
Setting Up Client Authentication in IIS 3.0


Excerpt from "Securing Your ASP Application" in the ASP Scripting Guide

December 1996

A Web site visitor using a browser that supports either the Secure Sockets Layer (SSL) 3.0 protocol or the Private Communications Technology (PCT1) protocol can send a client certificate to prove his or her identity. A client certificate is an encrypted number that is stored in a file on the user’s computer. The browser sends the number along with a request for an ASP page. Client certificates provide a way to secure access to a Web site; they are available from a number of certification authorities.

Note: You cannot use client certificates with Personal Web Server on Windows 95.

As an ASP application developer, you can write scripts to confirm the presence of a certificate and read certificate fields. For example, you can access the user name or company name fields from the certificate. Active Server Pages stores certificate information in the ClientCertificate collection of the Request object. For more information, see Object Reference.

Your Web server must be configured to request a client certificate; otherwise the ClientCertificate collection will be empty. By default, Internet Information Server and Peer Web Services do not request certificates. You can set up your Web server to request certificates for one or more virtual directories.
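The following ASP page is an added example, not part of the original guide. It checks for a certificate, refuses one that is flagged with an unrecognized issuer or is outside its validity dates, and then reads the user name and company fields. The key names (`Subject`, `Flags`, `ValidFrom`, `ValidUntil`, and the `SubjectCN`, `SubjectO`, `IssuerO` subfields) and the flag value are the ones documented for the ClientCertificate collection. The messages and page layout are assumptions.

```asp
<%@ Language=VBScript %>
<%
Option Explicit

' Added example. The flag value matches the constant of the same name in
' the cervbs.inc include file that ships with ASP.
Const ceUnrecognizedIssuer = 2

Dim flags, validFrom, validUntil

' Sends a 403 response and stops processing the page.
Sub Deny(reason)
    Response.Status = "403 Forbidden"
    Response.Write reason
    Response.End
End Sub

' When the virtual directory does not request certificates, or the browser
' sent none, every key in the collection comes back empty.
If Len(Request.ClientCertificate("Subject")) = 0 Then
    Deny "This page requires a client certificate."
End If

' Do not trust fields from a certificate whose issuer is not recognized.
flags = CLng(Request.ClientCertificate("Flags"))
If (flags And ceUnrecognizedIssuer) <> 0 Then
    Deny "The certificate issuer is not recognized."
End If

' Refuse certificates that are not yet valid or have expired.
validFrom = CDate(Request.ClientCertificate("ValidFrom"))
validUntil = CDate(Request.ClientCertificate("ValidUntil"))
If validFrom > Now Or validUntil < Now Then
    Deny "The certificate is outside its validity period."
End If
%>
<html><body>
<!-- Certificate fields are supplied by the client, so encode them before output. -->
<p>User: <%= Server.HTMLEncode(Request.ClientCertificate("SubjectCN")) %></p>
<p>Company: <%= Server.HTMLEncode(Request.ClientCertificate("SubjectO")) %></p>
<p>Issued by: <%= Server.HTMLEncode(Request.ClientCertificate("IssuerO")) %></p>
<p>Valid until: <%= validUntil %></p>
</body></html>
```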

To configure your server to request a certificate:

  1. From the Internet Information Server or Peer Web Services program group, choose Internet Service Manager.
  2. Double-click the WWW service, then click the Directories tab.
  3. Select a virtual directory, then click Edit Properties.
  4. Select Enable Client Certificates to have your server request client certificates for this virtual directory. To require client certificates, select both Enable Client Certificates and Require Client Certificates.

    For Internet Explorer version 3.0 and later, requesting a certificate is the same as requiring a certificate because the user cannot continue if no certificate is provided.

  5. Click OK.

You can use client certificates alone or together with certificates installed on your Web server that authenticate your Web site to browsers. For more information on installing server certificates, see "Securing Your Site Against Intruders" in your Web server’s Installation and Administration Guide.


© 1999 Microsoft Corporation. All rights reserved. Terms of use.