How to Map Windows Accounts with Certificates

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If you are using certificate authentication, you can map certificates to Windows accounts to enable authentication and authorization based on the Windows account.

You can map an X.509 certificate to a Windows account by setting the mapClientCertificateToWindowsAccount property to true. By default, when the certificate client credential type is used on a binding, the certificate is not mapped to a Windows account.

Use the following steps to map certificates to Windows accounts:
  1. Select IIS vs Active Directory Mapping.
    1. IIS Mapping is useful if you need only a limited number of mappings or a different mapping on each WCF Service.
    2. Use Active Directory mapping when the account mappings are identical on all IIS servers. Active Directory mapping is easier to maintain than IIS mapping because you only have to create the mapping in one location.
  2. Configure IIS or Active Directory to map the certificates.
  3. Once you have enabled the client certificate mapping feature, set the mapClientCertificateToWindowsAccount property to true.
<serviceBehaviors>
  <behavior name="MyServiceBehaviorForWebHttp">
    <serviceCredentials>
      <clientCertificate>
        <!-- Map the authenticated client certificate to a Windows account -->
        <authentication mapClientCertificateToWindowsAccount="true" />
      </clientCertificate>
    </serviceCredentials>
  </behavior>
</serviceBehaviors>
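
Once the mapping is in place, the service can authorize against the mapped Windows account. The following is an added example, not code from the original page: the contract IReportService, the class ReportService and the group CONTOSO\ReportReaders are hypothetical names, and it assumes the behavior above is applied to the service and that WCF's default UseWindowsGroups principal permission mode is in effect.

```csharp
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Security;

[ServiceContract]
public interface IReportService            // hypothetical contract
{
    [OperationContract]
    string WhoAmI();

    [OperationContract]
    string GetReport();
}

public class ReportService : IReportService
{
    // Returns the Windows account the client certificate was mapped to.
    public string WhoAmI()
    {
        return GetMappedIdentity().Name;
    }

    // Authorization by Windows group membership of the mapped account.
    // CONTOSO\ReportReaders is a placeholder group name.
    [PrincipalPermission(SecurityAction.Demand, Role = @"CONTOSO\ReportReaders")]
    public string GetReport()
    {
        // Also confirm that a mapped identity is present before doing any work.
        GetMappedIdentity();
        return "report body";
    }

    // Fail closed: without a successful mapping the caller has no usable
    // Windows identity, so the request is rejected instead of being
    // processed as an anonymous user.
    private static WindowsIdentity GetMappedIdentity()
    {
        ServiceSecurityContext context = ServiceSecurityContext.Current;
        WindowsIdentity mapped = (context == null) ? null : context.WindowsIdentity;

        if (mapped == null || mapped.IsAnonymous || !mapped.IsAuthenticated)
        {
            throw new SecurityAccessDeniedException(
                "Client certificate is not mapped to a Windows account.");
        }
        return mapped;
    }
}
```

Calling WhoAmI from a test client is a quick way to confirm which account a given certificate resolves to before relying on group-based demands.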


Last edited Jun 13, 2008 at 6:36 PM by prashantbansode, version 1
