Windows Server 2008 R2, IIS 7.5. I configured an FTP site that requires SSL connections and uses client SSL certificates (in applicationHost.config, `<clientCertAuthentication enabled="true" />`, `<sslClientCertificates clientCertificatePolicy="CertRequire" useActiveDirectoryMapping="true" />`). Everything works, except the fact that the certificate is the only thing checked when the user logs on - no matter which username/password are supplied (including anonymous), as long as a valid client certificate is shown, the user logs on and gets mapped to the proper folder (user isolation is set to user name directory).
Is it possible to have IIS check both the username/password and certificate, or is it inherently limited to one type of credentials per session?
Edit: Okay, I figured out one thing, but now stuck on another. I set clientCertAuthentication enabled="false" while leaving clientCertificatePolicy="CertRequire", and now the users' passwords are correctly challenged, and a client certificate is required, but any valid client certificate issued by the enterprise CA is accepted, not just the one mapped to the specific user in AD name mappings. Is there a way to configure IIS FTP to require (a) username, (b) password, and (c) a client certificate issued to that specific user?
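For readers following the two configurations described in the question, here is an added illustration (not part of the original post) of where those attributes live inside a site's `<ftpServer>` element in applicationHost.config. The site name, the folder path and the certificate hash are placeholders; the first block corresponds to the original setup (certificate mapping logs the user on, password not challenged) and the second to the edited setup (password challenged, but any certificate chaining to a trusted CA satisfies CertRequire).

```xml
<!-- Added example, not from the original post. Placeholder site name,
     path and serverCertHash; replace with your own values. -->

<!-- Variant 1 (original setup): clientCertAuthentication enabled.
     The client certificate is mapped to an AD account and becomes the
     credential; the supplied username/password are not verified. -->
<site name="FTP Site" id="2">
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <application path="/">
    <virtualDirectory path="/" physicalPath="D:\ftproot" />
  </application>
  <ftpServer>
    <security>
      <ssl controlChannelPolicy="SslRequire"
           dataChannelPolicy="SslRequire"
           serverCertHash="PLACEHOLDER_THUMBPRINT" />
      <sslClientCertificates clientCertificatePolicy="CertRequire"
                             useActiveDirectoryMapping="true" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
        <clientCertAuthentication enabled="true" />
      </authentication>
    </security>
    <userIsolation mode="StartInUsersDirectory" />
  </ftpServer>
</site>

<!-- Variant 2 (after the edit): clientCertAuthentication disabled.
     Basic authentication now checks the password, and CertRequire still
     demands a client certificate, but the certificate is only validated
     against the trusted chain, not tied to the authenticated user. -->
<site name="FTP Site" id="2">
  <bindings>
    <binding protocol="ftp" bindingInformation="*:21:" />
  </bindings>
  <application path="/">
    <virtualDirectory path="/" physicalPath="D:\ftproot" />
  </application>
  <ftpServer>
    <security>
      <ssl controlChannelPolicy="SslRequire"
           dataChannelPolicy="SslRequire"
           serverCertHash="PLACEHOLDER_THUMBPRINT" />
      <sslClientCertificates clientCertificatePolicy="CertRequire"
                             useActiveDirectoryMapping="true" />
      <authentication>
        <anonymousAuthentication enabled="false" />
        <basicAuthentication enabled="true" />
        <clientCertAuthentication enabled="false" />
      </authentication>
    </security>
    <userIsolation mode="StartInUsersDirectory" />
  </ftpServer>
</site>
```

The difference between the two is the single `clientCertAuthentication` attribute; in the first variant the certificate is the identity, in the second it is only a transport-level gate. Whether IIS 7.5 FTP can bind the presented certificate to the password-authenticated account is exactly what the question above asks.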