteria and click OK.
Note
Steps 6 and 7 can be repeated to define the rule more stringently.
When you have finished editing the rule, click Next.
In the Mapping box, either type or browse to a Windows user account. Type the password of the account to which the rule is being mapped.
Note
If the account you are mapping to is on a computer that is a member of a workgroup, you must specify the computer name and the account name. For example, if you are mapping to the "RegionalSales" account on the computer called "Sales1", the mapping account name would be "Sales1\RegionalSales".
Click OK.
Repeat these steps to create other mapping rules.
Use the Move Up and Move Down buttons to establish the precedence given to the rules. Rules that are higher in the list take precedence.
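The following Python script is an added illustration, not IIS code, of the two points made on this page: why a rule that matches only one subfield causes unintended mappings, and why rule order is the precedence. It models a wildcard rule as a list of (field, subfield, pattern) elements that must all match, evaluates rules first-match-wins in list order, and uses constructed sample certificates; the case-sensitive glob matching and the account names are assumptions.

```python
# Added example: a small model of many-to-one wildcard rule evaluation.
# Not IIS code. Rule elements, "all elements must match" and first-match-wins
# ordering are assumptions modelled on the dialogs described in the procedure.
from fnmatch import fnmatchcase

# Constructed sample certificates: two companies both use an OU of "Accounting".
CERTS = {
    "contoso-acct": {"Subject": {"O": "Contoso", "OU": "Accounting", "CN": "alice"},
                     "Issuer":  {"O": "Contoso CA", "CN": "Contoso Issuing CA"}},
    "fabrikam-acct": {"Subject": {"O": "Fabrikam", "OU": "Accounting", "CN": "bob"},
                      "Issuer":  {"O": "Fabrikam CA", "CN": "Fabrikam Issuing CA"}},
}

def rule_matches(rule, cert):
    """Every (field, subfield, pattern) element must match; '*' and '?' are wildcards."""
    return all(fnmatchcase(cert.get(field, {}).get(sub, ""), pattern)
               for field, sub, pattern in rule["elements"])

def map_certificate(rules, cert):
    """Return the account of the first enabled rule that matches (list order = precedence)."""
    for rule in rules:
        if rule["enabled"] and rule_matches(rule, cert):
            return rule["account"]
    return None

# Too loose: matches on the Subject OU subfield only, so both companies' certificates map.
LOOSE_RULES = [
    {"name": "Accounting", "enabled": True, "account": r"Sales1\ContosoAcct",
     "elements": [("Subject", "OU", "Accounting")]},
]
# Specific: the issuer and organization are pinned as well, so only Contoso certificates map.
STRICT_RULES = [
    {"name": "Contoso accounting", "enabled": True, "account": r"Sales1\ContosoAcct",
     "elements": [("Issuer", "CN", "Contoso Issuing CA"),
                  ("Subject", "O", "Contoso"),
                  ("Subject", "OU", "Accounting")]},
]

def demo():
    """Map each sample certificate with the loose rule set and with the strict one."""
    return {name: (map_certificate(LOOSE_RULES, c), map_certificate(STRICT_RULES, c))
            for name, c in CERTS.items()}

if __name__ == "__main__":
    for name, (loose, strict) in demo().items():
        print(f"{name}: loose rule -> {loose}, strict rule -> {strict}")
```

Running it shows the Fabrikam certificate mapped to the Contoso account under the loose rule and left unmapped under the strict one; reordering two matching rules changes which account wins, which is what Move Up and Move Down control.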
Related Information
For information about how to map a specific client certificate to a user account, see Mapping Client Certificates One-to-One.
For information about when to use each type of client certificate mapping, see Mapping Strategies.
For general information about certificates, see SSL and Certificates.