Certificate mapping rule in IIS does not work for a client certificate that contains more than 64 characters in Windows

Applies to: Windows Server 2012 DatacenterWindows Server 2012 DatacenterWindows Server 2012 Standard More

Symptoms



Consider the following scenario:
  • You install Internet Information Services (IIS) 7 or a later version on a computer that is running Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, or Windows Server 2012.
  • You install the IIS Client Certificate Mapping module.
  • You configure client certificate mappings and certificate mapping rules on the computer.
    Note You can use client certificates for user authentication purposes. For more information about this, go to the "References" section.
  • The client certificate field (compared with the matchCriteria property) is a string that is longer than 64 characters and that includes the terminating NULL. For example, the name of the user ("Issued to") is a string that contains more than 64 characters.
In this scenario, the certificate mapping rule does not work correctly.

Cause


This issue occurs because the Authmap.dll file has a buffer for the client certificate field that compares with the matchCriteria property and that equals 64 characters. When the client certificate field contains more than 64 characters, only the first 64 characters are compared with the string that is set in the matchCriteria property.

Resolution


Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem.

If the hotfix is available for download, there is a "Hotfix Download Available" section at the top of this Knowledge Base article. If this section does not appear, submit a request to Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix Download Available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running one of the following operating systems:
  • Windows Vista Service Pack 2 (SP2)
  • Windows Server 2008 SP2
  • Windows 7 SP1
  • Windows Server 2008 R2
  • Windows 8
  • Windows Server 2012

Registry information

To apply this hotfix, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


For more information about how to configure Many-to-One client certificate mapping for IIS 7 and IIS 7.5, go to the following Microsoft website:

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:
824684 Description of the standard terminology that is used to describe Microsoft software updates