Overview<clientCertificateMappingAuthentication> element of the <authentication> element specifies whether client certificate mapping using Active Directory is enabled for Internet Information Services (IIS) 7.Note: Client Certificate Mapping authentication using Active Directory differs from Client Certificate Mapping authentication using IIS in the following ways:Client Certificate Mapping authentication using Active Directory - this method of authentication requires that the IIS 7 server and client computer are members of an Active Directory domain, and user accounts are stored in Active Directory. This method of client certificate authentication has reduced performance due to the round-trip to the Active Directory server.IIS Client Certificate Mapping authentication - this method of authentication does not require Active Directory and therefore works with standalone servers. This method of client certificate authentication has increased performance, but required more configuration and requires access to client certificates in order to create mappings.For more information, see Configuring Authentication in IIS 7.0 on the Microsoft TechNet Web site.CompatibilityVersionNotesIIS 7.5The <clientCertificateMappingAuthentication> element was not modified in IIS 7.5.IIS 7.0The <clientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0.IIS 6.0N/ASetupThe <clientCertificateMappingAuthentication> element is not available on the default installation of IIS 7. To install it, use the following steps.WINDOWS SERVER 2008 OR WINDOWS SERVER 2008 R2On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.On the Select Role Services page of the Add Role Services Wizard, select Client Certificate Mapping Authentication, and then click Next.
On the Confirm Installation Selections page, click Install.On the Results page, click Close.WINDOWS VISTA OR WINDOWS 7On the taskbar, click Start, and then click Control Panel.In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.Expand Internet Information Services, then select Client Certificate Mapping Authentication, and then click OK.
How ToHOW TO ENABLE CLIENT CERTIFICATE MAPPING AUTHENTICATION FOR A SERVEROpen Internet Information Services (IIS) Manager:If you are using Windows Server 2008 or Windows Server 2008 R2:On the taskbar, click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.If you are using Windows Vista or Windows 7:On the taskbar, click Start, and then click Control Panel.Double-click Administrative Tools, and then double-click Internet Information Services (IIS) Manager.In the Connections pane, click the server name.In the server's Home pane, double-click Authentication.
On the Authentication page, click Enable in the Actions pane.
ConfigurationATTRIBUTESAttributeDescriptionenabledOptional Boolean attribute.Specifies whether Client Certificate Mapping authentication using Active Directory is enabled. For this setting to take effect, you must set this attribute with IIS Manager. If you use any other method to set this attribute, you must restart the Web server for the setting to take effect.The default value is false.CHILD ELEMENTSNone.CONFIGURATION SAMPLEThe following configuration sample enables client certificate mapping authentication using Active Directory for the Default Web Site, and configures the site to require SSL and negotiate client certificates.<location path="Default Web Site"><system.webServer><security><access sslFlags="Ssl, SslNegotiateCert" /><authentication><windowsAuthentication enabled="false" /><anonymousAuthentication enabled="false" /><digestAuthentication enabled="false" /><basicAuthentication enabled="false" /><clientCertificateMappingAuthentication enabled="true" /></authentication></security></system.webServer></location>Sample CodeThe following code samples enable client certificate mapping authentication using Active Directory for the Default Web Site, and configure the site to require SSL and negotiate client certificates.APPCMD.EXEappcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphostappcmd.exe set config "Default Web Site" -section:system.webServer/security/access /sslFlags:"Ssl, SslNegotiateCert" /commit:apphostNote: You must be sure to set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.C#using System;using System.Text;using Microsoft.Web.Administration;internal static class Sample{private static void Main(){using (ServerManager serverManager = new ServerManager()){Configuration config = serverManager.GetApplicationHostConfiguration();ConfigurationSection clientCertificateMappingAuthenticationSection = config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", "Default Web Site");clientCertificateMappingAuthenticationSection["enabled"] = true;ConfigurationSection accessSection = config.GetSection("system.webServer/security/access", "Default Web Site");accessSection["sslFlags"] = @"Ssl, SslNegotiateCert";serverManager.CommitChanges();}}}VB.NETImports SystemImports System.TextImports Microsoft.Web.AdministrationModule SampleSub Main()Dim serverManager As ServerManager = New ServerManagerDim config As Configuration = serverManager.GetApplicationHostConfigurationDim clientCertificateMappingAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", "Default Web Site")clientCertificateMappingAuthenticationSection("enabled") = TrueDim accessSection As ConfigurationSection = config.GetSection("system.webServer/security/access", "Default Web Site")accessSection("sslFlags") = "Ssl, SslNegotiateCert"serverManager.CommitChanges()End SubEnd ModuleJAVASCRIPTvar adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";var clientCertificateMappingAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site");clientCertificateMappingAuthenticationSection.Properties.Item("enabled").Value = true;var accessSection = adminManager.GetAdminSection("system.webServer/security/access", "MACHINE/WEBROOT/APPHOST/Default Web Site");accessSection.Properties.Item("sslFlags").Value = "Ssl, SslNegotiateCert";adminManager.CommitChanges();VBSCRIPTSet adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"Set clientCertificateMappingAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/clientCertificateMappingAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site")clientCertificateMappingAuthenticationSection.Properties.Item("enabled").Value = TrueSet accessSection = adminManager.GetAdminSection("system.webServer/security/access", "MACHINE/WEBROOT/APPHOST/Default Web Site")accessSection.Properties.Item("sslFlags").Value = "Ssl, SslNegotiateCert"adminManager.CommitChanges()
