Domino for IIS supports using client certificates alone or in combination with any of the other authentication options. In all cases we rely on IIS to verify the certificate signer. The certificates do not have to be stored in the Domino Directory since Domino for IIS uses the common name from the certificate sent from IIS. No configuration of Domino is necessary other than enabling client certificates on the SSL port.
Here is a step-by-step description of how authentication works with client certificates:
2. IIS verifies the certificate signer.
3. On every Domino request made during the SSL session, IIS passes the client certificate to Domino. IIS will also pass a user name with the request if any of the following conditions is true:
5. If Domino does not find the certificate common name in the directory, but IIS also passed a user name with the request, then Domino does a lookup of the user name in the directory. If that lookup succeeds, Domino maps the user to the distinguished name as described above. If the lookup fails, then Domino returns a 401 error.
6. If Domino does not find the certificate common name in the directory, and IIS did not send a user name with the request, then Domino authenticates the user as Anonymous, if Anonymous is enabled for the SSL port. If it is not enabled then Domino returns a 401 error.
This scenario represents an existing MS IIS configuration with SSL, including client certificates already in use and mapped to NT accounts. Every user who requires access to protected Domino databases and is defined by an existing NT user account mapped to a client certificate needs a corresponding Person document in the Domino Directory. Domino authenticates the user by verifying the name in the User name field of the Person document. That field must include either the certificate's common name or the NT account name as an alias, so that the name can be mapped to a Domino Distinguished Name.
The first example below shows the common name from the user certificate mapped to a Domino Distinguished Name; the second shows the NT account name mapped to the Domino Distinguished Name. The database ACL authorizes only the first entry in the User name field. In this scenario IIS validates the client certificate; even if the certificate itself is stored in the Domino Directory, Domino does not use it. The SSL port settings in Domino are honored and are enabled by default for anonymous, basic and client certificate authentication.
Joe Smith/CorpSales
Joe Smith
...any other aliases
or
Joe Smith/CorpSales
SALES\JSmith
...any other aliases
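The resolution order of steps 3 to 6 and the two User name field layouts just shown, modelled as an added Python example (not Domino or IIS code). PERSON_DOCS is a constructed directory; step 4, which this excerpt omits, is modelled as the common-name lookup that steps 5 and 6 imply, and the first User name entry is taken as the Distinguished Name the ACL authorizes, as stated above.

```python
# Added example, not Domino code: models how Domino for IIS resolves a request's
# identity from the client certificate common name and optional IIS user name.
from dataclasses import dataclass
from typing import List, Optional

# Constructed Domino Directory: each Person document's User name field.
# The first entry is the Domino Distinguished Name that database ACLs authorize;
# later entries are aliases (certificate common name or NT account name).
PERSON_DOCS: List[List[str]] = [
    ["Joe Smith/CorpSales", "Joe Smith"],        # common name as alias
    ["Ann Lee/CorpSales", "SALES\\ALee"],        # NT account name as alias
]


@dataclass
class AuthResult:
    name: Optional[str]   # DN used for ACL checks, "Anonymous", or None
    error: Optional[int]  # 401 when Domino rejects the request, else None


def lookup_dn(name: str) -> Optional[str]:
    """Return the DN (first User name entry) of the Person document whose
    User name field contains `name`, or None if no document matches."""
    for entries in PERSON_DOCS:
        if name in entries:
            return entries[0]
    return None


def authenticate(cert_cn: Optional[str], iis_user: Optional[str],
                 anonymous_enabled: bool = True) -> AuthResult:
    """Resolve the identity for one request IIS passes to Domino.
    IIS has already verified the certificate signer (step 2)."""
    # Step 4 (modelled): look up the certificate common name in the directory.
    if cert_cn is not None:
        dn = lookup_dn(cert_cn)
        if dn is not None:
            return AuthResult(dn, None)
    # Step 5: common name not found; fall back to the user name IIS sent, if any.
    if iis_user is not None:
        dn = lookup_dn(iis_user)
        return AuthResult(dn, None) if dn is not None else AuthResult(None, 401)
    # Step 6: no user name from IIS; Anonymous only if enabled on the SSL port.
    if anonymous_enabled:
        return AuthResult("Anonymous", None)
    return AuthResult(None, 401)
```

Disabling Anonymous on the SSL port is what turns an unknown certificate without an IIS user name into a 401 rather than anonymous access, so a protected database should not rely on the ACL's Anonymous entry alone.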
Scenario 2: How do I use my existing Domino client certificates currently registered in Domino and continue to register new users?
When using Domino for IIS, IIS handles the actual SSL connection. If you currently use SSL and have a Domino Server Key Ring configured, it is not used, and you need to create one for IIS. All users registered in the Domino Directory with a client certificate continue to use their existing client certificates for authorization to protected Domino databases. To achieve this, IIS's Directory Security must be enabled for Anonymous access and set to Accept Client Certificates. Users with client certificates must be able to authenticate with the IIS server "Anonymously" and also send their client certificate when IIS requests it. Domino must also have client certificate authentication enabled in the Server document. Registering new client certificates may continue, using the Domino CA Application, after creating Person documents in the Domino Directory. The User name field for this scenario may be laid out the same as in scenario 1. If the user has an NT account, it may also be used as an alias.
Benefits for implementing this option: