Map Client Certificates by Using Active Directory Mapping (IIS 7)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

When you want to use Windows Active Directory to authenticate domain users who have client certificates, configure Active Directory certificate mapping. If you use Active Directory certificate mapping, you cannot use IIS certificate mapping.

Before you start this procedure, make sure that you complete the following tasks:

  1. Install and configure a domain controller. For more information, see Using the Active Directory Installation Wizard on the Microsoft Windows TechCenter.

  2. Set up a certification authority (CA) for the domain. For more information, see Set Up a Certification Authority on the Microsoft Windows TechCenter.

  3. Submit a user certificate request to the domain CA. For more information, see Submit a user certificate request by way of the Web to a Windows Server CA on the Microsoft Windows TechCenter.

  4. Configure Secure Sockets Layer (SSL) for your site, application, virtual or physical directory, or file (URL). For more information, see Configuring Secure Sockets Layer in IIS 7.

  5. Map a certificate to a user account. For more information, see Map a certificate to a user account on the Microsoft Windows TechCenter.


Active Directory certificate mapping cannot be used with a self-signed certificate. You must use either a domain certificate or an Internet certificate.


For information about the levels at which you can perform this procedure, and the modules, handlers, and permissions that are required to perform this procedure, see Server Certificates Feature Requirements (IIS 7).

Exceptions to Feature Requirements

  • None


  • CertificateMappingAuthenticationModule

To map client certificates by using Active Directory mapping

You can perform this procedure by using the user interface (UI), by editing configuration files directly, or by writing WMI scripts.

User Interface

To use the UI

  1. Open IIS Manager and navigate to the server level. For information about opening IIS Manager, see Open IIS Manager (IIS 7). For information about navigating to locations in the UI, see Navigation in IIS Manager (IIS 7).

  2. In Features View, double-click Authentication.

  3. On the Authentication page, disable any authentication methods that are currently enabled.

  4. Select Active Directory Client Certificate Authentication from the list and then click Enable in the Actions pane.




The procedure in this topic affects the following configuration elements:

  • <clientCertificateMappingAuthentication>

For more information about IISĀ 7 configuration, see IIS 7.0: IIS Settings Schema on MSDN.


Use the following WMI classes, methods, or properties to perform this procedure:

  • ClientCertificateMappingAuthenticationSection class

  • SSLBinding.SSLUseDsMapper property

  • AccessSection.SSLFlags property

  • AuthenticationSection.Mode property (specifies Windows authentication)

For more information about WMI and IIS, see Windows Management Instrumentation (WMI) in IIS 7. For more information about the classes, methods, or properties associated with this procedure, see the IIS WMI Provider Reference on the MSDN site.

See Also


Create a Domain Server Certificate in IIS 7