A lot of what you're asking depends greatly on what your existing cert infrastructure looks like.
For security reasons I would highly suggest identifying the specific user via a mapping. If you've gone as far as to distribute certs for user auth, there's probably something worth securing. Any authorization or auditing you need should be per user.
The best way is to use the cert CN (common name). The thumbprint will identify a specific cert, but what happens when the cert expires?
This of course means that when you issue certs the CN is controlled and will relate to a specific person. I've found using the email address to be very reliable, because you can create a validation routine by sending them confirmation emails. You can also enforce some uniqueness with the email address.
The hard part is distributing certs and getting IIS to ask the client for certs so your ASP.NET app can gain access to its information. Once you have that, all your requests will have something in Request.ClientCertificate which has all the details of their cert you'd need to authenticate them.
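As an added example (not part of the answer above), here is the CN-to-user mapping described there, written for classic ASP.NET in C#. The `ClientCertUserMapper` class, the in-memory user table, and the `IssuingCaThumbprint` placeholder are assumptions for illustration; the cert is re-validated on the server side (client-auth EKU, revocation, pinned issuing CA) before its CN is looked up, so a certificate with a matching CN from some other CA the machine trusts is not accepted.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Web;

// Resolves the application user behind an IIS-negotiated client certificate
// by the certificate's CN (which carries the user's email address) rather
// than by its thumbprint, so a renewed cert with the same subject still
// maps to the same user.
public static class ClientCertUserMapper
{
    // Placeholder: thumbprint of the CA that issued your user certs. Pinning
    // it rejects a cert with a matching CN issued by any other CA the server
    // happens to trust.
    private const string IssuingCaThumbprint = "<YOUR-CA-THUMBPRINT>";

    // Client Authentication extended key usage (RFC 5280 id-kp-clientAuth).
    private static readonly Oid ClientAuthEku = new Oid("1.3.6.1.5.5.7.3.2");

    // Constructed sample user store, keyed by the email placed in the CN at
    // issuance. A real deployment would query its user database here.
    private static readonly Dictionary<string, string> UsersByEmail =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice@example.com", "alice" },
            { "bob@example.com",   "bob"   },
        };

    // Returns the application user name, or null when the request carries no
    // acceptable client certificate. Callers treat null as unauthenticated.
    public static string ResolveUser(HttpRequest request)
    {
        HttpClientCertificate clientCert = request.ClientCertificate;
        if (!clientCert.IsPresent || !clientCert.IsValid)
            return null;   // IIS negotiated no cert, or could not validate it

        // Wrap the DER bytes IIS hands us in the richer X509Certificate2 API.
        var cert = new X509Certificate2(clientCert.Certificate);

        // Re-validate the chain ourselves: require the client-auth EKU and
        // an online revocation check instead of relying on IIS alone.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        chain.ChainPolicy.ApplicationPolicy.Add(ClientAuthEku);
        if (!chain.Build(cert))
            return null;

        // The last element of the built chain is the root; pin it to our CA.
        X509Certificate2 root =
            chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, IssuingCaThumbprint,
                           StringComparison.OrdinalIgnoreCase))
            return null;

        // SimpleName yields the subject CN, which the issuance process set to
        // the user's confirmed email address.
        string email = cert.GetNameInfo(X509NameType.SimpleName, false);
        if (string.IsNullOrWhiteSpace(email))
            return null;

        string user;
        return UsersByEmail.TryGetValue(email, out user) ? user : null;
    }
}
```

Call `ClientCertUserMapper.ResolveUser(Request)` from `Application_AuthenticateRequest` (or an `IHttpModule`) and build the request's principal from the returned name; if your user certs come from an intermediate CA rather than a root, compare the thumbprint of the chain element one step below the root instead of the root itself.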