sslClientCertificates Element for security for ftpServer for site for sites [IIS Settings Schema]

Note

For more information about the sslClientCertificates element, see the following topic on the Microsoft IIS.net Web site: FTP SSL Client Certificates <sslClientCertificates>.

Specifies the SSL client certificate options for an FTP site.

Syntax

Attributes and Elements

The following sections describe attributes, child elements, and parent elements for this section.

Attributes

Attribute

Description

clientCertificatePolicy

Optional enum attribute.

Specifies the client certificate policy.

Value / Description

CertIgnore: Specifies that client certificates will not be negotiated for the SSL session. The numeric value is 0.

CertAllow: Specifies that client certificates will be allowed. If the client chooses to send a certificate, then the certificate must be valid and the server must be able to successfully validate it. The numeric value is 1.

CertRequire: Specifies that client certificates will be required. FTP clients will not be allowed to connect unless they send a valid client certificate to the server. The numeric value is 2.

The default value is CertIgnore.

validationFlags

Optional flags attribute.

Specifies the flags that affect client certificate validation.

Value / Description

NoRevocationCheck: Specifies that certificate revocation checks will be skipped. The numeric value is 1.

Note

It is not recommended to skip revocation validation.

CertChainRevocationCheckCacheOnly: Specifies that revocation checking only accesses cached URLs. The numeric value is 2.

CertChainCacheOnlyUrlRetrieval: Specifies that only cached URLs are used when building a certificate chain. The Internet and intranet are not searched for URL-based objects. The numeric value is 4.

CertNoUsageCheck: Specifies that the client certificate is not checked for usage flags. The usage check is enabled by default and is meant to ensure that only client certificates that allow "Client Authentication" are accepted. The numeric value is 8.

There is no default value.

revocationFreshnessTime

Optional timeSpan attribute.

Specifies the amount of time the revocation list is valid.

The default value is 00:00:00.

revocationUrlRetrievalTimeout

Optional timeSpan attribute.

Specifies the timeout for retrieving certificate revocation information.

The default value is 00:01:00.

useActiveDirectoryMapping

Optional Boolean attribute.

true if Active Directory mapping should be allowed for client certificates; otherwise, false. Active Directory mapping allows domain users to log on by using a client certificate that is configured in Active Directory.

Note

This feature only allows the SSL layer to attempt to map a client certificate to a user token; the token will not be used automatically. The clientCertAuthentication element is used to enable the mapped token for use by FTP instead of credentials specified through "USER" and "PASS" commands.

The default value is false.

Child Elements

None.

Parent Elements

Element

Description

configuration

Specifies the root element in every configuration file that is used by IIS 7.

system.applicationHost

Specifies the root element for configuring Web process settings.

sites

Defines all sites on the server, and all applications and virtual directories in those sites.

site

Specifies configuration settings for a site.

ftpServer

Specifies the site-level settings for FTP features for FTP sites.

security

Specifies the site-level security options for an FTP site.
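The following ApplicationHost.config fragment is an added example, not part of the IIS Settings Schema page, placing the element under the parent chain described above; the site names and ids are constructed placeholders, and the flag values are combined comma-separated as IIS does for other flags attributes. It contrasts a weak configuration with a hardened one using only the attributes documented here.

```xml
<!-- Added example (not from the schema page). Site names/ids are placeholders. -->
<configuration>
  <system.applicationHost>
    <sites>
      <!-- Weak: CertAllow leaves the client certificate optional, so USER/PASS
           logons are still accepted; NoRevocationCheck means a revoked
           certificate is still honoured; CertNoUsageCheck lets a certificate
           issued for some other purpose pass as a client-authentication cert. -->
      <site name="ExampleFtpSite-Weak" id="1">
        <ftpServer>
          <security>
            <sslClientCertificates clientCertificatePolicy="CertAllow"
                                   validationFlags="NoRevocationCheck,CertNoUsageCheck" />
          </security>
        </ftpServer>
      </site>

      <!-- Hardened: CertRequire rejects any connection without a valid client
           certificate; validationFlags is omitted (no default), so revocation
           and the "Client Authentication" usage check both stay enabled; the
           cached revocation list is refreshed hourly and CRL/OCSP retrieval is
           bounded at 30 seconds so an unreachable endpoint fails closed quickly
           rather than stalling. useActiveDirectoryMapping only lets the SSL
           layer map the certificate to a user token; per the page, the token is
           not used for logon unless the clientCertAuthentication element
           (not shown here) enables it. -->
      <site name="ExampleFtpSite-Hardened" id="2">
        <ftpServer>
          <security>
            <sslClientCertificates clientCertificatePolicy="CertRequire"
                                   revocationFreshnessTime="01:00:00"
                                   revocationUrlRetrievalTimeout="00:00:30"
                                   useActiveDirectoryMapping="true" />
          </security>
        </ftpServer>
      </site>
    </sites>
  </system.applicationHost>
</configuration>
```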

Remarks

For more information about the sslClientCertificates element, see the following topic on the Microsoft IIS.net Web site: FTP SSL Client Certificates <sslClientCertificates>.

Element Information

Configuration locations

ApplicationHost.config

Requirements

IIS 7

See Also

Reference

security Element for ftpServer for site for sites [IIS Settings Schema]