Mapping Client Certificates

Whenever my service receives a message, the service operation fails because the user identity is not mapped to a Windows identity. How can I make this mapping?

What's probably going wrong is that the user identity is specified by a certificate but there's no active mapping from the client certificate to a Windows account. By default, no mapping is performed. You can enable certificate mapping by setting mapClientCertificateToWindowsAccount to true on the service credentials.

<serviceCredentials>
  <clientCertificate>
    <authentication mapClientCertificateToWindowsAccount="true" />
  </clientCertificate>
</serviceCredentials>

The actual mappings are not provided by the service configuration. Mappings are typically defined using the certificate mapping features of either IIS or Active Directory. IIS mappings can vary from web site to web site, but it's difficult to manage more than a small number of them. Active Directory mappings are the same across the whole directory, and the centralized directory makes the mappings easier to manage.
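
The same setting applied in code, with an operation that refuses to proceed unless the caller actually resolved to a Windows account. This is an added example, not code from the original post; the IEcho contract, the EchoService class, the endpoint address and the "example-service" certificate subject are placeholders assumed for illustration.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.ServiceModel;

[ServiceContract]
public interface IEcho   // hypothetical contract
{
    [OperationContract]
    string WhoAmI();
}

public class EchoService : IEcho
{
    public string WhoAmI()
    {
        // Check the Windows identity before any impersonation or ACL-based access.
        WindowsIdentity win = ServiceSecurityContext.Current.WindowsIdentity;
        if (win == null || win.IsAnonymous)
            throw new FaultException("Client certificate is not mapped to a Windows account.");
        return win.Name;
    }
}

class Program
{
    static void Main()
    {
        // Message security with a certificate as the client credential.
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        var host = new ServiceHost(typeof(EchoService), new Uri("http://localhost:8000/echo"));
        host.AddServiceEndpoint(typeof(IEcho), binding, "");
        // Placeholder subject name; the service needs its own certificate for message security.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "example-service");
        // Code equivalent of mapClientCertificateToWindowsAccount="true".
        host.Credentials.ClientCertificate.Authentication
            .MapClientCertificateToWindowsAccount = true;
        host.Open();
        Console.WriteLine("Listening. Press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The mapping itself still has to exist in IIS or Active Directory; this code only asks the service to perform the lookup.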

Next time: How WebServiceHost Works

Comments

  • Anonymous
    June 20, 2008
    How should I represent raw XML content in a contract? It seems like it would be really easy to have within