Client certificate mapping is very flexible because any of the three mapping methods (one-to-one, many-to-one, or Windows Directory Service mapping) can be used to map client certificates to user accounts. You can map a client certificate to any number of user accounts. Likewise, you can map any number of client certificates to a single user account. Once a certificate is mapped, IIS authorizes the request as the mapped Windows account, so that account should hold only the rights the site actually needs.
Certificate mapping is useful in several situations, including the following:
• Large Networks. Networks with a large number of client certificates can use many-to-one or Windows Directory Service (DS) mapping. With many-to-one mapping you create one or more matching rules that map certificates to one or more Windows user accounts; with DS mapping each certificate is matched to the corresponding account in Active Directory.
• Small Networks. Networks with very few users can use one-to-one mapping to provide greater control of certificate usage and revocation, or use many-to-one mapping to simplify administration.
• Additional Security. For resources that have few users and that require additional security, you can use one-to-one mapping. In this way, you can be sure that only the selected certificates are accepted, and a single certificate can be cut off by deleting or disabling its mapping, without waiting for the issuing CA to revoke it. This allows more stringent certificate revocation policies to be enforced.
• Internet. Internet sites that use certificate authentication can use many-to-one mapping by accepting a wide range of certificates and mapping them all to a single low-privilege account with rights similar to those of the IUSR_ComputerName anonymous account.
• By certification authority. To map all users who log on with a client certificate that was issued by a particular organization, you can use many-to-one mapping. Define a matching rule on the certificate's issuer field so that any certificate issued by that organization is automatically mapped to a user account.
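The following Python model shows how the one-to-one and many-to-one methods described above interact when a request arrives. It is an added illustration written for this page, not IIS code: the evaluation order (explicit one-to-one mappings first, then many-to-one rules top to bottom with the first match deciding, where a rule may map to an account or refuse access) is assumed, and the certificates, CA names and account names are constructed.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClientCert:
    """A client certificate as the mapper sees it: encoded bytes plus parsed names."""
    der: bytes          # stands in for the DER-encoded certificate (constructed, not real DER)
    subject: dict       # parsed subject name fields, e.g. {"CN": "alice", "OU": "Finance"}
    issuer: dict        # parsed issuer name fields, e.g. {"O": "Contoso Ltd"}

    def thumbprint(self) -> str:
        # One-to-one mapping compares the whole certificate; hashing the encoded
        # bytes gives the same identity as the thumbprint shown in the certificate UI.
        return hashlib.sha1(self.der).hexdigest()


@dataclass
class Rule:
    """One many-to-one matching rule. Every listed field must match; account=None refuses access."""
    name: str
    criteria: dict              # {"issuer": {"O": "Contoso Ltd"}, "subject": {"OU": "Sales"}}
    account: Optional[str]      # Windows account to map to, or None to refuse access
    enabled: bool = True

    def matches(self, cert: ClientCert) -> bool:
        for part, wanted in self.criteria.items():
            actual = getattr(cert, part)          # "subject" or "issuer"
            if any(actual.get(k) != v for k, v in wanted.items()):
                return False
        return True


@dataclass(frozen=True)
class MappingResult:
    account: Optional[str]      # None when access is refused or no mapping exists
    via: str                    # "one-to-one", the rule name, "refused:<rule>", or "unmapped"


class CertMapper:
    """Holds one-to-one mappings and an ordered list of many-to-one rules."""

    def __init__(self) -> None:
        self.one_to_one: dict[str, str] = {}   # thumbprint -> account
        self.rules: list[Rule] = []            # evaluated top to bottom; first match wins

    def map_one_to_one(self, cert: ClientCert, account: str) -> None:
        self.one_to_one[cert.thumbprint()] = account

    def remove_one_to_one(self, cert: ClientCert) -> None:
        self.one_to_one.pop(cert.thumbprint(), None)

    def add_rule(self, rule: Rule) -> None:
        self.rules.append(rule)

    def resolve(self, cert: ClientCert) -> MappingResult:
        # Assumed evaluation order: explicit one-to-one mappings are consulted
        # before the many-to-one rules, and the first matching rule decides.
        account = self.one_to_one.get(cert.thumbprint())
        if account is not None:
            return MappingResult(account, "one-to-one")
        for rule in self.rules:
            if rule.enabled and rule.matches(cert):
                if rule.account is None:
                    return MappingResult(None, f"refused:{rule.name}")
                return MappingResult(rule.account, rule.name)
        return MappingResult(None, "unmapped")


# Constructed sample certificates (people, organisations and CA names are hypothetical).
CONTOSO_CA = {"O": "Contoso Ltd", "CN": "Contoso Issuing CA"}
FABRIKAM_CA = {"O": "Fabrikam Inc", "CN": "Fabrikam CA"}

ALICE = ClientCert(b"cert-alice", {"CN": "alice", "OU": "Finance", "O": "Contoso Ltd"}, CONTOSO_CA)
BOB = ClientCert(b"cert-bob", {"CN": "bob", "OU": "Sales", "O": "Contoso Ltd"}, CONTOSO_CA)
CAROL = ClientCert(b"cert-carol", {"CN": "carol", "OU": "Contractors", "O": "Fabrikam Inc"}, FABRIKAM_CA)
DAVE = ClientCert(b"cert-dave", {"CN": "dave", "OU": "Engineering", "O": "Fabrikam Inc"}, FABRIKAM_CA)
EVE = ClientCert(b"cert-eve", {"CN": "eve", "O": "Example Corp"}, {"O": "Some Other CA"})


def build_demo_mapper(deny_first: bool = True) -> CertMapper:
    """Build a mapper with one explicit mapping and three by-CA rules (hypothetical accounts)."""
    mapper = CertMapper()
    mapper.map_one_to_one(ALICE, r"CONTOSO\alice")           # one-to-one: this exact certificate only
    deny_contractors = Rule("Refuse Fabrikam contractors",
                            {"issuer": {"O": "Fabrikam Inc"}, "subject": {"OU": "Contractors"}},
                            account=None)
    partners = Rule("Fabrikam partners", {"issuer": {"O": "Fabrikam Inc"}}, "IIS_PARTNER_USER")
    employees = Rule("Contoso employees", {"issuer": {"O": "Contoso Ltd"}}, "IIS_CONTOSO_USER")
    # Rule order matters: the narrow refuse rule only takes effect if it precedes the broad one.
    for rule in ([deny_contractors, partners] if deny_first else [partners, deny_contractors]):
        mapper.add_rule(rule)
    mapper.add_rule(employees)
    return mapper


if __name__ == "__main__":
    m = build_demo_mapper()
    for cert in (ALICE, BOB, CAROL, DAVE, EVE):
        print(cert.subject["CN"], "->", m.resolve(cert))
    m.remove_one_to_one(ALICE)
    print("alice after her one-to-one mapping is removed ->", m.resolve(ALICE))
```

Two things the run makes visible that the list above only implies: a refuse rule must sit above any broader rule for the same issuer, or the broad rule captures the certificate first (build_demo_mapper(deny_first=False) maps the contractor to IIS_PARTNER_USER); and deleting a one-to-one mapping only cuts a user off if no many-to-one rule still matches that certificate, so the tighter revocation control of one-to-one mapping depends on not also having a catch-all rule for the same CA.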
If you are using mapping to integrate your Web sites into a Windows domain, the Windows Directory Service mapper will best suit your purpose, because it resolves each certificate to the Active Directory account it belongs to instead of requiring mappings to be maintained in IIS. For more information, see "Mapping certificates to user accounts" in Help and Support Center for Windows Server 2003.