IIS Client Certificate Mapping Authentication <iisClientCertificateMappingAuthentication>
Overview
The <iisClientCertificateMappingAuthentication>
element of the <authentication>
element specifies the settings for Client Certificate Mapping authentication using IIS.
There are two different methods for mapping client certificates using IIS:
- One-To-One Mappings - these mappings match individual client certificates to individual user accounts on a one-to-one basis; each client certificate is mapped to a user account.
- Many-To-One Mappings - these mappings match multiple certificates to a user account based on subfields in client certificates.
Note
Client Certificate Mapping authentication using IIS differs from Client Certificate Mapping using Active Directory in the following ways:
- Client Certificate Mapping authentication using Active Directory - this method of authentication requires that the IIS 7 server and the client computer are members of an Active Directory domain, and user accounts are stored in Active Directory. This method of Client Certificate Mapping authentication has reduced performance because of the round-trip to the Active Directory server.
- IIS Client Certificate Mapping authentication - this method of authentication does not require Active Directory and therefore works with standalone servers. This method of Client Certificate Mapping authentication has increased performance, but requires more configuration and access to client certificates in order to create mappings.
For more information, see Configuring Authentication in IIS 7.0 on the Microsoft TechNet Web site.
Compatibility
Version | Notes |
---|---|
IIS 10.0 | The <iisClientCertificateMappingAuthentication> element was not modified in IIS 10.0. |
IIS 8.5 | The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.5. |
IIS 8.0 | The <iisClientCertificateMappingAuthentication> element was not modified in IIS 8.0. |
IIS 7.5 | The <iisClientCertificateMappingAuthentication> element was not modified in IIS 7.5. |
IIS 7.0 | The <iisClientCertificateMappingAuthentication> element of the <authentication> element was introduced in IIS 7.0. |
IIS 6.0 | The <iisClientCertificateMappingAuthentication> element replaces the IIS 6.0 IIsCertMapper metabase object. |
Setup
The <iisClientCertificateMappingAuthentication>
element is not available on the default installation of IIS 7 and later. To install it, use the following steps.
Windows Server 2012 or Windows Server 2012 R2
- On the taskbar, click Server Manager.
- In Server Manager, click the Manage menu, and then click Add Roles and Features.
- In the Add Roles and Features wizard, click Next. Select the installation type and click Next. Select the destination server and click Next.
- On the Server Roles page, expand Web Server (IIS), expand Web Server, expand Security, and then select IIS Client Certificate Mapping Authentication. Click Next.
- On the Select features page, click Next.
- On the Confirm installation selections page, click Install.
- On the Results page, click Close.
Windows 8 or Windows 8.1
- On the Start screen, move the pointer all the way to the lower left corner, right-click the Start button, and then click Control Panel.
- In Control Panel, click Programs and Features, and then click Turn Windows features on or off.
- Expand Internet Information Services, expand World Wide Web Services, expand Security, and then select IIS Client Certificate Mapping Authentication.
- Click OK.
- Click Close.
Windows Server 2008 or Windows Server 2008 R2
- On the taskbar, click Start, point to Administrative Tools, and then click Server Manager.
- In the Server Manager hierarchy pane, expand Roles, and then click Web Server (IIS).
- In the Web Server (IIS) pane, scroll to the Role Services section, and then click Add Role Services.
- On the Select Role Services page of the Add Role Services Wizard, select IIS Client Certificate Mapping Authentication, and then click Next.
- On the Confirm Installation Selections page, click Install.
- On the Results page, click Close.
Windows Vista or Windows 7
- On the taskbar, click Start, and then click Control Panel.
- In Control Panel, click Programs and Features, and then click Turn Windows Features on or off.
- Expand Internet Information Services, then select IIS Client Certificate Mapping Authentication, and then click OK.
How To
There is no user interface for configuring IIS Client Certificate Mapping authentication for IIS 7. For examples of how to configure IIS Client Certificate Mapping authentication programmatically, see the Code Samples section of this document.
Configuration
The <iisClientCertificateMappingAuthentication>
element of the <authentication>
element can be configured at the server and site level.
Attributes
Attribute | Description | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
defaultLogonDomain |
Optional String attribute. Specifies the default domain that the server uses to authenticate users. |
||||||||||
enabled |
Optional Boolean attribute. Specifies whether Client Certificate Mapping authentication using IIS is enabled. The default is false . |
||||||||||
logonMethod |
Optional enum attribute. The logonMethod attribute can be one of the following possible values. (For more information on these values, see LogonUser.) The default is ClearText .
|
||||||||||
manyToOneCertificateMappingsEnabled |
Optional Boolean attribute. Specifies whether many-to-one mapping is enabled The default value is true . |
||||||||||
oneToOneCertificateMappingsEnabled |
Optional Boolean attribute. Specifies whether one-to-one mapping is enabled The default value is true . |
Child Elements
Element | Description |
---|---|
manyToOneMappings |
Optional element. Maps client certificates to a set of wildcard criteria that authenticate the certificates and assign a user account. |
oneToOneMappings |
Optional element. Specifies one-to-one client certificate mappings. |
Configuration Sample
The following configuration sample performs the following actions for the Default Web Site:
- Enables IIS Client Certificate Mapping authentication using many-to-one certificate mapping.
- Creates a many-to-one certificate mapping rule for a user account based on the organization field in the subject of the client certificate matching Contoso.
- Configures the site to require SSL and to negotiate client certificates.
<location path="Default Web Site">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<basicAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="true"
manyToOneCertificateMappingsEnabled="true">
<manyToOneMappings>
<add name="Contoso Employees"
enabled="true"
permissionMode="Allow"
userName="Username"
password="[enc:AesProvider:57686f6120447564652c2049495320526f636b73:enc]">
<rules>
<add certificateField="Subject"
certificateSubField="O"
matchCriteria="Contoso"
compareCaseSensitive="true" />
</rules>
</add>
</manyToOneMappings>
</iisClientCertificateMappingAuthentication>
</authentication>
<access sslFlags="Ssl, SslNegotiateCert" />
</security>
</system.webServer>
</location>
The following configuration sample enables IIS Client Certificate Mapping authentication using one-to-one certificate mapping for the Default Web Site, creates a singe one-to-one certificate mapping for a user account, and configures the site to require SSL and to negotiate client certificates.
<location path="Default Web Site">
<system.webServer>
<security>
<access sslFlags="Ssl, SslNegotiateCert" />
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="false" />
<digestAuthentication enabled="false" />
<basicAuthentication enabled="false" />
<iisClientCertificateMappingAuthentication enabled="true"
oneToOneCertificateMappingsEnabled="true">
<oneToOneMappings>
<add enabled="true"
userName="administrator"
password="[enc:57686f6120447564652c2049495320526f636b73:enc]"
certificate="Base64-Encoded-Certificate-Data" />
</oneToOneMappings>
</iisClientCertificateMappingAuthentication>
</authentication>
</security>
</system.webServer>
</location>
How to retrieve Base-64 encoded string from a client certificate
Note
To retrieve a Base-64 encoded certificate data for all of the samples in this topic, you can export a certificate using the following steps:
Click Start, then Run.
Enter MMC, and then click OK.
When the Microsoft Management Console opens, click File, then Add/Remove Snap-ins.
In the Add or Remove Snap-ins dialog box:
- Highlight Certificates in the list of available snap-ins, then click Add.
- Choose to manage certificates for My user account, then click Finish.
- Click OK to close the dialog box.
In the Microsoft Management Console:
- Expand Certificates - Current User, then Personal, then Certificates.
- In the list of certificates, right-click the certificate that you want to export, then click All Tasks, and then click Export.
When the Certificate Export Wizard opens:
- Click Next.
- Choose No, do not export the private key, then click Next.
- Choose Base-64 encoded X.509 9 (.CER) for the export format, then click Next.
- Choose to save the certificate to your desktop as MyCertificate.cer, then click Next.
- Click Finish; you should see a dialog box that says the export was successful.
Close the Microsoft Management Console.
Open the MyCertificate.cer file that you exported using Windows Notepad:
- Remove "-----BEGIN CERTIFICATE-----" from the start of the text.
- Remove "-----END CERTIFICATE-----" from the end of the text.
- Concatenate all the lines into a single line of text - this is the Base-64 encoded certificate data that you will use for all of the samples in this topic.
Sample Code
The following code samples perform the following actions for the Default Web Site:
- Enable IIS Client Certificate Mapping authentication using many-to-one certificate mapping.
- Create a many-to-one certificate mapping rule for a user account based on the organization field in the subject of the client certificate matching Contoso.
- Configure the site to require SSL and to negotiate client certificates.
AppCmd.exe
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:"True" /manyToOneCertificateMappingsEnabled:"True" /commit:apphost
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /+"manyToOneMappings.[name='Contoso Employees',enabled='True',permissionMode='Allow',userName='Username',password='Password']" /commit:apphost
appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /+"manyToOneMappings.[name='Contoso Employees'].rules.[certificateField='Subject',certificateSubField='O',matchCriteria='Contoso',compareCaseSensitive='True']" /commit:apphost
appcmd.exe set config "Default Web Site" -section:system.webServer/security/access /sslFlags:"Ssl, SslNegotiateCert" /commit:apphost
Note
You must be sure to set the commit parameter to apphost
when you use AppCmd.exe to configure these settings. This commits the configuration settings to the appropriate location section in the ApplicationHost.config file.
C#
using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample
{
private static void Main()
{
using (ServerManager serverManager = new ServerManager())
{
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection iisClientCertificateMappingAuthenticationSection = config.GetSection("system.webServer/security/authentication/iisClientCertificateMappingAuthentication", "Default Web Site");
iisClientCertificateMappingAuthenticationSection["enabled"] = true;
iisClientCertificateMappingAuthenticationSection["manyToOneCertificateMappingsEnabled"] = true;
ConfigurationElementCollection manyToOneMappingsCollection = iisClientCertificateMappingAuthenticationSection.GetCollection("manyToOneMappings");
ConfigurationElement addElement = manyToOneMappingsCollection.CreateElement("add");
addElement["name"] = @"Contoso Employees";
addElement["enabled"] = true;
addElement["permissionMode"] = @"Allow";
addElement["userName"] = @"Username";
addElement["password"] = @"Password";
ConfigurationElementCollection rulesCollection = addElement.GetCollection("rules");
ConfigurationElement addElement1 = rulesCollection.CreateElement("add");
addElement1["certificateField"] = @"Subject";
addElement1["certificateSubField"] = @"O";
addElement1["matchCriteria"] = @"Contoso";
addElement1["compareCaseSensitive"] = true;
rulesCollection.Add(addElement1);
manyToOneMappingsCollection.Add(addElement);
ConfigurationSection accessSection = config.GetSection("system.webServer/security/access", "Default Web Site");
accessSection["sslFlags"] = @"Ssl, SslNegotiateCert";
serverManager.CommitChanges();
}
}
}
VB.NET
Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample
Sub Main()
Dim serverManager As ServerManager = New ServerManager
Dim config As Configuration = serverManager.GetApplicationHostConfiguration
Dim iisClientCertificateMappingAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/iisClientCertificateMappingAuthentication", "Default Web Site")
iisClientCertificateMappingAuthenticationSection("enabled") = True
iisClientCertificateMappingAuthenticationSection("manyToOneCertificateMappingsEnabled") = True
Dim manyToOneMappingsCollection As ConfigurationElementCollection = iisClientCertificateMappingAuthenticationSection.GetCollection("manyToOneMappings")
Dim addElement As ConfigurationElement = manyToOneMappingsCollection.CreateElement("add")
addElement("name") = "Contoso Employees"
addElement("enabled") = True
addElement("permissionMode") = "Allow"
addElement("userName") = "Username"
addElement("password") = "Password"
Dim rulesCollection As ConfigurationElementCollection = addElement.GetCollection("rules")
Dim addElement1 As ConfigurationElement = rulesCollection.CreateElement("add")
addElement1("certificateField") = "Subject"
addElement1("certificateSubField") = "O"
addElement1("matchCriteria") = "Contoso"
addElement1("compareCaseSensitive") = True
rulesCollection.Add(addElement1)
manyToOneMappingsCollection.Add(addElement)
Dim accessSection As ConfigurationSection = config.GetSection("system.webServer/security/access", "Default Web Site")
accessSection("sslFlags") = "Ssl, SslNegotiateCert"
serverManager.CommitChanges()
End Sub
End Module
JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var iisClientCertificateMappingAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/iisClientCertificateMappingAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site");
iisClientCertificateMappingAuthenticationSection.Properties.Item("enabled").Value = true;
iisClientCertificateMappingAuthenticationSection.Properties.Item("manyToOneCertificateMappingsEnabled").Value = true;
var manyToOneMappingsCollection = iisClientCertificateMappingAuthenticationSection.ChildElements.Item("manyToOneMappings").Collection;
var addElement = manyToOneMappingsCollection.CreateNewElement("add");
addElement.Properties.Item("name").Value = "Contoso Employees";
addElement.Properties.Item("enabled").Value = true;
addElement.Properties.Item("permissionMode").Value = "Allow";
addElement.Properties.Item("userName").Value = "Username";
addElement.Properties.Item("password").Value = "Password";
var rulesCollection = addElement.ChildElements.Item("rules").Collection;
var addElement1 = rulesCollection.CreateNewElement("add");
addElement1.Properties.Item("certificateField").Value = "Subject";
addElement1.Properties.Item("certificateSubField").Value = "O";
addElement1.Properties.Item("matchCriteria").Value = "Contoso";
addElement1.Properties.Item("compareCaseSensitive").Value = true;
rulesCollection.AddElement(addElement1);
manyToOneMappingsCollection.AddElement(addElement);
var accessSection = adminManager.GetAdminSection("system.webServer/security/access", "MACHINE/WEBROOT/APPHOST/Default Web Site");
accessSection.Properties.Item("sslFlags").Value = "Ssl, SslNegotiateCert";
adminManager.CommitChanges();
VBScript
Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set iisClientCertificateMappingAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/iisClientCertificateMappingAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site")
iisClientCertificateMappingAuthenticationSection.Properties.Item("enabled").Value = True
iisClientCertificateMappingAuthenticationSection.Properties.Item("manyToOneCertificateMappingsEnabled").Value = True
Set manyToOneMappingsCollection = iisClientCertificateMappingAuthenticationSection.ChildElements.Item("manyToOneMappings").Collection
Set addElement = manyToOneMappingsCollection.CreateNewElement("add")
addElement.Properties.Item("name").Value = "Contoso Employees"
addElement.Properties.Item("enabled").Value = True
addElement.Properties.Item("permissionMode").Value = "Allow"
addElement.Properties.Item("userName").Value = "Username"
addElement.Properties.Item("password").Value = "Password"
Set rulesCollection = addElement.ChildElements.Item("rules").Collection
Set addElement1 = rulesCollection.CreateNewElement("add")
addElement1.Properties.Item("certificateField").Value = "Subject"
addElement1.Properties.Item("certificateSubField").Value = "O"
addElement1.Properties.Item("matchCriteria").Value = "Contoso"
addElement1.Properties.Item("compareCaseSensitive").Value = True
rulesCollection.AddElement(addElement1)
manyToOneMappingsCollection.AddElement(addElement)
Set accessSection = adminManager.GetAdminSection("system.webServer/security/access", "MACHINE/WEBROOT/APPHOST/Default Web Site")
accessSection.Properties.Item("sslFlags").Value = "Ssl, SslNegotiateCert"
adminManager.CommitChanges()
The following code samples enable IIS Client Certificate Mapping authentication using one-to-one certificate mapping for the Default Web Site, create a single one-to-one certificate mapping for a user account, and configure the site to require SSL and to negotiate client certificates.
Note
To retrieve the Base-64 encoded certificate data for the code samples listed below, you can export a certificate using the steps listed in the Configuration Details section of this document.
AppCmd.exe
Note
Because of characters in certificate strings that cannot be parsed by AppCmd.exe, you should not use AppCmd.exe to configure IIS one-to-one certificate mappings.
C#
using System;
using System.Text;
using Microsoft.Web.Administration;
internal static class Sample
{
private static void Main()
{
using (ServerManager serverManager = new ServerManager())
{
Configuration config = serverManager.GetApplicationHostConfiguration();
ConfigurationSection iisClientCertificateMappingAuthenticationSection = config.GetSection("system.webServer/security/authentication/iisClientCertificateMappingAuthentication", "Default Web Site");
iisClientCertificateMappingAuthenticationSection["enabled"] = true;
iisClientCertificateMappingAuthenticationSection["oneToOneCertificateMappingsEnabled"] = true;
ConfigurationElementCollection oneToOneMappingsCollection = iisClientCertificateMappingAuthenticationSection.GetCollection("oneToOneMappings");
ConfigurationElement addElement = oneToOneMappingsCollection.CreateElement("add");
addElement["enabled"] = true;
addElement["userName"] = @"Username";
addElement["password"] = @"Password";
addElement["certificate"] = @"Base-64-Encoded-Certificate-Data";
oneToOneMappingsCollection.Add(addElement);
ConfigurationSection accessSection = config.GetSection("system.webServer/security/access", "Default Web Site");
accessSection["sslFlags"] = @"Ssl, SslNegotiateCert";
serverManager.CommitChanges();
}
}
}
VB.NET
Imports System
Imports System.Text
Imports Microsoft.Web.Administration
Module Sample
Sub Main()
Dim serverManager As ServerManager = New ServerManager
Dim config As Configuration = serverManager.GetApplicationHostConfiguration
Dim iisClientCertificateMappingAuthenticationSection As ConfigurationSection = config.GetSection("system.webServer/security/authentication/iisClientCertificateMappingAuthentication", "Default Web Site")
iisClientCertificateMappingAuthenticationSection("enabled") = True
iisClientCertificateMappingAuthenticationSection("oneToOneCertificateMappingsEnabled") = True
Dim oneToOneMappingsCollection As ConfigurationElementCollection = iisClientCertificateMappingAuthenticationSection.GetCollection("oneToOneMappings")
Dim addElement As ConfigurationElement = oneToOneMappingsCollection.CreateElement("add")
addElement("enabled") = True
addElement("userName") = "Username"
addElement("password") = "Password"
addElement("certificate") = "Base-64-Encoded-Certificate-Data"
oneToOneMappingsCollection.Add(addElement)
Dim accessSection As ConfigurationSection = config.GetSection("system.webServer/security/access", "Default Web Site")
accessSection("sslFlags") = "Ssl, SslNegotiateCert"
serverManager.CommitChanges()
End Sub
End Module
JavaScript
var adminManager = new ActiveXObject('Microsoft.ApplicationHost.WritableAdminManager');
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST";
var iisClientCertificateMappingAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/iisClientCertificateMappingAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site");
iisClientCertificateMappingAuthenticationSection.Properties.Item("enabled").Value = true;
iisClientCertificateMappingAuthenticationSection.Properties.Item("oneToOneCertificateMappingsEnabled").Value = true;
var oneToOneMappingsCollection = iisClientCertificateMappingAuthenticationSection.ChildElements.Item("oneToOneMappings").Collection;
var addElement = oneToOneMappingsCollection.CreateNewElement("add");
addElement.Properties.Item("enabled").Value = true;
addElement.Properties.Item("userName").Value = "Username";
addElement.Properties.Item("password").Value = "Password";
addElement.Properties.Item("certificate").Value = "Base-64-Encoded-Certificate-Data";
oneToOneMappingsCollection.AddElement(addElement);
var accessSection = adminManager.GetAdminSection("system.webServer/security/access", "MACHINE/WEBROOT/APPHOST/Default Web Site");
accessSection.Properties.Item("sslFlags").Value = "Ssl, SslNegotiateCert";
adminManager.CommitChanges();
VBScript
Set adminManager = WScript.CreateObject("Microsoft.ApplicationHost.WritableAdminManager")
adminManager.CommitPath = "MACHINE/WEBROOT/APPHOST"
Set iisClientCertificateMappingAuthenticationSection = adminManager.GetAdminSection("system.webServer/security/authentication/iisClientCertificateMappingAuthentication", "MACHINE/WEBROOT/APPHOST/Default Web Site")
iisClientCertificateMappingAuthenticationSection.Properties.Item("enabled").Value = True
iisClientCertificateMappingAuthenticationSection.Properties.Item("oneToOneCertificateMappingsEnabled").Value = True
Set oneToOneMappingsCollection = iisClientCertificateMappingAuthenticationSection.ChildElements.Item("oneToOneMappings").Collection
Set addElement = oneToOneMappingsCollection.CreateNewElement("add")
addElement.Properties.Item("enabled").Value = True
addElement.Properties.Item("userName").Value = "Username"
addElement.Properties.Item("password").Value = "Password"
addElement.Properties.Item("certificate").Value = "Base-64-Encoded-Certificate-Data"
oneToOneMappingsCollection.AddElement(addElement)
Set accessSection = adminManager.GetAdminSection("system.webServer/security/access", "MACHINE/WEBROOT/APPHOST/Default Web Site")
accessSection.Properties.Item("sslFlags").Value = "Ssl, SslNegotiateCert"
adminManager.CommitChanges()