Enabling Client Certificates in IIS 6.0
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
You can require users attempting to access your Web site to log on with a client certificate. Requiring a client certificate is just one aspect of protecting your server against unauthorized access. Any user with a valid and trusted client certificate can establish a secure connection and access your resource. To protect your Web content from unauthorized access you must do one of the following:
Use Basic, Digest, or Integrated Windows authentication, in addition to requiring a client certificate.
Create a Windows account mapping for client certificates. For more information, see Mapping Client Certificates to User Accounts in IIS 6.0.
Important
You must be a member of the Administrators group on the local computer to perform the following procedure or procedures, or you must have been delegated the appropriate authority. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run IIS Manager as an administrator. At a command prompt, type runas /User:Administrative_AccountName "mmc systemroot\system32\inetsrv\iis.msc". For information about delegating administrative authority, see "Delegating administration" in Help and Support Center for Windows Server 2003.
Procedures
To enable client certificates
In IIS Manager, double-click the local computer, and then right-click the Web site, directory, or file that you want and click Properties.
If you have not previously obtained a server certificate, click the Directory Security tab, and then under Secure Communications, click Server Certificate. For more information, see Obtaining Server Certificates.
If you have previously obtained a server certificate, click the Directory Security or File Security tab, and then under Secure Communications, click Edit.
In the Secure Communications box, select the Require secure channel (SSL) check box. Requiring a secure channel means that users cannot connect to this site without using a secure link (that is, the link's URL must begin with https://).
Under Client certificates select one of the following to enable client Certificate authentication:
Accept client certificates Users can access the resource with a client certificate, but the certificate is not required.
Require client certificates The server will request a client certificate before connecting the user to the resource. Users without a valid client certificate will be denied access.
Ignore client certificates Users with or without a client certificate will be granted access.
Related Information
For information about obtaining client certificates, see Obtaining Client Certificates in IIS 6.0.
For information about backing up client certificates, see Backing Up Client Certificates in IIS 6.0.