Did you know: Configure Client Certificate Mapping in FTP 7.5 - Part 4

by Vivek 3/5/2010 9:09:00 AM

In this post, we will install a user certificate, map it to the user account with Name Mappings, and test FTPS with a command-line client.

Install the user certificate:

  1. Open Internet Explorer and browse to https://server1/certsrv (the CA's web enrollment pages)
  2. Click Request a Certificate
  3. Click User Certificate
  4. Click Yes on the Web Access Confirmation prompt (if it appears)
  5. Click Submit
  6. Click Install this certificate
  7. You will get a confirmation that a user certificate has been installed. The key pair was generated on this machine, so the private key stays in this user's profile; the .cer files exported below carry only the public certificate.

Confirm the client certificate has been installed:

  1. Open Internet Explorer
  2. Click Tools -> Internet Options
  3. Click Content, then click Certificates
  4. On the Personal tab you will find a certificate issued to the user name
  5. You can confirm the same in the Certificates MMC snap-in (Current User)
  6. Export the client certificate: select it and click Export…
  7. Follow the Certificate Export Wizard
  8. Select No, do not export the private key, click Next
  9. Select Base-64 encoded X.509 (.CER)
  10. Browse to the location where you want to save the certificate, click Save
  11. Click Next, click Finish


Map the user certificate to the user account:

Export the user certificate from the CA:

  1. Go to the CA server (in our case it's the DC)
  2. Open Server Manager -> expand Roles -> expand Active Directory Certificate Services -> expand the CA (contoso-Issuing-CA01)
  3. Click Issued Certificates; in the right-hand pane you will see the client certificate that was issued
  4. Right-click the certificate -> click Open
  5. Click Details -> click Copy to File…
  6. The Certificate Export Wizard appears, click Next
  7. Select Base-64 encoded X.509 (.CER), click Next
  8. Select the location for the certificate and name it (bmayer.cer in our case)
  9. Click Next -> click Finish to close the Export Wizard

Map the certificate:

  1. Go to the DC
  2. Open Server Manager -> expand Roles -> expand Active Directory Domain Services -> expand Active Directory Users and Computers -> expand the domain (contoso.com)
  3. I have an OU named “People” for the user accounts
  4. The Name Mappings… command is only shown when advanced features are on: click View -> Advanced Features
  5. Right-click the user (in our case Barbara Mayer) and click Name Mappings…
  6. The Security Identity Mapping dialog appears
  7. Under X.509 Certificates, click Add…
  8. Browse to the location where you saved the user certificate, click Open
  9. Click OK
  10. Click OK

We now have a client certificate mapped to the user account. Behind the dialog, this writes an entry of the form X509:<I>issuer<S>subject to the account's altSecurityIdentities attribute, so the mapping matches on the certificate's issuer and subject names.
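The same mapping done from PowerShell, as an added example that is not part of the original post (the post uses the Name Mappings dialog). It builds the X509:<I>issuer<S>subject string from the exported certificate and writes it to altSecurityIdentities with the Active Directory module. The module (from RSAT), the path C:\certs\bmayer.cer and the sAMAccountName bmayer are assumptions, not taken from the post.

```powershell
# Added example, not part of the original post: build the altSecurityIdentities
# value that the "Name Mappings..." dialog writes and set it with the AD module.
# Assumptions: ActiveDirectory module installed, certificate exported from the CA
# at C:\certs\bmayer.cer, account sAMAccountName 'bmayer'.
Import-Module ActiveDirectory

function ConvertTo-X509MappingDn {
    # Return the DN in the order the mapping expects: root first
    # (DC=com,DC=contoso,...), comma-separated with no spaces, as the dialog writes it.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    # Decode(None) keeps the encoded, root-first order; $cert.Subject/$cert.Issuer are reversed.
    $dn = $Name.Decode([System.Security.Cryptography.X509Certificates.X500DistinguishedNameFlags]::None)
    # Collapse the ", " separators between RDNs, but leave commas alone that are
    # escaped (\,) or sit inside a quoted value such as O="Contoso, Inc."
    return ($dn -replace '(?<!\\),\s+(?=(?:[^"]*"[^"]*")*[^"]*$)', ',')
}

function New-CertificateNameMapping {
    param(
        [Parameter(Mandatory)][string]$CerPath,
        [Parameter(Mandatory)][string]$SamAccountName
    )
    $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $issuer  = ConvertTo-X509MappingDn $cert.IssuerName
    $subject = ConvertTo-X509MappingDn $cert.SubjectName
    # e.g. X509:<I>DC=com,DC=contoso,CN=contoso-Issuing-CA01<S>DC=com,DC=contoso,OU=People,CN=Barbara Mayer
    $mapping = "X509:<I>$issuer<S>$subject"

    $user = Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities
    if ($user.altSecurityIdentities -contains $mapping) {
        Write-Host "Mapping already present: $mapping"
    } else {
        Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
        Write-Host "Added mapping: $mapping"
    }
    # Read back what is now on the account
    (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}

New-CertificateNameMapping -CerPath 'C:\certs\bmayer.cer' -SamAccountName 'bmayer'
```

If the certificate was already mapped through the dialog, the function reports it as present instead of adding a duplicate, which doubles as a check that the string built here matches what the dialog wrote. Keep in mind that an issuer-plus-subject mapping matches on names only: any later certificate from the same CA with the same subject maps to the same account, which is why newer Windows hardening (KB5014754) classifies this form as weak and prefers mappings that also pin the serial number (<SR>) or the subject key identifier (<SKI>).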

Access the FTPS site:

We will use the AlexFTPS 1.0.2 command-line client (http://ftps.codeplex.com) to verify the setup. I have it extracted under the C: drive, and a DNS entry for ftp.contoso.com pointing at the IP of Server2 (the FTP server).

The command we will use is:

ftps -h ftp.contoso.com -port 21 -ssl All -sslClientCertPath C:\Users\bmayer\Documents\bmayer.cer -l

The file passed to -sslClientCertPath is the .cer we exported earlier without its private key. Client authentication still succeeds because AlexFTPS is a .NET client running as bmayer on the machine where the certificate was enrolled, and .NET's SslStream picks up the matching private key from that user's Personal store. From another account or machine the client has no private key to present, and the site, which requires a client certificate, will refuse the session.

Here is the actual connection:

C:\AlexFTPS-1.0.2>ftps -h ftp.contoso.com -port 21 -ssl All -sslClientCertPath C:\Users\bmayer\Documents\bmayer.cer -l
Alex FTPS version 1.0.2
Copyright (C) Alessandro Pilotti 2008-2009
http://www.codeplex.com/ftps
info@pilotti.it
This is free software, you may use it under the terms of
the LGPL license

WARNING: SSL/TLS remote certificate name mismatch
SSL/TLS Server certificate details:
[Subject]
CN=newftpsite, OU=FTP Unit, O=contoso, L=Bangalore, S=Karnataka, C=IN
[Issuer]
CN=contoso-Issuing-CA01, DC=contoso, DC=com
[Serial Number]
619877AD000000000015
[Not Before]
27-10-2009 08:22:31
[Not After]
27-10-2011 08:22:31
[Thumbprint]
FE3ABE6A25AB447972B769A0C084B92D8DE098F2

Accept invalid server certificate? (Y/N) Y

Remote directory: /
10-27-09  10:40AM       <dir>          myFolder
10-27-09  10:42AM                 1944 sample.txt
10-27-09  10:42AM                 8748 sample1.txt
10-27-09  10:42AM               518454 snap.bmp

The directory listing comes back, so the certificate was accepted and mapped to bmayer. One thing to fix before going further: the client warned of a name mismatch because the server certificate is issued to CN=newftpsite while we connected to ftp.contoso.com, and we answered Y to accept it anyway. Accepting an invalid server certificate discards server authentication (anyone who can redirect the connection can present a certificate of their own), so bind the FTP site to a certificate whose subject or subject alternative name is ftp.contoso.com and let the client enforce the match.
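What the client should do instead of prompting, as an added example that is not part of the original post or of AlexFTPS: a PowerShell function that performs the explicit FTPS handshake (AUTH TLS) against ftp.contoso.com, offers Barbara Mayer's certificate from the Current User Personal store, and refuses the server certificate on any validation error, name mismatch included. The host name and port come from the post; selecting the client certificate by its subject CN and requiring TLS 1.2 are assumptions.

```powershell
# Added example, not part of the original post or of AlexFTPS.
# Explicit FTPS (AUTH TLS) handshake that enforces server certificate validation.
# Assumptions: ftp.contoso.com:21 is the FTP site from the post; the client
# certificate with its private key is in Cert:\CurrentUser\My with CN=Barbara Mayer.

function Read-FtpLine {
    # Read one CRLF-terminated control reply byte by byte. A buffered reader could
    # read ahead into bytes that belong to the TLS handshake, so we avoid one.
    param([Parameter(Mandatory)][System.IO.Stream]$Stream)
    $bytes = New-Object System.Collections.Generic.List[byte]
    while (($b = $Stream.ReadByte()) -ge 0) {
        if ($b -eq 10) { break }                 # LF ends the line
        if ($b -ne 13) { $bytes.Add([byte]$b) }  # drop CR
    }
    return [Text.Encoding]::ASCII.GetString($bytes.ToArray())
}

function Send-FtpCommand {
    param([Parameter(Mandatory)][System.IO.Stream]$Stream, [Parameter(Mandatory)][string]$Command)
    $buf = [Text.Encoding]::ASCII.GetBytes("$Command`r`n")
    $Stream.Write($buf, 0, $buf.Length)
    $Stream.Flush()
}

function Test-FtpsHandshake {
    param(
        [Parameter(Mandatory)][string]$FtpHost,
        [int]$Port = 21,
        [string]$ClientCertCn    # CN of the client certificate in CurrentUser\My (assumed selector)
    )
    $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
    if ($ClientCertCn) {
        $pattern = '^CN=' + [regex]::Escape($ClientCertCn) + '(,|$)'
        $cc = Get-ChildItem Cert:\CurrentUser\My |
              Where-Object { $_.HasPrivateKey -and $_.Subject -match $pattern } |
              Select-Object -First 1
        if (-not $cc) { throw "No certificate with a private key for CN=$ClientCertCn" }
        [void]$clientCerts.Add($cc)
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($FtpHost, $Port)
    try {
        $net = $tcp.GetStream()
        $greeting = Read-FtpLine $net
        while ($greeting -match '^220-') { $greeting = Read-FtpLine $net }   # multi-line banner
        if ($greeting -notmatch '^220 ') { throw "Unexpected greeting: $greeting" }

        Send-FtpCommand $net 'AUTH TLS'
        $reply = Read-FtpLine $net
        if ($reply -notmatch '^234') { throw "AUTH TLS refused: $reply" }

        # Strict policy: a name mismatch, untrusted chain or any other error aborts the
        # session. There is no "Accept invalid server certificate? (Y/N)" prompt.
        $validator = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            if ($errors -ne [System.Net.Security.SslPolicyErrors]::None) {
                Write-Warning ("Rejecting server certificate '{0}': {1}" -f $certificate.Subject, $errors)
                return $false
            }
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $validator)
        # TLS 1.2 only, revocation checking on, our client certificate offered.
        $ssl.AuthenticateAsClient($FtpHost, $clientCerts,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)

        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Send-FtpCommand $ssl 'QUIT'   # handshake inspected; end the session politely

        [pscustomobject]@{
            Host                  = $FtpHost
            ServerSubject         = $server.Subject
            ServerIssuer          = $server.Issuer
            ServerThumbprint      = $server.Thumbprint
            Protocol              = $ssl.SslProtocol
            MutuallyAuthenticated = $ssl.IsMutuallyAuthenticated   # True only if our certificate was used
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-FtpsHandshake -FtpHost 'ftp.contoso.com' -ClientCertCn 'Barbara Mayer'
```

Against the CN=newftpsite certificate from the listing above this throws on the name mismatch instead of continuing, which is the behaviour you want. Once the site is bound to a certificate for ftp.contoso.com it returns the server details with MutuallyAuthenticated set to True, confirming that the client certificate was actually sent rather than silently dropped for lack of a private key. The Tls12 setting assumes TLS 1.2 is enabled on the server.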

We have successfully configured FTPS in IIS 7 and IIS 7.5 using Active Directory-enabled one-to-one client certificate mapping.

Hope this helps,
Vivek Kumbhar

Quote of the day:
I shot an arrow into the air, and it stuck. - Graffito
