• IIS Admin Blog

  • How to Secure a Web Site Using Client Certificate Authentication

8th October 2007

How to Secure a Web Site Using Client Certificate Authentication

posted in IIS 6.0 |

In this tutorial I am going to demonstrate how to secure a web site using a client certificate. I don’t intend to explain in detail what a client certificate is or how it works. If you don’t know then I suggest you read this Microsoft KB article before we get started :

IIS and client certificates


In a nutshell a client certificate provides an extra layer of security for a web site – you can configure a web site so that any user wishing to connect is required to provide both a valid client certificate and a valid password. This is commonly known as ‘two factor authentication’ – the two factors are ‘something that you know’ and ‘something that you have’. In this scenario the ‘something that you know’ is your password and the ‘something that you have’ is your client certificate.

I am also going to expand on the final comments in the above KB article and demonstrate how to perform User mapping with a client certificate.

System Requirements

To follow the steps in this tutorial you will need the following:

Windows Server 2003 running IIS 6.0

A Client Certificate (with private key)

A Web Server Certificate

Create a Client Certificate User Account

As I am going to be demonstrating how to use client certificate mapping as well as providing non-anonymous access to a secure web site, I need to create a specific user account which I will use for this purpose. So we start by creating a new user account on the web server which will be used to provide access to the web site we are going to secure. Create a new user account called ‘certuser’

Fig. 1

Next remove the ‘certuser’ user account from the Users group as shown here

Fig. 2

#Top Tip – The Log on Locally user right is no longer required for Basic Authentication clients in IIS 6.0 so you can secure your web server even further by denying this right to any clients requiring Basic Authentication. Click Start, Administrative Tools, Local Security Policy. Expand Local Policies and click User Rights Assignment. Double-click Deny log on locally and then add the ‘certuser’ account we created earlier.

Fig. 3

So we have now created a specific user account for use with our client certificate which has no effective group memberships and which has also been denied the right to log on locally to the server.

Create the Web Site Root Directory

The next step is to create a directory for the secure web site and then apply the relevant NTFS permissions. We will be locking out the anonymous user account and requiring both basic authentication and a client certificate for this site. In Windows Explorer I have created a folder named ‘Client Certificate Web Site’ and I am going to modify the NTFS permissions on that folder so that it is securely locked down. Right-click the folder and click Properties and then click the Security tab. Then click Advanced to see the Advanced Security Settings dialog box.

Fig. 4

Next untick the ‘Allow inheritable permissions…’ tick-box and then click Copy when you see this warning dialog box

Fig. 5

Pages: 1 2 3 4 5 6

This entry was posted on Monday, October 8th, 2007 at 2:24 pm and is filed under IIS 6.0. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

There are currently 6 responses to “How to Secure a Web Site Using Client Certificate Authentication”

Why not let us know what you think by adding your own comment! Your opinion is as valid as anyone elses, so come on... let us know what you think.

  1. 1 On January 21st, 2009, Rick said:

    Thank you for the quality hard work that you’ve completed on this website. Many of your articles have been very beneficial.

    I am currently working on a project that combines two of your articles.

    1) Use Isapi Redirect to run tomcat through IIS
    2) Use Client Certificates for security in IIS (this one)

    I have been able to successfully complete both of these tasks separately, but have been unable to complete them together. Would there be additional steps needed to complete this task?

    Thank you for any light you can shed.


  2. 2 On May 29th, 2009, Patrick said:

    Thank you, this is great information. It allowed me to get most of the configuration. However, I can not get either to work. I get a Bad Gateway. error 502.


  3. 3 On May 11th, 2010, Marc said:


    Thanks for a great blog. Have you ever configured both client certificate authentication as well as having the certificate passed to a Tomcat app server? What is required to get IIS to send the cert to Tomcat so it can be read from the request?


  4. 4 On December 5th, 2011, Lydon said:

    Very glad I found your guide! But having some issues. Would you consider doing an updated version of this guide for the newer versions of Sever and IIS?

  5. 5 On December 14th, 2011, Eric Belair said:

    I setup client certificate authentication using these instructions, only I did it on one directory, instead of an entire website. However, I am getting a HTTP 403.7 error when I try to request a page in the directory. I have the client cert in my PC store. I noticed that it doesn’t have a private key – is this absolutely essential?

  6. 6 On December 14th, 2011, Eric Belair said:

    Nevermind, I just realized that the cert they gave us is only the public one – they can’t share the private one. So, I have no way to properly test this for now.

Leave a Reply

You must be logged in to post a comment.

  • Calendar

  • March 2018
    M T W T F S S
    « Sep