Client Certificate Authentication in IIS 6

Client certificates are a cool technology that, once setup, eliminate the need to use your password on your own website from your own devices.

This article wont run through the entire procedure for setting up a web server, Windows domain, file permissions, server certificates, or a certificate authority.  I just want to convey some of the configuration pitfalls that exist in IIS 6.

Step 1: Enable Client Certificate Mapping

The IIS Secure Communciations dialog box
Start with these settings.

  1. In the IIS Manager, go to the properties of the Default Web Site (or other name).
  2. Click on the Directory Security tab.
  3. In the “Secure communications” section all the way at the bottom, click the Edit button.  If the Edit button isn’t enabled, you need to install a server certificate first.
  4. In the Secure Communications dialog box, select either “Accept client certificates” or “Require client certificates”.
  5. Select “Enable client certificate mapping.”
  6. If you want to use “1-to-1” static mapping then click the Edit button to complete your configuration.  Otherwise…
  7. Click OK and proceed to Step 2.

Step 2: Really Enable Client Certificate Mapping

IIS Manager showing how to open master properties for Web.
Important: Go here next.
  1. In the IIS Manager, go to the properties of the Web Sites folder.  Important: This is not the same as site properties.
  2. Click on the Directory Security tab.
  3. In the “Secure communications” section all the way at the bottom, there is now one magical option available to you called “Enable the Windows directory service mapper.”  Turn that on to enable the DS client mapping mode.
  4. Click OK.
Web Sites Properties dialog box.
Notice the difference here.

Step 3: Generate Certificates

As mentioned earlier, you need to have the Certification Authority (CA) fully up and running in your server.

Microsoft Certificate Services home page
This only works in Windows XP Internet Explorer
  1. Log in to your user account on Windows XP and open Internet Explorer.  This will not work in Chrome.
  2. Navigate to the web enrollment address http://server/CertSrv/
  3. Important: the Windows 2003 web enrollment software is not compatible with Windows 7 or Windows 8.  You must use a Windows XP computer for this step.
  4. Click the “Request a certificate” link.
  5. Click the “User Certificate” link.
  6. Click the “Submit >” button.
  7. You should be prompted at least twice: First to confirm that you want to generate a certificate request, and then to confirm installing the new certificate.
  8. You should now be able to log in to your encrypted website using Internet Explorer or Chrome without a password.

Step 4: Install Certificates on Other Devices

Export Private Key page in the Certificate Export Wizard
How to copy your certificate.
  1. Click Tools > Internet Options, or find the Internet Options control panel.
  2. Click the Content tab.
  3. Click the Certificates button.
  4. Highlight the certificate that was issued by your CA to your user.
  5. Click the Export button.
  6. Click Next.
  7. Select “Yes, export the private key”.  Note: The private key is the part of this whole system that does not leave your possession.  Never copy or import your private key file to a public computer.
  8. Complete the Certificate Export Wizard to create a PFX file.
  9. This PFX file can be imported into Firefox, iOS, etc.
  10. When importing the PFX into other Windows computers, be sure to mark the private key as exportable so that you can transfer the certificate to devices (e.g. BlackBerry) that require retrieval from the certificate store on that computer.
  11. You should now be able to log in to your HTTPS website using Firefox, Safari, BlackBerry, etc. without a Windows username and password.

Leave a Reply

Your email address will not be published. Required fields are marked *