Your network contains a Web server that runs Windows Server 2008 R2. The Web server has the
Client Certificate Mapping Authentication role service installed. You create a Web site that requires
client certificates for authentication. You need to enable client certificate mapping for the Web site.
Which tool should you use?
A. Appcmd
B. Certutil
C. the Authorization Manager snap-in
D. the Certificates snap-in
Answer: A
Explanation:
Client Certificate Mapping Authentication
Client Certificate Mapping Authentication enables clients to authenticate with the Web server by
presenting client certificates over Secure Sockets Layer (SSL) connections. Note: Certificate-based
authentication lets clients prove their identity to the Web server with client certificates. It is not
required in order to secure the connection between client and server; SSL does that on its own.
Client Certificate Mapping Authentication uses the Directory Services Mapper (DS Mapper) service
to map the client certificate presented by the user to a domain account in Active Directory. IIS
also provides a custom certificate mapping feature, IIS Client Certificate Mapping Authentication,
which allows for more flexible mapping of client certificates to Windows accounts. See the section
titled "IIS Client Certificate Mapping Authentication" later in this chapter for more information.
Note Client Certificate Mapping Authentication is not part of the default IIS install and is not enabled
by default.
You can manually install it from the Security feature category through Turn Windows Features On
And Off on Windows Vista. You can also install it via the Security role service category of the Web
Server (IIS) role in Server Manager on Windows Server 2008. See Chapter 12 for more information
about installing and enabling modules. After the module is installed, you have to explicitly enable
Client Certificate Mapping Authentication for it to be available.
To use Client Certificate Mapping Authentication, you need to meet the following requirements:
The Web server must be a member of a Windows domain.
You must issue client certificates to your users by using a Certificate Authority (CA) trusted
by the Web server.
You must map each client certificate to a valid domain account in Active Directory.
Note You do not need to use Client Certificate Mapping Authentication to require clients to present
client certificates. You can configure the server to always require client certificates to access the
server, but use another authentication scheme to authenticate the client. To do this, see the section
titled “Client Certificates” later in this chapter.
To enable Client Certificate Mapping Authentication on the Web server, you need to perform the
following steps (after installing the Certificate Mapping Authentication module).
1. Enable Client Certificate Mapping Authentication. You can do this in IIS Manager by clicking the
server node, double-clicking Authentication, selecting Active Directory Client Certificate
Authentication, and clicking Enable in the Actions pane. Note that this can only be done at the server
level when using IIS Manager, although you can enable Client Certificate Mapping Authentication for
a specific URL through configuration.
2. Configure SSL on each Web site using this authentication method. Certificate authentication is
possible only if the Web site is being accessed over an SSL connection and therefore requires an SSL
binding to be configured for the Web site. See the section titled “Configuring SSL” later in this
chapter for more details.
3. Enable DS Mapper for each Web site SSL binding. IIS Manager does this automatically for each
Web site when the Client Certificate Mapping Authentication is enabled and you add an SSL binding
for the Web site.
To do this manually, use Netsh.exe with the following syntax: netsh http add sslcert
ipport=IPAddress:Port certhash=Thumbprint appid={GUID} dsmapperusage=enable, where IPAddress and
Port are the IP address and port of the corresponding binding, Thumbprint is the SHA-1 thumbprint of
the server certificate in the local machine's personal store, and GUID identifies the application
that owns the registration (IIS Manager uses its own well-known GUID; any GUID is accepted). HTTP.sys
rejects the command without certhash and appid. If the binding is already registered, delete it
first with netsh http delete sslcert ipport=IPAddress:Port and add it again with dsmapperusage=enable;
netsh http show sslcert ipport=IPAddress:Port then reports DS Mapper Usage : Enabled.
4. Configure each Web site using this authentication method to accept client certificates (and
possibly require them). This ensures that the server accepts client certificates when provided by the
client and can also configure the server to require the client to present a certificate to proceed with
the request. See the section titled “Client Certificates” later in this chapter for more details.
You can also enable Client Certificate Mapping Authentication by editing the
system.webServer/security/authentication/clientCertificateMappingAuthentication configuration
section directly or by using Appcmd or other configuration APIs. You can enable this authentication
method by using the following Appcmd syntax.
%systemroot%\system32\inetsrv\Appcmd set config /section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:true
The enabled attribute specifies whether Client Certificate Mapping Authentication is enabled. You can
also enable this method for a specific site or URL by passing its configuration path as the first
argument (for example "Default Web Site/secure"); because the authentication sections are locked at
the server level by default, add /commit:apphost so the setting is written to applicationHost.config
as a location tag rather than to a web.config that IIS would refuse to read. Do note, however, that
the decision to use the Directory Services Mapper to map certificates to Windows domain accounts
depends on each Web site SSL binding having been registered with the HTTP.sys DS Mapper setting;
enabling the section alone is not enough.
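The four steps above and the Appcmd form of step 1, carried through end to end as an added example (not
from the TechNet source this explanation is taken from). It is written for an elevated PowerShell 2.0
prompt on the Windows Server 2008 R2 box, so it uses Get-WmiObject rather than the newer CIM cmdlets. The
site name "Default Web Site", the binding 0.0.0.0:443 and the certificate subject CN=web01.corp.example
are assumptions for illustration; the appid GUID is the well-known one IIS Manager registers SSL
bindings under, but any GUID would do.

```powershell
# Added example: enable Client Certificate Mapping Authentication (DS Mapper) for one site.
# Site name, binding and certificate subject are assumptions; change them for your server.
$site     = "Default Web Site"          # assumed site name
$ipport   = "0.0.0.0:443"               # assumed HTTPS binding (all addresses, port 443)
$subject  = "CN=web01.corp.example"     # assumed subject of the server certificate
$appcmd   = "$env:SystemRoot\System32\inetsrv\appcmd.exe"
$section  = "system.webServer/security/authentication/clientCertificateMappingAuthentication"
$iisAppId = "{4dc3e181-e14b-4a21-b022-59fc669b0914}"   # application ID IIS Manager uses in HTTP.sys

# Requirement: DS Mapper resolves certificates to domain accounts, so the server must be domain-joined.
if (-not (Get-WmiObject Win32_ComputerSystem).PartOfDomain) {
    throw "Server is not a domain member; Client Certificate Mapping Authentication cannot work here."
}

# Requirement: the role service must be installed. If the section is unknown, appcmd exits non-zero,
# which tells us to add the Client Certificate Mapping Authentication role service first.
& $appcmd list config /section:$section | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Section $section not found; install the Client Certificate Mapping Authentication role service."
}

# Step 1: enable the method at the server level (written to applicationHost.config).
& $appcmd set config /section:$section /enabled:true
if ($LASTEXITCODE -ne 0) { throw "appcmd could not enable $section" }

# Step 2: the site needs an HTTPS binding; add one on port 443 if none exists yet.
$bindings = & $appcmd list site "$site" /text:bindings
if ($bindings -notmatch "https/") {
    & $appcmd set site "$site" "/+bindings.[protocol='https',bindingInformation='*:443:']"
    if ($LASTEXITCODE -ne 0) { throw "appcmd could not add an HTTPS binding to $site" }
}

# Step 3: register the server certificate for that binding with HTTP.sys, DS Mapper enabled.
# Pick the longest-lived certificate with the expected subject from the machine's personal store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $subject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject $subject in Cert:\LocalMachine\My" }
$hash = $cert.Thumbprint

# An existing registration is not changed in place: remove it (ignore the error if there is none)
# and add it back with dsmapperusage=enable. certhash and appid are mandatory for netsh.
netsh http delete sslcert ipport=$ipport 2>$null | Out-Null
netsh http add sslcert ipport=$ipport certhash=$hash appid=$iisAppId dsmapperusage=enable
if ($LASTEXITCODE -ne 0) { throw "netsh could not register the certificate for $ipport" }

# Step 4: require SSL and a client certificate for the site. Ssl forces HTTPS, SslNegotiateCert
# makes the server ask for a client certificate, SslRequireCert rejects requests that present none.
& $appcmd set config "$site" /section:system.webServer/security/access `
    "/sslFlags:Ssl,SslNegotiateCert,SslRequireCert" /commit:apphost
if ($LASTEXITCODE -ne 0) { throw "appcmd could not set sslFlags on $site" }

# Verification: HTTP.sys must report "DS Mapper Usage : Enabled" for the binding, and the effective
# configuration for the site must show enabled:"true" and the three sslFlags.
netsh http show sslcert ipport=$ipport | Select-String "DS Mapper Usage"
& $appcmd list config "$site" /section:$section
& $appcmd list config "$site" /section:system.webServer/security/access
```

If the first verification line prints "Disabled", the certificate was re-registered without
dsmapperusage=enable (IIS Manager does this when you edit the binding in the GUI afterwards), and
clients will be authenticated by the site's other enabled methods rather than mapped to their domain
accounts, even though the clientCertificateMappingAuthentication section still reads enabled:"true".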
Source: http://technet.microsoft.com/en-us/library/dd163543.aspx