Share via


Avoid this confusion around Client certificate mapping in IIS 6.0/7.0

I just wanted to add this quick post around Client certificate Mapping on IIS. This is focused on 1-to-1/Many-to-1 mapping in IIS 6.0/7.0.

If you are interested to know more about configuring Client certificate mapping in IIS 6.0 please check this post of mine and for IIS 7.0 this is an excellent article.

Recently a colleague of mine and I was working on this issue for one of our internal teams and after some real slogging we figured out that one *cannot* set this mapping at any Virtual directory/Application level in IIS.

One has to set the Client certificate mapping at the specific Web site level only!

image This is wrong!

image This is right!

I couldn't find a documentation on this so thought of putting this as a short post for general audience in case someone is scratching their head over this.

Cheers!

Comments

  • Anonymous
    December 09, 2013
    Thank you! I spent a week trying to figure this out. I can't understand why the option is even present at the virtual directory or application level.

  • Anonymous
    October 07, 2014
    That's Microsoft for ya.  You would think they could do a much better job with client certificate mapping.  Why do I even have to associate an account with a mapping?  All I want is for iis to verify that the client cert is in the list!

  • Anonymous
    November 20, 2014
    The comment has been removed

  • Anonymous
    October 26, 2016
    THanks a lot, this really helped me. However, so far, I have to configure this mapping at both web site AND application to make it work (but my application is already a "sub application" of an application of this web site).