Your network contains a Web server that runs Windows Server 2008 R2.
The Web server has the Client Certificate Mapping Authentication role service installed.
You create a Web site that requires client certificates for authentication.
You need to enable client certificate mapping for the Web site.
Which tool should you use?
A.
Appcmd
B.
Certutil
C.
the Authorization Manager snap-in
D.
the Certificates snap-in
Explanation:
Client Certificate Mapping Authentication
Client Certificate Mapping Authentication enables clients to authenticate with the Web server by presenting client certificates over Secure Sockets Layer (SSL) connections.
Note: Certificate-based authentication enables clients to use client certificates to authenticate with the Web server. A client certificate is not required to establish secure (SSL) communication between the client and the server; that needs only the server certificate.
Client Certificate Mapping Authentication uses the Directory Services Mapper (DS Mapper) service in Active Directory to map client certificates provided by the user to domain accounts. IIS also provides a custom certificate mapping feature, IIS Client Certificate Mapping Authentication, which allows for more flexible mapping of client certificates to Windows accounts. See the section titled "IIS Client Certificate Mapping Authentication" later in this chapter for more information.
Note Client Certificate Mapping Authentication is not part of the default IIS install and is not enabled by default. You can manually install it from the Security feature category through Turn Windows Features On And Off on Windows Vista. You can also install it via the Security role service category of the Web Server (IIS) role in Server Manager on Windows Server 2008. See Chapter 12 for more information about installing and enabling modules. After the module is installed, you have to explicitly enable Client Certificate Mapping Authentication for it to be available.
To use Client Certificate Mapping Authentication, you need to meet the following requirements:
* The Web server must be a member of a Windows domain.
* You must issue client certificates to your users by using a Certificate Authority (CA) trusted by the Web server.
* You must map each client certificate to a valid domain account in Active Directory.
Note: You do not need to use Client Certificate Mapping Authentication to require clients to present client certificates. You can configure the server to always require client certificates to access the server, but use another authentication scheme to authenticate the client. To do this, see the section titled "Client Certificates" later in this chapter.
To enable Client Certificate Mapping Authentication on the Web server, you need to perform the following steps (after installing the Certificate Mapping Authentication module).
1. Enable Client Certificate Mapping Authentication. You can do this in IIS Manager by clicking the server node, double-clicking Authentication, selecting Active Directory Client Certificate Authentication, and clicking Enable in the Actions pane. Note that this can only be done at the server level when using IIS Manager, although you can enable Client Certificate Mapping Authentication for a specific URL through configuration.
2. Configure SSL on each Web site using this authentication method. Certificate authentication is possible only if the Web site is being accessed over an SSL connection and therefore requires an SSL binding to be configured for the Web site. See the section titled “Configuring SSL” later in this chapter for more details.
3. Enable DS Mapper for each Web site SSL binding. IIS Manager does this automatically for each Web site when Client Certificate Mapping Authentication is enabled and you add an SSL binding for the Web site. To do this manually, use the Netsh.exe command with the following syntax: netsh http add sslcert ipport=IPAddress:Port dsmapperusage=enable, where IPAddress and Port are the IP address and port of the corresponding binding. The complete command also takes the thumbprint of the server certificate (certhash=) and the application ID of the binding (appid=); a binding that already exists in HTTP.sys must be deleted with netsh http delete sslcert and re-added with the new setting. Use netsh http show sslcert to confirm that DS Mapper Usage is reported as Enabled for the binding.
4. Configure each Web site using this authentication method to accept client certificates (and possibly require them). This ensures that the server accepts client certificates when provided by the client, and it can also configure the server to require the client to present a certificate to proceed with the request. See the section titled "Client Certificates" later in this chapter for more details.
You can also enable Client Certificate Mapping Authentication by editing the system.webServer/security/authentication/clientCertificateMappingAuthentication configuration section directly, or by using Appcmd or other configuration APIs. You can enable this authentication method by using the following Appcmd syntax:
%systemroot%\system32\inetsrv\Appcmd set config /section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:true
The enabled attribute specifies whether Client Certificate Mapping Authentication is enabled. You can enable this method for a specific URL by passing the URL (for example, the site name) to Appcmd set config; because the authentication sections are locked at the server level by default, the site-level setting must be committed to applicationHost.config with /commit:apphost. Note, however, that whether the Directory Services Mapper is actually used to map certificates to Windows domain accounts depends on each Web site binding having been configured with the HTTP.sys DS Mapper setting.
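The following script is an added example, not part of the original page or the TechNet text it quotes. It carries steps 1 through 4 above through with Appcmd and Netsh from an elevated PowerShell prompt on the Web server. It assumes a site named "Default Web Site" that will listen on all addresses on port 443, that the Client Certificate Mapping Authentication role service is already installed, that the server is domain-joined, and that you replace the placeholder thumbprint with that of the server certificate in the computer's Personal store; the appid GUID is the one IIS uses for its own SSL bindings.

```powershell
# Added example: enable Client Certificate Mapping Authentication end to end
# on Windows Server 2008 R2 using Appcmd and Netsh.
# Assumptions (not from the original page): site "Default Web Site", binding *:443,
# role service already installed, elevated prompt on a domain-joined Web server.

$appcmd   = "$env:SystemRoot\System32\inetsrv\appcmd.exe"
$site     = "Default Web Site"
$authSec  = "system.webServer/security/authentication/clientCertificateMappingAuthentication"
$certHash = "REPLACE_WITH_SERVER_CERT_THUMBPRINT"            # placeholder, Local Machine\Personal store
$iisAppId = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"          # appid IIS uses for its SSL bindings

# Step 1: enable the module at the server level (applicationHost.config).
& $appcmd set config "/section:$authSec" /enabled:true

# Optional: scope it to this site only. The authentication sections are locked by
# default, so the site-level value must go into applicationHost.config (/commit:apphost).
& $appcmd set config $site "/section:$authSec" /enabled:true /commit:apphost

# Step 2: give the site an HTTPS binding. Appcmd only writes the IIS configuration;
# it does not bind the certificate in HTTP.sys, which step 3 does.
& $appcmd set site $site "/+bindings.[protocol='https',bindingInformation='*:443:']"

# Step 3: bind the server certificate to the endpoint with the DS Mapper enabled.
# An existing HTTP.sys binding cannot be modified in place by 'add', so remove it first
# (the delete prints an error if nothing is bound yet, which is harmless here).
netsh http delete sslcert ipport=0.0.0.0:443 | Out-Null
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certHash appid=$iisAppId dsmapperusage=enable

# Step 4: require SSL, negotiate a client certificate, and refuse requests without one.
# Use "Ssl,SslNegotiateCert" instead if client certificates should be accepted but not required.
& $appcmd set config $site /section:system.webServer/security/access "/sslFlags:Ssl,SslNegotiateCert,SslRequireCert" /commit:apphost

# Verify: the site shows enabled="true", and HTTP.sys reports "DS Mapper Usage : Enabled".
& $appcmd list config $site "/section:$authSec"
netsh http show sslcert ipport=0.0.0.0:443
```

The verification at the end is the check worth keeping: enabled="true" in the site's configuration alone does not mean certificates are being mapped to domain accounts; if netsh http show sslcert reports DS Mapper Usage as Disabled for the binding, clients presenting valid certificates will still not be mapped.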
Source: http://technet.microsoft.com/en-us/library/dd163543.aspx