- Article
Overview
<clientCertificateMappingAuthentication> element of the <authentication> element specifies whether client certificate mapping using Active Directory is enabled for Internet Information Services (IIS) 7.
Note
Client Certificate Mapping authentication using Active Directory differs from Client Certificate Mapping authentication using IIS in the following ways:
- Client Certificate Mapping authentication using Active Directory - this method of authentication requires that the IIS 7 server is a member of an Active Directory domain, and user accounts are stored in Active Directory. This method of client certificate authentication has reduced performance due to the round-trip to the Active Directory server.
- IIS Client Certificate Mapping authentication - this method of authentication does not require Active Directory and therefore works with standalone servers. This method of client certificate authentication has increased performance, but required more configuration and requires access to client certificates in order to create mappings.
For more information, see Configuring Authentication in IIS 7.0 on the Microsoft TechNet Web site.
Compatibility
| Version | Notes |
|---|---|
| IIS 10.0 | The <clientCertificateMappingAuthentication> element was not modified in IIS 10.0. |
| IIS 8.5 | The <clientCertificateMappingAuthentication> element was not modified in IIS 8.5. |
| IIS 8.0 | The <clientCertificateMappingAuthentication> element was not modified in IIS 8.0. |
| IIS 7.5 | The <clientCertificateMappingAuthentication> element was not modified in IIS 7.5. |
| IIS 7.0 | The <clientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0. |
| IIS 6.0 | N/A |
Setup
The <clientCertificateMappingAuthentication> element is not available on the default installation of IIS 7 and later. To install it, use the following steps.
Windows Server 2012 or Windows Server 2012 R2
- On the taskbar, click Server Manager.
- In Server Manager, click the Manage menu, and then click Add Roles and Features.
- In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
- On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select Client Certificate Mapping Authentication. Click Next.
. - On the Select features page, click Next.
- On the Confirm installation selections page, click Install.
- On the Results page, click Close.
Windows 8 or Windows 8.1
- On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
- In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
- Expand Internet Information Services, expand World Wide Web Services, expand Security, and then select Client Certificate Mapping Authentication.
- Click OK.
- Click Close.
Windows Server 2008 or Windows Server 2008 R2
- On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
- In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
- In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
- On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication, and then click Next.
- On the Confirm Installation Selections page, click Install.
- On the Results page, click Close.
Windows Vista or Windows 7
- On the taskbar, click Start, and then click Control Panel.
- In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
- Expand Internet Information Services, then select Client Certificate Mapping Authentication, and then click OK.
How To
How to enable client certificate mapping authentication for a server
Open Internet Information Services (IIS) Manager:
If you are using Windows Server 2012 or Windows Server 2012 R2:
- On the taskbar, click Server Manager, click Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows 8 or Windows 8.1:
- Hold down the Windows key, press the letter X, and then click Control Panel.
- Click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
If you are using Windows Server 2008 or Windows Server 2008 R2:
- On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.
If you are using Windows Vista or Windows 7:
- On the taskbar, click Start, and then click Control Panel.
- Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.
In the Connections pane, click the server name.
In the server's Home pane, double-click Authentication.
On the Authentication page, click Enable in the Actions pane.
Configuration
Attributes
| Attribute | Description |
|---|---|
enabled | Optional Boolean attribute. Specifies whether Client Certificate Mapping authentication using Active Directory is enabled. For this setting to take effect, you must set this attribute with IIS Manager. If you use any other method to set this attribute, you must restart the Web server for the setting to take effect. The default value is |
Child Elements
None.
Configuration Sample
The following configuration sample enables client certificate mapping authentication using Active Directory for the Default Web Site, and configures the site to require SSL and negotiate client certificates.
<location path="Default Web Site"> <system.webServer> <security> <access sslFlags="Ssl, SslNegotiateCert" /> <authentication> <windowsAuthentication enabled="false" /> <anonymousAuthentication enabled="false" /> <digestAuthentication enabled="false" /> <basicAuthentication enabled="false" /> <clientCertificateMappingAuthentication enabled="true" /> </authentication> </security> </system.webServer></location>Sample Code
The following code samples enable client certificate mapping authentication using Active Directory for the Default Web Site, and configure the site to require SSL and negotiate client certificates.
AppCmd.exe
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphostappcmd.exe set config "Default Web Site" -section:system.webServer/security/access /sslFlags:"Ssl, SslNegotiateCert" /commit:apphostNote
You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
C#
using System;using System.Text;using Microsoft.Web.Administration;internal static class Sample{ private static void Main() { using (ServerManager serverManager = new ServerManager()) { Configuration config = serverManager.GetApplicationHostConfiguration(); ConfigurationSection clientCertificateMappingAuthenticationSection = config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", "Default Web Site"); clientCertificateMappingAuthenticationSection["enabled"] = true; ConfigurationSection accessSection = config.GetSection("system.webServer/security/access", "Default Web Site"); accessSection["sslFlags"] = @"Ssl, SslNegotiateCert"; serverManager.CommitChanges(); } }}VB.NET
Imports SystemImports System.TextImports Microsoft.Web.AdministrationModule Sample Sub Main() Dim serverManager As ServerManager = New ServerManager Dim config As Configuration = serverManager.GetApplicationHostConfiguration Dim clientCertificateMappingAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", "Default Web Site") clientCertificateMappingAuthenticationSection("enabled") = True Dim accessSection As ConfigurationSection = config.GetSection("system.webServer/security/access", "Default Web Site") accessSection("sslFlags") = "Ssl, SslNegotiateCert" serverManager.CommitChanges() End SubEnd ModuleJavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";var clientCertificateMappingAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site");clientCertificateMappingAuthenticationSection.Properties.Item("enabled").Value = true;var accessSection = adminManager.GetAdminSection("system.webServer/security/access", "MACHINE/WEBROOT/APPHOST/Default Web Site");accessSection.Properties.Item("sslFlags").Value = "Ssl, SslNegotiateCert";adminManager.CommitChanges();VBScript
Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"Set clientCertificateMappingAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site")clientCertificateMappingAuthenticationSection.Properties.Item("enabled").Value = TrueSet accessSection = adminManager.GetAdminSection("system.webServer/security/access", "MACHINE/WEBROOT/APPHOST/Default Web Site")accessSection.Properties.Item("sslFlags").Value = "Ssl, SslNegotiateCert"adminManager.CommitChanges()