How to configure client certificate for SharePoint authentication

SharePoint supports client certificate authentication. However, before you enable SharePoint and IIS for client certificate authentication, make sure that an X.509 PKI is in place within your IT infrastructure.

It is not recommended to apply client certificate authentication to public facing Internet sites.

Your domain must be running in native Windows 2003 domain mode. Please refer to: https://support.microsoft.com/kb/322692.

You must configure Secure Sockets Layer (SSL) on the IIS virtual server on which you plan to enable client certificate authentication. This section assumes that you already have SSL properly configured. For more information, please refer to: https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/9b619620-4f88-488b-8243-e6bc7caf61ad.mspx.

Follow these steps to configure SharePoint for client certificate authentication:

1) Open SharePoint 3.0 Central Administration

2) Navigate to Application Management -> Authentication Providers

3) Click Web Application and select Change Web Application. In the Select Web Application window, click the name of the web application you want to configure

4) Click on the zone you want to configure

5) Select Windows for Authentication type and uncheck all items from Anonymous Access and IIS Authentication Settings.

6) Click Save to save the change.

You may consider creating a new authentication provider zone for client certificate authentication.

Follow these steps to configure IIS for client certificate authentication:

1) Open Internet Information Services (IIS) Manager on the IIS server

2) Navigate to the virtual web server you want to configure, right-click it and open its Properties dialog

3) Click the Directory Security tab

4) In the Secure Communications section, click the Edit button

5) The “Require secure channel (SSL)” option should already be checked. If not, you need to set up SSL before proceeding.

6) Select the “Require client certificates” option under Client Certificates and check the “Enable client certificate mapping” option

7) Click OK to close the window, and click OK again in the Properties dialog to close it.

8) Navigate to the Web Sites folder under the server in the IIS Manager window, right-click the folder and open its Properties dialog

9) Click the Directory Security tab

10) In the Secure Communications section, check the “Enable the Windows directory service mapper” option

11) Click OK to close the dialog
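As an added check that is not part of the original article, the following PowerShell script reads the IIS 6 metabase through ADSI and reports whether the options set in steps 5, 6 and 10 are actually in effect for a site. It assumes it runs on the IIS server as an administrator and that the site identifier is 1 unless another is passed in.

```powershell
# Added verification script (not from the original article). It reads the IIS 6
# metabase through ADSI and reports whether the SSL settings chosen in the steps
# above are in effect. Assumed to run on the IIS server as an administrator.
# $SiteId is the numeric site identifier shown in IIS Manager (assumed 1).
param([int]$SiteId = 1)

# Bit values of the IIS 6 AccessSSLFlags metabase property.
$AccessSSL            = 8    # "Require secure channel (SSL)"
$AccessSSLRequireCert = 64   # "Require client certificates"
$AccessSSLMapCert     = 128  # "Enable client certificate mapping"

function Get-MetabaseValue([string]$Path, [string]$Property) {
    # ADSI returns the effective value, including anything inherited from a parent node.
    $node = [ADSI]$Path
    return $node.Properties[$Property].Value
}

function Test-Flag([int]$Flags, [int]$Bit) {
    return (($Flags -band $Bit) -eq $Bit)
}

# The Directory Security tab of a web site stores its SSL settings on the site's root node.
$flags = [int](Get-MetabaseValue "IIS://localhost/W3SVC/$SiteId/ROOT" "AccessSSLFlags")
# "Enable the Windows directory service mapper" is stored on the Web Sites (W3SVC) node.
$dsMapper = [bool](Get-MetabaseValue "IIS://localhost/W3SVC" "SSLUseDSMapper")

$checks = @(
    @{ Name = "Require secure channel (SSL)";                Ok = Test-Flag $flags $AccessSSL },
    @{ Name = "Require client certificates";                 Ok = Test-Flag $flags $AccessSSLRequireCert },
    @{ Name = "Enable client certificate mapping";           Ok = Test-Flag $flags $AccessSSLMapCert },
    @{ Name = "Enable the Windows directory service mapper"; Ok = $dsMapper }
)

$allOk = $true
foreach ($check in $checks) {
    $state = if ($check.Ok) { "OK" } else { "MISSING" }
    if (-not $check.Ok) { $allOk = $false }
    "{0,-45} {1}" -f $check.Name, $state
}

if ($allOk) {
    "Site $SiteId requires and maps client certificates as described above."
} else {
    "Site $SiteId is not fully configured; revisit the steps marked MISSING."
    exit 1
}
```

Run it once before testing with a browser, so that a failed logon can be attributed to the certificate or to SharePoint rather than to an incomplete IIS setup.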

Test your configuration as follows:

Open a web browser on a workstation with client certificates installed, and navigate to the SharePoint site you configured for client certificate authentication.

If you have exactly one valid client certificate installed, the browser automatically uses it to authenticate to the site, and you should be able to access the site with the correct user identity.

If you have multiple client certificates installed, a pop-up window lets you pick the client certificate to use for authentication.

If IIS rejects your client certificate, you see a plain HTML error message.

If IIS accepts your client certificate but SharePoint authentication fails, you see a SharePoint “Access Denied” page.

Zewei Song, Ph.D.

MCPD, MCTS: .NET 3.5, MOSS AppDev, Configuration

Enterprise Services, Microsoft Corporation