Client Certificate Mapping Uses Multiple Organization Units

ID: Q197461


The information in this article applies to:
  • Microsoft Internet Information Server version 4.0
  • Microsoft Windows NT Server version 4.0, Terminal Server Edition


SYMPTOMS

When you attempt to use a Client Certificate with multiple subject Organization Unit (OU) fields, Internet Information Server (IIS) may not read the certificate as expected.


CAUSE

IIS does not read more than the first field of Subject OUs for some non-Certificate Server certificate formats.

For example, if the Subject OU line contains multiple entries delimited by semicolons, IIS will not recognize any entries beyond the first semicolon.

In the following example, Internet Information Server would detect My Company, but not Level 1 or Level 2:

My Company; Level 1; Level 2
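
The following added example (not part of the original article and not Microsoft code) models the two readings of the Subject OU line above and lists the mapping rules whose outcome depends on an OU after the first semicolon. The rule names, the patterns, and the case-insensitive wildcard matching are assumptions made for illustration and are not IIS's own matching logic.

```python
from fnmatch import fnmatchcase

def split_ous(subject_ou_line):
    """Split a semicolon-delimited Subject OU line into trimmed entries."""
    return [p.strip() for p in subject_ou_line.split(";") if p.strip()]

def ous_seen(subject_ou_line, first_only):
    """OU values visible to the server: only the first entry (the behaviour
    the article describes) or every entry (the corrected behaviour)."""
    ous = split_ous(subject_ou_line)
    return ous[:1] if first_only else ous

def rule_matches(pattern, subject_ou_line, first_only):
    """True if any visible OU matches the wildcard pattern.
    Assumption: matching is case-insensitive with '*' wildcards."""
    return any(fnmatchcase(ou.lower(), pattern.lower())
               for ou in ous_seen(subject_ou_line, first_only))

def audit(rules, subject_ou_line):
    """Return (name, pattern, first_only_result, all_ous_result) for every
    rule whose outcome differs between the two readings."""
    changed = []
    for name, pattern in rules:
        before = rule_matches(pattern, subject_ou_line, first_only=True)
        after = rule_matches(pattern, subject_ou_line, first_only=False)
        if before != after:
            changed.append((name, pattern, before, after))
    return changed

# Constructed sample data: the OU line is the article's example; the rule
# names and patterns are hypothetical.
SAMPLE_OU_LINE = "My Company; Level 1; Level 2"
SAMPLE_RULES = [
    ("company-users", "My Company"),
    ("level2-admins", "Level 2"),
    ("any-level", "Level *"),
    ("contractors", "Contractor*"),
]

if __name__ == "__main__":
    for name, pattern, before, after in audit(SAMPLE_RULES, SAMPLE_OU_LINE):
        print(f"{name}: pattern {pattern!r} "
              f"first-OU-only={before} all-OUs={after}")
```

Rules reported by audit() are the ones to re-test after the service pack is applied, because their match result changes once every OU entry is read.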


RESOLUTION

To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, please see the following article in the Microsoft Knowledge Base:

Q152734 How to Obtain the Latest Windows NT 4.0 Service Pack


STATUS

Microsoft has confirmed this to be a problem in Internet Information Server version 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.


MORE INFORMATION

For additional information on Certificate Server and Client Certificate Mapping, see the following online documentation in the Windows NT Option Pack:


   SSL Client Certificate Authentication
   Microsoft Internet Information Server
   Server Administration
   Security
   Authentication
   About Authentication
   Obtaining Client Certificate Information with ASP
   Mapping Client Certificates to User Accounts 

Keywords : NT4SP4Fix
Version : WINNT:4.0
Platform : winnt
Issue type : kbbug


Last Reviewed: May 6, 1999
© 2000 Microsoft Corporation. All rights reserved.