IIS7 – Configuring iisClientCertificateMappingAuthentication using appcmd
As you know there is no UI to configure iisClientCertificateMappingAuthentication in IIS7, it takes a little more time to configure the site for the same. Here is an article in the iis.net site which explains the steps one by one.
Configuring One-to-One Client Certificate Mappings
You can also use Ulad’s VBScript to configure the mapping of the certificate, and the user credentials. I was working with one of my colleague who was trying to automate this configuration. One interesting thing to note here is these one-to-one certificate configurations MUST be present in the website level. So, if you want only your virtual directory to be using this iisClientCertificateMappingAuthentication, you need to specify the certificate-useraccount mapping configurations on the website level, and set the iisClientCertificateMappingAuthentication not enabled. And, just enable the iisClientCertificateMappingAuthentication only on the virtual directory (or application) level.
Below are the appcmd commands needed for the same (after configuring the one-to-one configuration using Ulad’s VBScript):
In this example, we will configure the IIS client certificate authentication only on the Virtual Directory level:
// disable the IIS client certificate authentication at the website level (our website is “Default Web Site”, and Vdir is “Myapplication”)
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:false /commit:appHost
// disable anonymous authentication on the virtual directory
appcmd.exe set config "Default Web Site/Myapplication" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:appHost
// disable windows authentication on the virtual directory
appcmd.exe set config “Default Web Site/Myapplication" -section:system.webServer/security/authentication/windowsAuthentication /enabled:false /commit:appHost
// enable iisClientCertificateMappingAuthentication, and oneToOneCertificateMappingsEnabled for the virtual directory
appcmd.exe set config "Default Web Site/Myapplication" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:true /oneToOneCertificateMappingsEnabled:true /commit:appHost
// set the SSL flags to require Client Certificates from the client connections
appcmd.exe set config "Default Web Site/Myapplication" -section:system.webServer/security/access /sslFlags:"Ssl, SslNegotiateCert, SslRequireCert" /commit:apphost
Hope this helps!