

How to configure IIS client certificate mapping authentication for IIS7

There are several articles on configuring mutual (client) certificate authentication on IIS, but the steps in them are not always clear. Here is a detailed, step-by-step procedure for configuring IIS Client Certificate Mapping Authentication on IIS 7.

First, the prerequisites:

  1. The root certificate of a trusted CA.

  2. A server certificate, with its private key, issued by a trusted CA.

  3. A client certificate, with its private key, issued by a CA that the server trusts.

Server side:

Install the server certificate on the server.

1. Open an MMC console (mmc.exe), add the Certificates snap-in and choose Computer account (Local Computer).


2. Import the CA root certificate into Trusted Root Certification Authorities and the server certificate (.pfx, with its private key) into Personal. Schannel builds the chain of the certificate a client presents from the Local Computer stores, so the root that issued the client certificates must be in this Trusted Root store as well; intermediate CA certificates belong in Intermediate Certification Authorities, not in Trusted Root, or client certificate validation fails.


IIS configuration:

1. Open IIS Manager (inetmgr), select the server node and open Server Certificates.


2. Import the server certificate (Actions > Import..., pointing at the .pfx file and its password).


3. Select the website that needs mutual certificate authentication, click Bindings..., add (or edit) an https binding on port 443 and pick the imported server certificate in the SSL certificate drop-down list.


4. Open SSL Settings in the middle pane, check Require SSL and set Client certificates to Require. With Require, a client that presents no certificate is refused with HTTP 403.7 (client certificate required); Accept would let such a request through, which defeats the purpose here.


5. Double-click the Authentication icon and disable every listed method (Anonymous Authentication in particular), so that nothing but the certificate mapping configured below can grant access.


6. Make sure the IIS Client Certificate Mapping Authentication role service is installed; it is not part of the default IIS installation.


If not, install it from Server Manager: Roles > Web Server (IIS) > Add Role Services > Security > IIS Client Certificate Mapping Authentication.


7. Click Configuration Editor in the middle pane, open the section system.webServer/security/authentication/iisClientCertificateMappingAuthentication, set enabled and oneToOneCertificateMappingsEnabled to True, and add an entry to the oneToOneMappings collection with the Windows user name and password to log on as and, in the certificate attribute, the Base64 text of the client certificate (the .cer exported as Base-64, with the BEGIN/END lines removed and joined into a single line). A walkthrough of the one-to-one mapping is at https://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx .

You can also configure the mappings through a UI by installing the Client Certificate Mapping UI module: https://www.iis.net/downloads/community/2009/08/iis-70-ui-module-for-client-certificate-mapping
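The server-side steps 4 to 7 as one script, added here as an example and not part of the original post. It uses the WebAdministration PowerShell module that ships with IIS 7.5 (on IIS 7.0 install the PowerShell snap-in, or use the appcmd equivalents in the trailing comment). The site name, the path of the exported client certificate and the local account the mapping logs on as are hypothetical values.

```powershell
# Added example, not part of the original post: server-side steps 4 to 7 as one script.
# Hypothetical values: site name, client certificate path and the Windows account to map to.
Import-Module WebAdministration

$site    = 'Default Web Site'
$cerPath = 'C:\certs\client.cer'            # the client's public certificate (no private key)
$mapUser = "$env:COMPUTERNAME\certuser"     # least-privilege local account the mapped requests run as
$apphost = 'MACHINE/WEBROOT/APPHOST'
$secure  = Read-Host -AsSecureString "Password for $mapUser"
$bstr    = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$mapPass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Step 4: require SSL, negotiate a client certificate and require one.
Set-WebConfigurationProperty -PSPath $apphost -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 5: disable every other authentication method so only the certificate mapping can
# grant access. These sections are locked to applicationHost.config, hence -Location
# rather than writing the site's web.config.
foreach ($auth in 'anonymousAuthentication', 'basicAuthentication',
                  'digestAuthentication', 'windowsAuthentication') {
    Set-WebConfigurationProperty -PSPath $apphost -Location $site `
        -Filter "system.webServer/security/authentication/$auth" -Name 'enabled' -Value $false
}

# Step 7: enable IIS client certificate mapping and add a one-to-one mapping.
# The certificate attribute is the Base64 of the DER certificate, exactly what a
# Base-64 .cer contains once the BEGIN/END lines are stripped and the lines joined.
$cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$blob   = [Convert]::ToBase64String($cert.Export('Cert'))
$filter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name 'oneToOneCertificateMappingsEnabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $filter -Name 'manyToOneCertificateMappingsEnabled' -Value $false
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$filter/oneToOneMappings" -Name '.' `
    -Value @{ enabled = $true; userName = $mapUser; password = $mapPass; certificate = $blob }

# Check: read the configuration back the way IIS will see it. The password attribute is
# stored encrypted in applicationHost.config (IIS's AesProvider), so it is not echoed here,
# but any administrator who can read that file can decrypt it with appcmd.
Get-WebConfigurationProperty -PSPath $apphost -Location $site -Filter 'system.webServer/security/access' -Name 'sslFlags'
Get-WebConfiguration -PSPath $apphost -Location $site -Filter "$filter/oneToOneMappings/add" |
    Select-Object enabled, userName, @{ n = 'subject'; e = { $cert.Subject } },
                  @{ n = 'certMatches'; e = { $_.certificate -eq $blob } }

# Equivalent appcmd commands for IIS 7.0 (run from %windir%\system32\inetsrv):
#   appcmd set config "Default Web Site" -section:system.webServer/security/access /sslFlags:"Ssl,SslNegotiateCert,SslRequireCert" /commit:apphost
#   appcmd set config "Default Web Site" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:"True" /oneToOneCertificateMappingsEnabled:"True" /+"oneToOneMappings.[userName='.\certuser',password='...',certificate='<base64>']" /commit:apphost
```

IIS compares the whole certificate blob, so the mapping only matches the exact certificate that was exported; a renewed client certificate needs a new mapping entry. Because every request that matches runs under the mapped Windows account, give that account only the NTFS rights the site content needs.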

On the client side:

1. Open an MMC console with the Certificates snap-in for My user account (Current User), import the client certificate (.pfx, with its private key) into Personal and the CA root certificate into Trusted Root Certification Authorities.


2. Check that the client certificate appears in Internet Options > Content > Certificates, on the Personal tab.


3. Browse to the website; a dialog asking which client certificate to send will pop up. By default Internet Explorer does not show this dialog when only one client certificate is available. To see the prompt anyway, go to Internet Options > Security, select the zone the site is in, click Custom level... and set "Don't prompt for client certificate selection when only one certificate exists" to Disable.


4. The page loads, and the request runs as the Windows account the certificate is mapped to.

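When the browser shows only "403 Forbidden" instead of the page, the reason is in the sc-substatus column of the IIS W3C log (by default under %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteId>\). The script below, added here as an example and not part of the original post, reads those entries and maps the substatus to its meaning; the log lines it runs on are constructed for the example, and the hostnames, addresses and account in them are made up.

```powershell
# Added example, not part of the original post: explain 403 responses from the IIS W3C log.
# The sample log below is constructed; the addresses and account are made up.
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-08-26 10:01:02 10.0.0.5 GET / - 443 - 10.0.0.20 Mozilla/5.0 403 7 0 15
2014-08-26 10:01:40 10.0.0.5 GET / - 443 - 10.0.0.20 Mozilla/5.0 403 16 2148204809 12
2014-08-26 10:02:11 10.0.0.5 GET / - 443 CONTOSO\certuser 10.0.0.20 Mozilla/5.0 200 0 0 20
'@

# IIS 403 substatus values that matter for client certificate authentication.
$reasons = @{
    '4'  = 'SSL required: the request came in over plain HTTP'
    '7'  = 'Client certificate required: the browser sent none (no usable certificate in the Current User Personal store, or the prompt was cancelled)'
    '12' = 'Mapper denied access: the certificate passed SSL but the mapping rules did not allow it'
    '13' = 'Client certificate revoked'
    '16' = 'Client certificate untrusted or invalid: the server cannot chain it to a root in the Local Computer Trusted Root store'
    '17' = 'Client certificate expired or not yet valid'
}

function Get-ClientCertFailure {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive names the columns; W3C logs may repeat it after a restart.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line -like '#*' -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -ne '403') { continue }
        $sub = $row['sc-substatus']
        $reason = if ($reasons.ContainsKey($sub)) { $reasons[$sub] } else { 'see the IIS 403 substatus reference' }
        [pscustomobject]@{
            Time   = '{0} {1}' -f $row['date'], $row['time']
            Client = $row['c-ip']
            Status = "403.$sub"
            Win32  = '0x{0:X8}' -f [int64]$row['sc-win32-status']   # 0x800B0109 is CERT_E_UNTRUSTEDROOT
            Reason = $reason
        }
    }
}

# Run over the constructed sample; point -Lines at Get-Content of a real log file instead.
Get-ClientCertFailure -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

On the sample, the first request shows 403.7 (no certificate was sent, typically the certificate is not in the Current User Personal store) and the second 403.16 with CERT_E_UNTRUSTEDROOT (the client's issuing root is not in the server's Local Computer Trusted Root store). The sc-substatus and sc-win32-status columns are not logged unless they are selected in the site's Logging feature, so enable them before reproducing the failure.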

Regards,

Chao Liang from GBSD DSI Team

Comments

  • Anonymous
    May 19, 2014
    Great help, thanks

  • Anonymous
    August 26, 2014
    Hi, I followed your steps but I am getting an error message. The error message that I am seeing is "(Error (HTTP 403 Forbidden) means that Internet Explorer was able to connect to the website, but it does not have permission to view the web page)". Any help?

  • Anonymous
    September 25, 2014
    Met it too :( fighting this error for weeks

  • Anonymous
    October 07, 2014
    great help, it works!

  • Anonymous
    November 24, 2014
    You may want to check the IE settings:
    Configuring IE with client certificate
    On the workstation open IE -> go to Internet Options -> Content -> Certificates. Click on Import and select the client certificate.
    Under Internet Options -> Security -> select Custom level and enable the setting "Don't prompt for client certificate selection when only one certificate exists".
    When there is only one client certificate in the personal store, the site connection will not prompt for client certificate selection when the above option is selected.

  • Anonymous
    January 11, 2015
    Is there a way to call for authentication in one button in .NET, for example? I need to sign an XML document; I do not need logging in or authentication.