[This is preliminary documentation and subject to change]
Enabling Client Certificates
You can require users attempting to access your Web site to log
on with a client certificate. Requiring a client certificate,
however, does not protect your content from unauthorized access.
Any user with a client certificate can establish a secure
connection and access your resource. To protect your Web content
from unauthorized access you must do either of the following:
- Use Basic, Digest, or integrated Windows authentication, in
addition to requiring a client certificate.
- Create a Windows account mapping for client certificates. For
more information, see Mapping Client Certificates to User Accounts.
- Your Web server cannot process client certificates unless you
have previously installed a server certificate and enabled your
server's secure communication features. For more information about
authentication and certificates, see About Authentication and Obtaining a Server Certificate.
- When you attempt to set properties for a specific Web site,
your Web server will prompt you for permission to reset the
properties of individual directories and files in the Web site. If
you choose to reset these properties, your previous settings will
be replaced by the new settings. This is also true for setting
properties for a directory containing subdirectories or files with
previously set security properties. For more information about
setting properties, see Properties and Inheritance of Properties on
Sites in About Web and FTP Sites.
To enable client certificates
- In the IIS snap-in, select a Web
site, directory, or file, and open its property sheets.
- If you have not previously obtained a server certificate,
select the Directory Security property sheet and, under
Secure Communications, click Server Certificate. For
more information, see Using the New Security Task Wizards.
- If you have previously obtained a server certificate, select
the Directory Security or File Security property
sheet, then under Secure Communications, click
Edit.
- In the Secure Communications dialog box, select the
Require secure channel (SSL) check box. Requiring a secure
channel means that users cannot connect to this site without using a
secure link (that is, the link's URL must begin with
https://).
- Under Client certificates, select one of the following to
enable client certificate authentication:
  - Accept client certificates: Users can access the
    resource with a client certificate, but the certificate is not
    required.
  - Require client certificates: The server will request
    a client certificate before connecting the user to the resource.
    Users without a valid client certificate will be denied
    access.
  - Ignore client certificates: Users with or without a
    client certificate will be granted access.
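The following check is an added example, not part of the original documentation or of IIS. It takes the settings chosen in the procedure above and reports the combinations this page warns about, such as requiring a client certificate with no account mapping and no Basic, Digest, or integrated Windows authentication. The field names and the sample sites are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical labels for the settings on this page, not IIS identifiers.
AUTHENTICATING = {"basic", "digest", "integrated"}


@dataclass
class SiteSecurity:
    server_cert_installed: bool
    require_ssl: bool  # "Require secure channel (SSL)" check box
    client_certs: str  # "ignore", "accept" or "require"
    auth_methods: frozenset = frozenset()  # e.g. frozenset({"basic"})
    cert_mapping: bool = False  # Windows account mapping for client certificates


def audit(s):
    """Return findings for one site, directory or file; an empty list means none."""
    if s.client_certs not in ("ignore", "accept", "require"):
        raise ValueError(f"unknown client certificate mode: {s.client_certs!r}")
    findings = []
    uses_certs = s.client_certs != "ignore"
    if uses_certs and not s.server_cert_installed:
        findings.append("no-server-cert: client certificates cannot be processed")
    if uses_certs and not s.require_ssl:
        findings.append("ssl-not-required: non-https connections present no certificate")
    # The page's two options: another authentication method, or account mapping.
    authorizes = s.cert_mapping or bool(AUTHENTICATING & set(s.auth_methods))
    if s.client_certs == "require" and not authorizes:
        findings.append("cert-only: any user with a client certificate gets access")
    if s.client_certs == "accept" and not authorizes:
        findings.append("cert-optional: certificate not required, no other authentication")
    return findings


# Constructed sample configurations.
SAMPLES = {
    "cert-only": SiteSecurity(True, True, "require"),
    "cert+mapping": SiteSecurity(True, True, "require", cert_mapping=True),
    "cert+digest": SiteSecurity(True, True, "require", frozenset({"digest"})),
    "accept-open": SiteSecurity(True, True, "accept"),
    "no-server-cert": SiteSecurity(False, False, "accept", frozenset({"basic"})),
}

if __name__ == "__main__":
    for name, site in SAMPLES.items():
        print(name, audit(site) or "ok")
```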
© 1997-2001 Microsoft Corporation. All rights reserved.