IIS/TLS, accept or reject certificates using end user certificate field values

UV 6 Reputation points


I would like to know, is it possible to filter IIS/TLS traffic by using any certificate field like policy identifier number in end user certificate. My goal is to accept only certificates with specific policy identifier numbers and reject all other requests.



Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,712 questions
{count} votes

3 answers

Sort by: Most helpful
  1. Vicky Wang 2,646 Reputation points

    Thank you for posting in our forum.

    This article may help you


    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
    Best wishes

    0 comments No comments

  2. Vadims Podāns 8,866 Reputation points MVP

    The answer is no, you cannot use custom policy authentication on IIS side. It must be done inside particular application only. This is due to how client certificate authentication works in Windows: certificate is mapped to a security principal using implicit or explicit mapping.

    In implicit mapping, client certificate is mapped to security principal with UPN contained in client certificate's SAN extension. Of course, issuing CA must be trusted for client authentication (added to NTAuthCertificate DS store). This is a default authentication method on IIS and Windows in general (smart cards use implicit mapping using UPNs only).

    In explicit mapping, a certificate is compared either with one configured in 1:1 mapping or *:1 (many to one). In 1:1 mapping, reference certificate is added to IIS configuration and mapped to security principal. Exact certificate match is required. The downside of this method is that you will have to use this procedure for every certificate and principal and repeat every time client certificate is renewed.

    In many to one mapping, you can define either, subject or issuer, or a combination of both to map to single security principal. this allows different certificates to match criteria, but criterias aren't flexible and use only Issuer/Subject field combination. No support for certificate extensions.

    So, again, the answer is no, if you have access, then implement extension authorization policy inside web application.

    0 comments No comments

  3. Vicky Wang 2,646 Reputation points


    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    0 comments No comments