Re: Can IIS Log username from client certificate?

From: David Wang [Msft]
Date: 09/07/03

Date: Sat, 6 Sep 2003 15:20:13 -0700

IIS *requires* some authenticated Windows user to be used for every request,
i.e. "Anonymous" authentication means that IIS uses a built-in IUSR account.
Any other authentication implies some Windows user identity is authenticated
through a variety of protocols.

To use client certificates for authentication, you must provide some way to
map a cert user identity to some Windows user. Without this mapping, IIS
will not know what authenticated Windows identity to use for that request.
If you do not want a 1-1 mapping, what about a many-to-1 mapping?

In other words -- if you want an authorization model (i.e.
list/read/write/execute) based on cert user identity, you will need a 1-1
mapping so that NT ACLs can work for you. If you plan to have all cert user
identities have similar authorization, use a many-to-1 mapping (with a couple
of exceptions to allow administrators, etc).

This posting is provided "AS IS" with no warranties, and confers no rights.
"Ohaya" wrote in message
Ohaya wrote:
> Hi,
> I'm running IIS under Win2003 Server, and have "client authentication
> required" enabled but with mapping from the client cert to the Windows
> username NOT enabled.
> Is there any way to have IIS log the username from the client's
> certificate to the IIS log file, without the user having to enter
> username/password (basic authentication)?
> If not, is it possible to get the username from the certificate
> programmatically, e.g., using ASP?
> Thanks in advance!!!
I've done some further experimentation and it looks like if I
enable/configure mapping from the client certificate to Windows
username, the user name does appear in the IIS logs.
However, as indicated in my original post, we would really like to
accomplish this (have name from the client cert appear in the IIS logs)
without having to set up the mapping.
Is there any way to do this?
I've also found that .NET has an HTTPClientCertificate class that might
allow us to retrieve the DN from the client cert, but here again, we'd
like to not have to go to .NET just yet.  Is there anything with
"regular" ASP that would allow us to do this?
Thanks again in advance!!!
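As an added illustration (not code from either poster), this is how "regular" classic ASP can read the subject of the client certificate that IIS has already validated and push it into the current request's IIS log entry through Response.AppendToLog, so no cert-to-Windows-account mapping is needed for logging. It assumes the site runs over SSL with "require client certificates" enabled and W3C extended logging turned on; the request is still processed under the anonymous IUSR identity, so this gives you a logged name, not an authorization model.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit

' Added example: log the client-certificate subject for this request.
' IIS has already checked the certificate chain before the page runs;
' this code only reads what was presented and records it.

' True when IIS received a client certificate on this request.
' Bit 1 of the Flags field (ceCertPresent) is set when a cert is present.
Function ClientCertPresent()
    Dim flags
    flags = Request.ClientCertificate("Flags")
    If flags = "" Then flags = 0
    ClientCertPresent = ((CLng(flags) And 1) = 1)
End Function

' Replace characters that would break the log line (field separators, CR/LF)
' so a crafted DN cannot inject extra fields or a fake second log line.
Function LogSafe(s)
    Dim out, i, ch
    out = ""
    For i = 1 To Len(s)
        ch = Mid(s, i, 1)
        If ch = "," Or ch = " " Or ch = vbCr Or ch = vbLf Or ch = vbTab Then
            out = out & "_"
        Else
            out = out & ch
        End If
    Next
    LogSafe = out
End Function

Dim certUser
certUser = ""
If ClientCertPresent() Then
    ' Subject common name; Request.ClientCertificate("Subject") is the full DN.
    certUser = Request.ClientCertificate("SubjectCN")
    If certUser = "" Then certUser = Request.ClientCertificate("Subject")
    ' Record the serial number as well, so the entry can be tied to one
    ' specific certificate even if two certificates carry the same CN.
    Response.AppendToLog "certuser=" & LogSafe(certUser) & _
        ";serial=" & LogSafe(Request.ClientCertificate("SerialNumber"))
Else
    Response.AppendToLog "certuser=none"
End If
%>
<html><body>Hello <%= Server.HTMLEncode(certUser) %></body></html>
```

The appended text shows up at the end of that request's line in the site's log file; the name recorded is whatever the issuing CA put in the certificate's subject, so it is only as trustworthy as the CAs IIS is configured to accept.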
