3.1.4.1.35 Certificate Mapping

Whenever Certificate Authentication is the mechanism used to authenticate the client, a Web Services Management Protocol Extensions for Windows Vista server MUST map the certificate it receives from the client to a local user on the server.

When using the wsman:secprofile/https/mutual profile for authentication, the Web Services Management Protocol Extensions for Windows Vista server MUST use the following algorithm to map the client’s certificate to the local user account:

  • First find all entries in the Certificate Mapping Table matching the following criteria:

    • The entry's Issuer field matches the issuer thumbprint from the client's certificate.

    • The entry's URI field matches the resource URI of the client request, using the rules in section 2.2.4.3.

    • The entry's subject field matches the Subject field of the client request, using the rules in section 2.2.4.3.

  • Within those entries, choose the entry or entries with the longest Subject field.

  • If there are multiple entries with the same longest length for Subject, choose (within that set) the entry or entries with the longest URI field.

If no matching entry is found, or the algorithm chose multiple matching entries, then the Web Services Management Protocol Extensions for Windows Vista server MUST fail the request with wsman:AccessDenied.

If a single matching entry was chosen, then the server MUST verify that the username and password match a user account on the server, using implementation-specific means. If account verification fails, then the server MUST fail the request with wsman:AccessDenied.

If account verification succeeded, then the server MUST verify that the account is authorized for the request, using the rules in section 3.1.4.1.28.
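The selection algorithm above, as an added illustration that is not code from the specification: it returns the single mapped account, or None wherever the text requires wsman:AccessDenied (no match, or more than one entry surviving the Subject and URI tie-breaks). The pattern matcher is an assumed stand-in for the section 2.2.4.3 rules, which are not on this page, and the table, thumbprint, URIs and account names are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class CertMappingEntry:
    issuer: str    # issuer thumbprint the client certificate must come from
    subject: str   # Subject pattern
    uri: str       # resource URI pattern
    username: str  # local account the certificate maps to


def pattern_matches(pattern: str, value: str) -> bool:
    # ASSUMPTION: stand-in for the section 2.2.4.3 matching rules (not on
    # this page): exact match, or a trailing '*' matches any suffix.
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value


def map_certificate(table: List[CertMappingEntry], issuer_thumbprint: str,
                    cert_subject: str, resource_uri: str) -> Optional[str]:
    """Return the username of the single entry the algorithm selects, or
    None, which the server must turn into wsman:AccessDenied."""
    # Step 1: every entry whose Issuer, URI and Subject fields all match.
    candidates = [e for e in table
                  if e.issuer == issuer_thumbprint
                  and pattern_matches(e.uri, resource_uri)
                  and pattern_matches(e.subject, cert_subject)]
    if not candidates:
        return None
    # Step 2: keep only the entries with the longest Subject field.
    longest = max(len(e.subject) for e in candidates)
    candidates = [e for e in candidates if len(e.subject) == longest]
    # Step 3: on a Subject tie, keep only the entries with the longest URI.
    if len(candidates) > 1:
        longest = max(len(e.uri) for e in candidates)
        candidates = [e for e in candidates if len(e.uri) == longest]
    # Anything other than exactly one survivor fails the request.
    return candidates[0].username if len(candidates) == 1 else None


# Constructed sample table; the thumbprint and account names are placeholders.
ISSUER = "0000deadbeef0000"
WMI_URI = "http://schemas.microsoft.com/wbem/wsman/1/wmi/*"
TABLE = [
    CertMappingEntry(ISSUER, "*", "*", "wsman_any"),
    CertMappingEntry(ISSUER, "CN=admin*", "*", "wsman_admin"),
    CertMappingEntry(ISSUER, "CN=admin*", WMI_URI, "wsman_wmi"),
]
# A second entry with equally long Subject and URI makes the choice ambiguous.
AMBIGUOUS_TABLE = TABLE + [CertMappingEntry(ISSUER, "CN=admin*", WMI_URI, "wsman_other")]
REQUEST_URI = "http://schemas.microsoft.com/wbem/wsman/1/wmi/root/cimv2/Win32_Service"
```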