IIS 7 and Above
Trying to set a Managed Service Accounts in iis Client Certificate Ma...
Last post Feb 13, 2019 07:14 AM by Jalpa Panchal
Feb 12, 2019 01:47 PM|ptkok
I am trying to add a new AD account of type "Managed Service Accounts" into IIS Web Service Client Certificate Validation using the "IIS Client Certificate Mapping Authentication" One-to-one implementation from Configuration Editor (system.webServer/security/authentication/iisClientCertificateMappingAuthentication).
I successfully added another simple account that has a username/password, but when trying to add the MSA account, I am getting a 401 Unauthorised error when communicating with the Web Service.
Does IIS support using MSA accounts in the "IIS Client Certificate Mapping Authentication One-to-one implementation"?
Feb 13, 2019 02:02 AM|Jalpa Panchal
In my opinion, we couldn't set an MSA account with Client Certificate Mapping Authentication. There are two ways to set Client Certificate Mapping Authentication in IIS: the first is One-To-One Mappings and the second is Many-To-One Mappings.
Client Certificate Mapping authentication using IIS is different from Client Certificate Mapping using Active Directory.
For example, you deployed users with authentication certificates using AD CS and configured the Certificate Template to allow Active Directory storage. Now you can employ "non-IIS" Client Certificate Mapping Authentication on an AD member server with IIS installed, and have IIS automatically map the certificate to a user by querying Active Directory.
"IIS Client Certificate Mapping Authentication" is considered for non-AD CS certificates and standalone servers.
Since Active Directory will not be used to map certificates to users in this scenario, you'll need to define the mappings in the configuration files, either as one-to-one mappings or many-to-one mappings.
You could refer to the article below for more detail:
IIS Client Certificate Mapping Authentication
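As an added example (not code from either poster), this is one way to build the one-to-one mapping that the answer describes, using the WebAdministration module; the site name, certificate path and account name are placeholders, and the entry shows why a username and a stored password are both required:

```powershell
# Added example, not from the original thread.
# Assumptions (placeholders): site "Default Web Site", the client's public
# certificate exported in DER form to C:\certs\client.cer, and a normal domain
# account CONTOSO\svc-certmap whose password the administrator knows.
Import-Module WebAdministration

$site    = 'Default Web Site'
$cerPath = 'C:\certs\client.cer'
$psPath  = 'MACHINE/WEBROOT/APPHOST'
$authFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# The one-to-one "certificate" attribute is the Base64 of the DER certificate,
# with no PEM header/footer and no line breaks.
$certB64 = [Convert]::ToBase64String([System.IO.File]::ReadAllBytes($cerPath))

# Require TLS and ask the client for a certificate on this site.
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert'

# Turn on IIS (non-AD) client certificate mapping with one-to-one mappings.
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter $authFilter -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter $authFilter -Name 'oneToOneCertificateMappingsEnabled' -Value $true

# Each one-to-one entry binds a certificate to a Windows account AND that
# account's password; IIS stores the password encrypted in applicationHost.config
# and uses it to log the account on when the certificate is presented. An account
# whose password is not available to the administrator cannot be entered here.
Add-WebConfigurationProperty -PSPath $psPath -Location $site `
    -Filter "$authFilter/oneToOneMappings" -Name '.' -Value @{
        enabled     = 'true'
        userName    = 'CONTOSO\svc-certmap'
        password    = '<password-placeholder>'
        certificate = $certB64
    }

# Review the result; the password attribute is shown in its encrypted form.
Get-WebConfiguration -PSPath $psPath -Location $site -Filter "$authFilter/oneToOneMappings/add" |
    Select-Object enabled, userName, certificate
```

Because the mapped account's credentials live in the server configuration, restrict read access to applicationHost.config and prefer a low-privilege account dedicated to this mapping.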
Feb 13, 2019 05:36 AM|ptkok
My point is that I am trying to use the non-AD method but with an account that does not have a password (system account) or has a password that changes periodically.
Feb 13, 2019 07:14 AM|Jalpa Panchal
If you are using the non-AD method you need a username and password.