How to Map Roles to Certificates

- J.D. Meier, Carlos Farre, Jason Taylor, Prashant Bansode, Steve Gregersen, Madhu Sundararajan, Rob Boucher

If you are using certificate authentication, you can map the client certificate to a Windows account and authorize callers based on that account.

Use the following steps to associate roles with a certificate:
  1. Configure IIS to enable client certificate mapping.
    1. Open the IIS services applet.
    2. Right-click the web site you will be using for your service and select Properties.
    3. Select the Directory Security tab and click the Edit button in the Secure Communications section.
    4. Check the “Enable Client Certificate Mapping” checkbox. Click the mapping Edit button and fill in a 1-to-1 or Many-to-1 mapping, depending on your configuration.
  2. Configure the service to require ClientCredentialType = “Certificate”. This requires clients to connect using certificate authentication.

<message clientCredentialType="Certificate" />
  3. Configure the service to map certificates to user accounts in the web.config or app.config file by setting mapClientCertificateToWindowsAccount to “true”.
<serviceBehaviors>
 <behavior name="MappingBehavior">
  <serviceCredentials>
   <clientCertificate>
    <!-- certificateValidationMode="None" performs no chain or trust validation of the
         presented certificate; use ChainTrust or PeerOrChainTrust if the service itself
         should validate the certificate before it is mapped to an account. -->
    <authentication certificateValidationMode="None" mapClientCertificateToWindowsAccount="true" />
   </clientCertificate>
  </serviceCredentials>
 </behavior>
</serviceBehaviors>
  4. Configure clients to supply a certificate. Incoming client requests will contain the certificate name and thumbprint ID; IIS maps the client certificate to a Windows user account.

<message clientCredentialType="Certificate" />
  5. Authorize the required Windows group by adding the PrincipalPermission attribute above each service method that requires authorization. Specify the Windows group required to access the method in the Role field.
using System.Security.Permissions;

// Demand membership in the "accounting" Windows group before this operation runs.
[PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
public double Add(double a, double b)
{
    return a + b;
}
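To show the five steps side by side, here is an added example (not code from the original page or from the patterns & practices team) of the same configuration done programmatically for a self-hosted WCF service: message security with certificate client credentials, certificate-to-Windows-account mapping, and both a declarative and an imperative role check against the mapped identity. The service address, the service certificate subject name “localhost”, and the “auditors” group are assumptions; “accounting” is the group used on this page. It also deliberately uses ChainTrust instead of the page's certificateValidationMode="None" so the presented certificate is validated before it is mapped.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.Security.Cryptography.X509Certificates;
using System.Security.Permissions;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Security;

// Service contract; Add mirrors the operation shown on this page.
[ServiceContract]
public interface ICalculator
{
    [OperationContract]
    double Add(double a, double b);

    [OperationContract]
    string WhoAmI();
}

public class CalculatorService : ICalculator
{
    // Declarative check: the mapped Windows account must belong to the
    // "accounting" group or WCF rejects the call before the body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "accounting")]
    public double Add(double a, double b)
    {
        return a + b;
    }

    // Imperative check: lets the service audit which mapped account called
    // and make decisions that depend on more than one group.
    public string WhoAmI()
    {
        WindowsIdentity caller = ServiceSecurityContext.Current.WindowsIdentity;
        if (caller == null || caller.IsAnonymous)
        {
            // No mapping took place (mapping disabled, or the certificate is
            // not associated with any Windows account).
            throw new FaultException("Client certificate did not map to a Windows account.");
        }
        // "auditors" is a hypothetical group name.
        bool isAuditor = new WindowsPrincipal(caller).IsInRole("auditors");
        return caller.Name + (isAuditor ? " (auditor)" : "");
    }
}

public static class Program
{
    public static void Main()
    {
        // Programmatic equivalent of <message clientCredentialType="Certificate" />.
        WSHttpBinding binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;

        // Placeholder address; adjust for the deployment.
        ServiceHost host = new ServiceHost(typeof(CalculatorService),
            new Uri("http://localhost:8000/Calculator"));
        host.AddServiceEndpoint(typeof(ICalculator), binding, "");

        // Service certificate that protects the messages; subject name is a placeholder.
        host.Credentials.ServiceCertificate.SetCertificate(
            StoreLocation.LocalMachine, StoreName.My,
            X509FindType.FindBySubjectName, "localhost");

        // Equivalent of <authentication mapClientCertificateToWindowsAccount="true" />,
        // but with chain validation of the client certificate before mapping.
        X509ClientCertificateAuthentication auth = host.Credentials.ClientCertificate.Authentication;
        auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
        auth.MapClientCertificateToWindowsAccount = true;

        // PrincipalPermission demands evaluate Windows group membership of the
        // mapped account (UseWindowsGroups is also the default mode).
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;

        host.Open();
        Console.WriteLine("Service listening; press Enter to stop.");
        Console.ReadLine();
        host.Close();
    }
}
```

The declarative attribute on Add and the imperative check in WhoAmI both read the same mapped WindowsIdentity, so group changes in Active Directory take effect without touching the service code; the WhoAmI fault makes a failed mapping visible rather than silently running as an anonymous caller.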

Last edited Jun 13, 2008 at 6:30 PM by prashantbansode, version 1
