Client Certificate Mapping Uses Multiple Organization Units

This article was previously published under Q197461
This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:For more information about IIS 7.0, visit the following Microsoft Web site:
When you attempt to use a Client Certificate with multiple subjectOrganization Unit (OU) fields, Internet Information Server (IIS) may notread the certificate as expected.
IIS does not read more than the first field of Subject OUs for some non-Certificate Server certificate formats.

For example, if the Subject OU line contains multiple entries delimited bysemicolons, IIS will not recognize any entries beyond the first semicolon.

In the following example, Internet Information Server would detect MyCompany, but not Level 1 or Level 2:
My Company; Level 1; Level 2
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack

Microsoft has confirmed this to be a problem in Internet InformationServer version 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
More information
For additional information on Certificate Server and Client CertificateMapping, see the Windows NT Option Pack for the following onlinedocumentation:
   SSL Client Certificate Authentication   Microsoft Internet Information Server   Server Administration   Security   Authentication   About Authentication   Obtaining Client Certificate Information with ASP   Mapping Client Certificates to User Accounts				
For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
190157 Support for Windows NT 4.0 Option Pack on Terminal Server

Article ID: 197461 - Last Review: 10/26/2013 10:53:00 - Revision: 5.0

  • kbnosurvey kbarchive kbhotfixserver kbqfe kbbug kbfix KB197461