Enable Client Certificates

Applies To: Windows Server 2008

You can use this procedure to enable client certificates for Message Queuing HTTPS messaging. Client certificates are used by Message Queuing for message authentication and message encryption.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To enable client certificates for Message Queuing

  1. On the receiving computer, open the Internet Information Services snap-in as follows: click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

  2. Under Connections, click the MSMQ virtual directory.

    Where?

    • *YourInternet Information ServicesComputer/*Web Sites/Default Web Site/MSMQ
  3. Double-click the SSL Settings feature available in the IIS section of the workspace for the MSMQ virtual directory to display the SSL Settings for the MSMQ virtual directory.

  4. To require that a secure link be used for a site resource, click Require SSL.

  5. Under Client certificates, select one of the following to enable client certificate authentication:

    • To grant access to users with or without a client certificate, click Ignore.

    • To enable clients to access a resource with a client certificate, click Accept. Note that a client certificate is not required.

    • To ensure that users without a valid client certificate will be denied access to the site resource, click Require.

  6. For information about enabling client certificate mapping, refer to the IIS documentation.

Additional considerations

  • By default, anonymous access is enabled for the MSMQ virtual directory using the account IUSR_computername. To prevent both authenticated and unauthenticated HTTP messages from being sent, disable anonymous access. For instructions, see Change the Security Settings for Internet Information Services.

  • By default, IUSR_computername user has write permission for the physical MSMQ directory (default is %SystemDrive%\Inetpub\wwwroot\msmq), and Ignore client certificates is selected, thus allowing everyone to send HTTPS messages. You can control access to MSMQ virtual directory by configuring security settings for the physical Message Queuing directory.

  • Requiring a secure channel means that a user cannot connect to a site resource without using a secure link (that is, the link's URL must begin with https://).

Additional references