> Has anyone set up a system wher users authenticate using
> PKI Client Certificates?

> I am doing such a thing right now and using the Many-to-One
> mapping feature for IIS to map all certificates from a
> particular Issuer to the "\Everyone" user account. I have
> required Client Certificates as well.

> problem is, no matter what I put in as long
> as the user has a certificate IIS allows access,
> regauardless of the rules, where the certificate came from,
> or who the subject is.

> Chances are I'm just missing
> something, any ideas on what that might be?

wrote:

>Has anyone set up a system wher users authenticate using
>PKI Client Certificates?
>
>I am doing such a thing right now and using the Many-to-One
>mapping feature for IIS to map all certificates from a
>particular Issuer to the "\Everyone" user account. I have
>required Client Certificates as well.
>
>The problem is: I tried to change the Issuer wildcard
>rules so that the certificate would fail (just testing to
>see if this would keep out intruders with certificates from
>other issuers), problem is, no matter what I put in as long
>as the user has a certificate IIS allows access,
>regauardless of the rules, where the certificate came from,
>or who the subject is.
>
>If this is the case then this is a MAJOR security flaw in
>the IIS security model. Chances are I'm just missing
>something, any ideas on what that might be?
>
>Thanks
>David Smith
>dlsjr@dlsjr.com