IIS7 – Configuring iisClientCertificateMappingAuthentication using appcmd

As you know, there is no UI for configuring iisClientCertificateMappingAuthentication in IIS7, so setting up a site for it takes a little more effort. Here is an article on the iis.net site that explains the steps one by one.

Configuring One-to-One Client Certificate Mappings
https://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings/

You can also use Ulad’s VBScript to configure the mapping between the certificate and the user credentials. I was working with one of my colleagues who was trying to automate this configuration. One interesting thing to note is that these one-to-one certificate mappings MUST be present at the website level. So, if you want only your virtual directory to use iisClientCertificateMappingAuthentication, you need to specify the certificate-to-user-account mappings at the website level while leaving iisClientCertificateMappingAuthentication disabled there, and then enable iisClientCertificateMappingAuthentication only at the virtual directory (or application) level.

Below are the appcmd commands needed for this (after the one-to-one mappings have been configured using Ulad’s VBScript):

In this example, we will configure IIS client certificate authentication only at the virtual directory level:

// disable IIS client certificate authentication at the website level (our website is "Default Web Site", and the vdir is "Myapplication")

appcmd.exe set config "Default Web Site" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:false /commit:appHost

// disable anonymous authentication on the virtual directory

appcmd.exe set config "Default Web Site/Myapplication" -section:system.webServer/security/authentication/anonymousAuthentication /enabled:false /commit:appHost

// disable windows authentication on the virtual directory

appcmd.exe set config "Default Web Site/Myapplication" -section:system.webServer/security/authentication/windowsAuthentication /enabled:false /commit:appHost

// enable iisClientCertificateMappingAuthentication, and oneToOneCertificateMappingsEnabled for the virtual directory

appcmd.exe set config "Default Web Site/Myapplication" -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication /enabled:true /oneToOneCertificateMappingsEnabled:true /commit:appHost

// set the SSL flags to require Client Certificates from the client connections

appcmd.exe set config "Default Web Site/Myapplication" -section:system.webServer/security/access /sslFlags:"Ssl, SslNegotiateCert, SslRequireCert" /commit:apphost
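As an added example (not part of the original post), the PowerShell script below runs the five appcmd steps above for a site/application pair and then reads the effective configuration back with appcmd list config, so you can confirm the split described earlier: mappings present at the website level, authentication enabled only on the application, and the SSL flags requiring a client certificate. The site and application names are the post's; the .cer path and the parsing of appcmd's XML output are assumptions of the example.

```powershell
# Added example, not from the original post: apply the post's appcmd steps for one
# site/application pair, then read the effective configuration back and check it.
# $Site and $App are the post's names; $CerFile is an assumed path to the mapped client cert.
param(
    [string]$Site    = 'Default Web Site',
    [string]$App     = 'Myapplication',
    [string]$CerFile = 'C:\certs\client.cer'
)
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$auth   = 'system.webServer/security/authentication'
$ccma   = "$auth/iisClientCertificateMappingAuthentication"

# The five steps from the post, in order: disable at site level, turn off the other
# authentication schemes on the application, enable mapping auth there, require a client cert.
& $appcmd set config "$Site"      "-section:$ccma" /enabled:false /commit:apphost
& $appcmd set config "$Site/$App" "-section:$auth/anonymousAuthentication" /enabled:false /commit:apphost
& $appcmd set config "$Site/$App" "-section:$auth/windowsAuthentication"   /enabled:false /commit:apphost
& $appcmd set config "$Site/$App" "-section:$ccma" /enabled:true /oneToOneCertificateMappingsEnabled:true /commit:apphost
& $appcmd set config "$Site/$App" '-section:system.webServer/security/access' "/sslFlags:Ssl, SslNegotiateCert, SslRequireCert" /commit:apphost

# "appcmd list config" prints the effective section as XML; parse it so the
# attributes can be compared instead of eyeballed.
function Get-Section([string]$Path, [string]$Section) {
    [xml]((& $appcmd list config "$Path" "-section:$Section") -join "`n")
}
$siteAuth  = (Get-Section $Site        $ccma).SelectSingleNode('//iisClientCertificateMappingAuthentication')
$appAuth   = (Get-Section "$Site/$App" $ccma).SelectSingleNode('//iisClientCertificateMappingAuthentication')
$appAnon   = (Get-Section "$Site/$App" "$auth/anonymousAuthentication").SelectSingleNode('//anonymousAuthentication')
$appAccess = (Get-Section "$Site/$App" 'system.webServer/security/access').SelectSingleNode('//access')

# A one-to-one mapping stores the client cert as Base64 DER with the PEM header,
# footer and line breaks removed, so it can be compared with the cert's RawData.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerFile
$blob = [Convert]::ToBase64String($cert.RawData)
$mapping = @($siteAuth.SelectNodes('oneToOneMappings/add') |
    Where-Object { ($_.certificate -replace '\s', '') -eq $blob })
$mappedUser = $null
if ($mapping.Count -eq 1) { $mappedUser = $mapping[0].userName }

# One row of booleans: every value should be True for the setup the post describes.
New-Object PSObject -Property @{
    SiteLevelAuthDisabled   = $siteAuth.enabled -eq 'false'
    SiteLevelMappingForCert = $mapping.Count -eq 1
    MappedUser              = $mappedUser
    AppAuthEnabled          = ($appAuth.enabled -eq 'true') -and ($appAuth.oneToOneCertificateMappingsEnabled -eq 'true')
    AppAnonymousDisabled    = $appAnon.enabled -eq 'false'
    AppRequiresClientCert   = $appAccess.sslFlags -match 'SslRequireCert'
}
```

Run it from an elevated PowerShell prompt on the IIS server after the mappings have been created with Ulad's VBScript; a False in SiteLevelMappingForCert means the certificate blob in the mapping does not match the .cer file you expect clients to present.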

Hope this helps!