• IIS Admin Blog

  • How to Secure a Web Site Using Client Certificate Authentication

8th October 2007

How to Secure a Web Site Using Client Certificate Authentication

posted in IIS 6.0 |

Then click OK. Keep the basic security tab open as we will need it for the next few steps. Now we are going to lock down the NTFS permissions. Start by clicking the Users group and click Remove. Then click Add and click and click Advanced to bring up the Select Users or Groups dialog box. Click Find Now to list all Users and Groups. Click the ‘certuser’ account and then hold down the Ctrl Key and click the IUSR_MACHINENAME account and then click OK and then click OK again.

Fig. 6

Next highlight the IUSR_MACHINENAME account and click the Deny Read & Execute permission tick box as shown here

Fig. 7

Click Yes when you see this Security warning dialog box

Fig. 8

Ensure that the ‘certuser’ account has Read & Execute permission and then click OK to exit the Properties dialog box. We have now created the locked down root directory for our client certificate web site.

Create the Client Certificate Web Site

In IIS Manager create a new web site called ‘Client Certificate Web Site’ which points at the folder we just created. Accept all the defaults during the web site creation process. Once the site is created right-click on the site and click Properties. Click the Directory Security tab and then click Edit next to Authentication and access control. Uncheck Integrated Windows authentication and check Basic authentication – click Yes when you see the warning dialog box concerning passwords being transmitted over the network

Fig. 9

You can leave Enable anonymous access checked if you like – it makes no difference because anonymous access will fail as we have already explicitly denied the IUSR_MACHINENAME account access to the web site’s root directory. At this point we now have a web site which requires Basic Authentication and explicitly denies anonymous access at the file system level. We can go ahead and test the site at this time. Paste the following text into notepad on the server and save the file as Default.asp in the root of the ‘Client Certificate Web Site’ folder :

<% Response.Write “This is the Client Certificate Web Site.” %><br>

AUTH_USER=<%=Request.ServerVariables(“AUTH_USER”) %><br>

Now browse to http://localhost on the server and you should be prompted to enter a username and password. Enter the ‘certuser’ account name and password and then you should see the following in your browser

Fig. 10

Now that we have the basic web site configured we need to configure the certificates we are going to use in order to enable SSL and client certificate authentication.

Pages: 1 2 3 4 5 6

This entry was posted on Monday, October 8th, 2007 at 2:24 pm and is filed under IIS 6.0. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

There are currently 6 responses to “How to Secure a Web Site Using Client Certificate Authentication”

Why not let us know what you think by adding your own comment! Your opinion is as valid as anyone elses, so come on... let us know what you think.

  1. 1 On January 21st, 2009, Rick said:

    Thank you for the quality hard work that you’ve completed on this website. Many of your articles have been very beneficial.

    I am currently working on a project that combines two of your articles.

    1) Use Isapi Redirect to run tomcat through IIS
    2) Use Client Certificates for security in IIS (this one)

    I have been able to successfully complete both of these tasks separately, but have been unable to complete them together. Would there be additional steps needed to complete this task?

    Thank you for any light you can shed.


  2. 2 On May 29th, 2009, Patrick said:

    Thank you, this is great information. It allowed me to get most of the configuration. However, I can not get either to work. I get a Bad Gateway. error 502.


  3. 3 On May 11th, 2010, Marc said:


    Thanks for a great blog. Have you ever configured both client certificate authentication as well as having the certificate passed to a Tomcat app server? What is required to get IIS to send the cert to Tomcat so it can be read from the request?


  4. 4 On December 5th, 2011, Lydon said:

    Very glad I found your guide! But having some issues. Would you consider doing an updated version of this guide for the newer versions of Sever and IIS?

  5. 5 On December 14th, 2011, Eric Belair said:

    I setup client certificate authentication using these instructions, only I did it on one directory, instead of an entire website. However, I am getting a HTTP 403.7 error when I try to request a page in the directory. I have the client cert in my PC store. I noticed that it doesn’t have a private key – is this absolutely essential?

  6. 6 On December 14th, 2011, Eric Belair said:

    Nevermind, I just realized that the cert they gave us is only the public one – they can’t share the private one. So, I have no way to properly test this for now.

Leave a Reply

You must be logged in to post a comment.

  • Calendar

  • March 2018
    M T W T F S S
    « Sep