Avoid this confusion around Client certificate mapping in IIS 6.0/7.0

I just wanted to add this quick post around Client certificate Mapping on IIS. This is focused on 1-to-1/Many-to-1 mapping in IIS 6.0/7.0.

If you are interested to know more about configuring Client certificate mapping in IIS 6.0 please check this post of mine and for IIS 7.0 this is an excellent article.

Recently a colleague of mine and I was working on this issue for one of our internal teams and after some real slogging we figured out that one *cannot* set this mapping at any Virtual directory/Application level in IIS.

One has to set the Client certificate mapping at the specific Web site level only!

image This is wrong!

image This is right!

I couldn't find a documentation on this so thought of putting this as a short post for general audience in case someone is scratching their head over this.


Comments (4)
  1. Craig says:

    Thank you! I spent a week trying to figure this out. I can't understand why the option is even present at the virtual directory or application level.

  2. Michel says:

    That's Microsoft for ya.  You would think they could do a much better job with client certificate mapping.  Why do I even have to associate an account with a mapping?  All I want is for iis to verify that the client cert is in the list!

  3. Rob says:

    This has been driving me crazy. Your explanation here got my IIS certificate authentication working.  Thanks!

  4. Olivier says:

    THanks a lot, this really helped me. However, so far, I have to configure this mapping at both web site AND application to make it work (but my application is already a “sub application” of an application of this web site).

Comments are closed.

Skip to main content