IIS FTPS with client authentication and OneToOneMappings

Richard L 1 Reputation point
2022-02-04T10:41:26.317+00:00

I'm trying to implement an FTPS service on Windows 10 (I know ... I know ...), with client certificate authentication and authorization (if possible).

Environment:

  • Windows 10 LTSC 2019 (1809)
  • IIS (version 10 normally)
  • Self-signed certificate (a CA will be available later)
  • PC-A > Will host FTPS service
  • PC-B > Will generate certificates and execute FTP client

Certificate setup:

  • On PC-A, root certificate creation (RootCert), then import the RootCert public key on PC-B
  • On PC-A, generate the server auth certificate (ServCert) with RootCert as signer, then import the private key to PC-B
  • On PC-A, generate the client auth certificate (ClientCert) with RootCert as signer.

IIS setup:
(At the moment, I don't have hands-on access to my lab)

  • FTP site configured with anonymous (read/write permission) auth >> Working
  • Configure FTPS by requiring SSL >> Working
  • Require client authentication >> Working
  • Map client authentication for authorization based on mapped user >> Not Working

The OneToOneMapping maps the ClientCert signature to the local user ftpwrite.

I removed the NTFS permissions on my FTP folder (leaving only the System and Administrators permissions) and granted specific permissions to the ftpwrite account.

Result:
I can connect and have a write permission. But I cannot modify, create or delete content.

As I understand it, OneToOneMapping is there to tie a client certificate to an account, which would allow authorization to be managed.

Am I missing something, or misinterpreting the functionality? Is there a specific log to check whether the mapping succeeded?

R.L.

Tags: Windows 10, Internet Information Services
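The setup the post describes (self-signed root, server and client certificates, FTPS with a required client certificate, a one-to-one mapping to a local account, NTFS limited to that account) as one end-to-end PowerShell script for PC-A. This is an added example, not the poster's configuration or anything from Microsoft's articles; the host name pc-a.lab.local, the site name "FTP Lab", the path C:\inetpub\ftproot\lab, the account name ftpwrite and the export folder C:\lab are assumptions, and so is the assumption that the FTP service reads one-to-one mappings from the site's system.webServer iisClientCertificateMappingAuthentication block in a <location> tag of applicationHost.config. The security-relevant choices the script makes: the server private key never leaves PC-A (only the root's public certificate and the client PFX are exported, and the client private key is deleted from PC-A after export), anonymous and basic authentication are switched off so a session that presents a certificate cannot still log on as the anonymous account, and the FTP authorization rule names ftpwrite alone instead of "*". The final step reads the mapping back and dumps the last lines of the site's W3C log, whose cs-username column shows the account each session was logged under; if that column does not show ftpwrite, the mapping was not what authenticated the session.

```powershell
# Added example (not from the original post). Assumed names: PC-A is "pc-a.lab.local",
# the FTP site is "FTP Lab" rooted at C:\inetpub\ftproot\lab, the local account is ftpwrite.
# Run elevated on PC-A with the IIS FTP service installed; needs the WebAdministration module.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$site     = 'FTP Lab'
$root     = 'C:\inetpub\ftproot\lab'
$user     = 'ftpwrite'
$password = Read-Host -AsSecureString "Password for local account $user"
$pfxPass  = Read-Host -AsSecureString 'Password for the exported ClientCert PFX'

# --- 1. Certificate chain: RootCert -> ServCert (server auth) and RootCert -> ClientCert (client auth)
$rootCert = New-SelfSignedCertificate -Type Custom -Subject 'CN=Lab Root CA' `
    -KeyUsage CertSign, CRLSign -KeyExportPolicy Exportable -KeyLength 2048 -HashAlgorithm sha256 `
    -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(5) `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0')
# The server key stays on PC-A and is non-exportable; only the root's public cert goes to PC-B.
$servCert = New-SelfSignedCertificate -Type SSLServerAuthentication -Subject 'CN=pc-a.lab.local' `
    -DnsName 'pc-a.lab.local' -Signer $rootCert -KeyExportPolicy NonExportable `
    -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(2)
# Client cert carries only the client-authentication EKU (1.3.6.1.5.5.7.3.2).
$clientCert = New-SelfSignedCertificate -Type Custom -Subject "CN=$user" -Signer $rootCert `
    -KeyUsage DigitalSignature -KeyExportPolicy Exportable -CertStoreLocation Cert:\LocalMachine\My `
    -NotAfter (Get-Date).AddYears(1) -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

New-Item -ItemType Directory -Force C:\lab | Out-Null
# PC-A must trust its own root to build the chain for incoming client certificates.
Export-Certificate -Cert $rootCert -FilePath C:\lab\RootCert.cer | Out-Null
Import-Certificate -FilePath C:\lab\RootCert.cer -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
# ClientCert plus private key go to PC-B as a PFX; then the private key is removed from PC-A.
Export-PfxCertificate -Cert $clientCert -FilePath C:\lab\ClientCert.pfx -Password $pfxPass | Out-Null
$mappingB64 = [Convert]::ToBase64String($clientCert.RawData)   # the value the mapping stores
Remove-Item -Path "Cert:\LocalMachine\My\$($clientCert.Thumbprint)" -DeleteKey

# --- 2. Local account and NTFS: only SYSTEM, Administrators and ftpwrite (Modify) on the FTP root
New-LocalUser -Name $user -Password $password -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
New-Item -ItemType Directory -Force $root | Out-Null
icacls $root /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${user}:(OI)(CI)M" | Out-Null

# --- 3. FTP site: SSL required on both channels, client certificate required, anonymous and basic OFF
if (-not (Get-Website -Name $site)) { New-WebFtpSite -Name $site -Port 21 -PhysicalPath $root | Out-Null }
$p = "IIS:\Sites\$site"
Set-ItemProperty $p -Name ftpServer.security.ssl.serverCertHash          -Value $servCert.Thumbprint
Set-ItemProperty $p -Name ftpServer.security.ssl.serverCertStoreName     -Value 'My'
Set-ItemProperty $p -Name ftpServer.security.ssl.controlChannelPolicy    -Value 'SslRequire'
Set-ItemProperty $p -Name ftpServer.security.ssl.dataChannelPolicy       -Value 'SslRequire'
Set-ItemProperty $p -Name ftpServer.security.ssl.clientCertificatePolicy -Value 'CertRequire'
Set-ItemProperty $p -Name ftpServer.security.authentication.anonymousAuthentication.enabled  -Value $false
Set-ItemProperty $p -Name ftpServer.security.authentication.basicAuthentication.enabled      -Value $false
Set-ItemProperty $p -Name ftpServer.security.authentication.clientCertAuthentication.enabled -Value $true

# --- 4. One-to-one mapping. Assumption: the FTP service reads it from the site's
#        system.webServer iisClientCertificateMappingAuthentication <location> block.
#        The mapping logs on with the stored password, so it must match the account's password.
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password))
$map = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath IIS:\ -Location $site -Filter $map -Name enabled -Value $true
Add-WebConfigurationProperty -PSPath IIS:\ -Location $site -Filter "$map/oneToOneMappings" -Name '.' `
    -Value @{ enabled = $true; userName = $user; password = $plain; certificate = $mappingB64 }

# --- 5. FTP authorization: drop the anonymous "*" rule, allow only the mapped account
Clear-WebConfiguration -PSPath IIS:\ -Location $site -Filter 'system.ftpServer/security/authorization'
Add-WebConfiguration -PSPath IIS:\ -Location $site -Filter 'system.ftpServer/security/authorization' `
    -Value @{ accessType = 'Allow'; users = $user; permissions = 'Read,Write' }

# --- 6. Checks: the effective mapping, and which account recent sessions were logged under
Get-WebConfiguration -PSPath IIS:\ -Location $site -Filter "$map/oneToOneMappings/add" |
    Select-Object enabled, userName, @{ n = 'certMatches'; e = { $_.certificate -eq $mappingB64 } }
$logDir = "C:\inetpub\logs\LogFiles\FTPSVC$((Get-Website -Name $site).id)"
Get-ChildItem $logDir -Filter 'u_ex*.log' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime | Select-Object -Last 1 | Get-Content |
    Where-Object { $_ -match '^#Fields:' -or $_ -notmatch '^#' } | Select-Object -Last 20
```

On PC-B, import C:\lab\RootCert.cer into the machine's Trusted Root store and C:\lab\ClientCert.pfx into the personal store, then connect with a client that supports explicit FTPS and client certificates. The log excerpt keeps the #Fields: header so the cs-username column can be located; a write attempt that succeeds at the FTP authorization layer but fails on NTFS is the pattern to look for when the session is logged under an account other than ftpwrite.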

1 answer

  1. Limitless Technology 39,351 Reputation points
    2022-02-11T08:22:12.68+00:00

    Hi there,

    Maybe it's time to re-check the steps you have performed by following the articles below and see if that makes any difference.

    Configuring One-to-One Client Certificate Mappings
    https://learn.microsoft.com/en-us/iis/manage/configuring-security/configuring-one-to-one-client-certificate-mappings

    Configuring Many-to-One client certificate mappings for IIS 7.0 and 7.5
    https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/www-authentication-authorization/configure-many-to-one-client-mappings

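The answer links both mapping styles. The many-to-one variant, which the question's setup would also accept, maps every certificate that satisfies a rule to one account, so it is worth seeing what that rule looks like and what it changes about authorization. This is an added example, not code from the answer or from Microsoft's articles; it assumes the site "FTP Lab", the issuing root "CN=Lab Root CA" and the local account ftpwrite, and it assumes that the FTP service reads manyToOneMappings from the same system.webServer iisClientCertificateMappingAuthentication <location> block as one-to-one mappings. The rule matches on the Issuer CN rather than the Subject: the subject is whatever the requester asked for, while the issuer is fixed by which CA signed the certificate and is already tied to the trusted root by the chain check that CertRequire performs. The trade-off is that authorization now means "holds any certificate from this CA", so control of issuance becomes control of FTP access.

```powershell
# Added example (not from the answer above). Assumes the site "FTP Lab", root CA
# "CN=Lab Root CA" and local account ftpwrite from the one-to-one setup; run elevated on the FTPS host.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$site     = 'FTP Lab'
$user     = 'ftpwrite'
$ruleName = 'LabCA-to-ftpwrite'
# IIS stores this attribute encrypted in applicationHost.config; it must match the account's password.
$password = Read-Host "Password of local account $user"
$map = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

Set-WebConfigurationProperty -PSPath IIS:\ -Location $site -Filter $map -Name enabled -Value $true
# Remove one-to-one entries so the two mapping styles do not compete for the same certificate.
Clear-WebConfiguration -PSPath IIS:\ -Location $site -Filter "$map/oneToOneMappings"

# Mapping entry: who the matching sessions become, and whether matches are allowed or denied.
Add-WebConfigurationProperty -PSPath IIS:\ -Location $site -Filter "$map/manyToOneMappings" -Name '.' `
    -Value @{ name = $ruleName; enabled = $true; permissionMode = 'Allow'; userName = $user; password = $password }

# Rule: Issuer CN must be exactly "Lab Root CA" (case-sensitive compare).
# Issuer, not Subject: the subject is chosen by the requester; the issuer is fixed by the signing CA.
Add-WebConfigurationProperty -PSPath IIS:\ -Location $site `
    -Filter "$map/manyToOneMappings/add[@name='$ruleName']/rules" -Name '.' `
    -Value @{ certificateField = 'Issuer'; certificateSubField = 'CN'; matchCriteria = 'Lab Root CA'; compareCaseSensitive = $true }

# Read back what will be evaluated for the site.
Get-WebConfiguration -PSPath IIS:\ -Location $site -Filter "$map/manyToOneMappings/add" |
    Select-Object name, enabled, permissionMode, userName
Get-WebConfiguration -PSPath IIS:\ -Location $site -Filter "$map/manyToOneMappings/add[@name='$ruleName']/rules/add" |
    Select-Object certificateField, certificateSubField, matchCriteria, compareCaseSensitive
```

With this in place the NTFS ACL and the FTP authorization rule from the one-to-one setup still apply unchanged, because both act on the mapped Windows account; what changes is only how a presented certificate is turned into that account.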