Client Certificate Authentication and Windows Authentication on IIS

I have an HTTPS service hosted in IIS 10 which previously was using Windows Authentication, and it was working well.

Now, we need to implement Client Certificate Authentication. Currently I have enabled both Client Certificate Mapping Authentication and Windows Authentication, and configured the service to accept client certificates.
Everything works well like this, but when I log in with a Client Certificate, the process for Windows Authentication is skipped (I have checked this with Wireshark and I can see only SSL packets).

How can I implement protection with Client Certificate Mapping Authentication, but so that Windows Authentication can also be used?

My intention is to make the website more secure if some user loses his certificate, so the lost certificate cannot be used for accessing the website by a person who has somehow obtained the lost certificate.

Answer

You would have to use Client Certificate Mapping Authentication (AD-integrated) and not IIS Client Certificate Mapping Authentication. Windows auth will grab the user's logged-on credentials and pass them through. When you use IIS Client Certificate Mapping Authentication you are entering a username and password. You would use basic auth for this.
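The configuration the answer describes, written out as an added example (not part of the question or answer, and not vendor code): it enables the AD-integrated certificate mapping for one site, turns the IIS-specific mapping off, keeps Windows Authentication on, and reads the effective settings back. It assumes a domain-joined IIS server and a site named `Default Web Site`.

```powershell
# Added example: AD-integrated client certificate mapping plus Windows
# Authentication on one IIS site. Site name is an assumption.
Import-Module WebAdministration

$siteName = 'Default Web Site'            # assumed site name
$appHost  = 'MACHINE/WEBROOT/APPHOST'
$authPath = 'system.webServer/security/authentication'

# Web-Cert-Auth is the AD-integrated "Client Certificate Mapping
# Authentication" the answer recommends; Web-Client-Auth would be the
# "IIS Client Certificate Mapping Authentication" it says not to use.
Install-WindowsFeature Web-Windows-Auth, Web-Cert-Auth | Out-Null

# Require a client certificate in the TLS handshake for this site.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Authentication modules for the site. Both certificate-mapping sections are
# locked at server level by default, so they are written to
# applicationHost.config through -Location rather than to the site's web.config.
$settings = @{
    'clientCertificateMappingAuthentication'    = $true   # AD-integrated mapping
    'iisClientCertificateMappingAuthentication' = $false  # IIS one-to-one/many-to-one mapping
    'windowsAuthentication'                     = $true
    'anonymousAuthentication'                   = $false
}
foreach ($module in $settings.Keys) {
    Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
        -Filter "$authPath/$module" -Name enabled -Value $settings[$module]
}

# Read the effective configuration back so the change can be verified.
foreach ($module in $settings.Keys) {
    $enabled = (Get-WebConfigurationProperty -PSPath $appHost -Location $siteName `
        -Filter "$authPath/$module" -Name enabled).Value
    '{0,-45} {1}' -f $module, $enabled
}
```

IIS authenticates a request with one module, so a certificate that maps to an AD account is that account's Windows identity for the request; a lost certificate is handled by revoking it (and checking revocation) or removing its mapping, not by a second credential prompt.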

Attribution
Source: Link; Question Author: dimee; Answer Author: David Armstrong
