Authenticate Clients Using Smart Cards

Applies To: Windows Server 2008

If you are using smart cards in your organization to provide additional security and control over user credentials, users can now present those smart cards as authentication credentials to obtain rights account certificates (RACs) and use licenses from servers in the AD RMS cluster.

Note

The steps in this procedure assume that a Secure Sockets Layer (SSL) certificate has already been installed. For more information about adding SSL, see Import an SSL Certificate Using Internet Information Services (IIS) Manager.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To add Client Certificate Mapping Authentication role service

  1. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. Expand Roles, and then click Web Server (IIS).

  4. In the results pane under Role Services, click Add Role Services.

  5. Select the Client Certificate Mapping Authentication check box, and then click Next.

  6. Click Install.

  7. When the role service is added, click Close.

Next, configure the authentication method in IIS:

To configure the authentication method in IIS

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the console tree, expand the server name.

  4. In the results pane of the server Home page, double-click Authentication to open the Authentication page.

  5. In the results pane of the Authentication page, right-click AD Client Certificate Authentication, and then click Enable.

  6. Close IIS Manager.

Finally, enable client authentication for the Web site that is hosting AD RMS:

To enable client authentication on a Web site hosting AD RMS

  1. Click Start, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the console tree, expand the server name.

  4. Expand Sites, and then expand the Web site that is hosting AD RMS. By default, the Web site name is Default Web site.

  5. In the console tree, expand _wmcs, right-click either the certification virtual directory (to support RACs) or the licensing virtual directory (to support use licenses), and then click Switch to Content View.

  6. In the results pane of the Content View, right-click certification.asmx or license.asmx as appropriate, and then choose Switch to Features View.

  7. In the results pane on the Home page, double-click SSL Settings.

  8. Choose the appropriate Client certificates setting (Accept or Require). You should accept client certificates if you want clients to have the option to supply authentication credentials by using either a smart card certificate or a user name and password. You should require client certificates if you want only clients with client-side certificates such as smart cards to be able to connect to the service.

  9. Click Apply.

  10. If you want to use client authentication for both certification and licensing, repeat this procedure but select the alternate virtual directory the second time.

  11. Close IIS Manager.

  12. Repeat steps 1–10 for every server in the AD RMS cluster.

Next, you need to force the authentication method to use Client Certificate Mapping Authentication for the AD RMS cluster.

To force the client authentication method in the applicationhost.config file

  1. To open an elevated Command Prompt window, click Start, point to All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. Navigate to %windir%\system32\inetsrv\config.

  3. Type notepad applicationhost.config, and then press ENTER.

Warning

You should make a backup copy of this file before making changes.

  1. In the applicationhost.config file, go to the section that resembles <location path="Default Web Site/_wmcs/certification/certification.asmx">.

Note

The exact location path depends on the file or virtual directory on which you are trying to enforce client certificate mapping.

  1. If you want to allow smart card authentication in addition to Windows authentication, do the following:

    1. Change:

      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />

      To:

      <access sslFlags="Ssl, SslNegotiateCert, Ssl128" />

    2. Add a new line under <windowsAuthentication enabled="true" />, and then type:

      <clientCertificateMappingAuthentication enabled="true" />

  2. If you want to allow only smart card authentication, do the following. Leave the access element unchanged so that Internet Information Services continues to require SSL client certificate authentication.

    1. Add a new line under <windowsAuthentication enabled="true" />, and then type:

      <clientCertificateMappingAuthentication enabled="true" />

    2. Change:

      <windowsAuthentication enabled="true" />

      To:

      <windowsAuthentication enabled="false" />

    3. Click File, click Save, and then close Notepad.

    4. In the command prompt window, type iisreset, and then press ENTER.

Warning

Running iisreset from a command prompt will restart the services associated with Internet Information Services.

  1. Repeat steps 1–5 for every server in the AD RMS cluster.
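As an added illustration, not taken from the original page, the two location elements below show the end state of the edits above side by side for the certification pipeline. They assume the default site name and path shown in the steps; the nesting of the access and authentication elements follows the applicationhost.config schema, and only one of the two variants would exist in a real file.

```xml
<!-- Added example, not from the original page. Both variants target the
     certification pipeline; use _wmcs/licensing/license.asmx for use licenses.
     Only one variant is present in a real applicationhost.config. -->

<!-- Variant A: smart card OR user name and password.
     SslRequireCert is removed so a client without a certificate can still
     fall back to Windows authentication. -->
<location path="Default Web Site/_wmcs/certification/certification.asmx">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, Ssl128" />
      <authentication>
        <windowsAuthentication enabled="true" />
        <clientCertificateMappingAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>

<!-- Variant B: smart card only.
     SslRequireCert stays so IIS refuses requests from clients that present
     no certificate, and Windows authentication is disabled so there is no
     password fallback. -->
<location path="Default Web Site/_wmcs/certification/certification.asmx">
  <system.webServer>
    <security>
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert, Ssl128" />
      <authentication>
        <windowsAuthentication enabled="false" />
        <clientCertificateMappingAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
</location>
```

After iisreset, you can confirm what was committed for a given path with appcmd list config "Default Web Site/_wmcs/certification/certification.asmx" -section:system.webServer/security/access (and the corresponding authentication sections) from the same elevated command prompt.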

After these settings have been configured, a user who attempts to open rights-protected content published by this AD RMS cluster is prompted to provide authentication credentials before the cluster provides the user with a RAC or use license.
