Avoid this confusion around Client certificate mapping in IIS 6.0/7.0

I just wanted to add this quick post around Client certificate Mapping on IIS. This is focused on 1-to-1/Many-to-1 mapping in IIS 6.0/7.0.

If you are interested to know more about configuring Client certificate mapping in IIS 6.0 please check this post of mine and for IIS 7.0 this is an excellent article.

Recently a colleague of mine and I was working on this issue for one of our internal teams and after some real slogging we figured out that one *cannot* set this mapping at any Virtual directory/Application level in IIS.

One has to set the Client certificate mapping at the specific Web site level only!

image This is wrong!

image This is right!

I couldn’t find a documentation on this so thought of putting this as a short post for general audience in case someone is scratching their head over this.


Comments (3)

  1. Craig says:

    Thank you! I spent a week trying to figure this out. I can't understand why the option is even present at the virtual directory or application level.

  2. Michel says:

    That's Microsoft for ya.  You would think they could do a much better job with client certificate mapping.  Why do I even have to associate an account with a mapping?  All I want is for iis to verify that the client cert is in the list!

  3. Rob says:

    This has been driving me crazy. Your explanation here got my IIS certificate authentication working.  Thanks!