The Client Certificate Mapping Authentication role service is required on the machine hosting the Active Roles Web Interface.
Membership in the local Administrators group, or equivalent, is the minimum permission set required to complete this procedure.
To add the Client Certificate Mapping Authentication role service:
- Open Server Manager. Click Start | Administrative Tools | Server Manager.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
- Expand Roles, and then click Web Server (IIS).
- In the results pane under Role Services, click Add Role Services.
- Select the Client Certificate Mapping Authentication check box, and then click Next.
- Click Install.
- When the role service is added, click Close.
Next, configure the authentication method in IIS:
- Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
- In the console tree, click on the server name.
- In the results pane of the server Home page, double-click Authentication to open the Authentication page.
- In the results pane of the Authentication page, right-click Active Directory Client Certificate Authentication, and then click Enable.
- Close IIS Manager.
Finally, enable client authentication for the Web site that is the Active Roles Web Interface:
- Click Start | Administrative Tools | Internet Information Services (IIS) Manager.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.
- In the console tree, expand the server name.
- Expand Sites, and then expand the Web site that is hosting the Active Roles Web Interface. By default, the Web site name is Default Web Site.
- In the console tree, select the site name (for example, ARWebAdmin).
- In the results pane on the Home page, double-click SSL Settings.
- Choose the appropriate Client certificates setting (Accept or Require). You should choose Accept if you want clients to have the option to supply authentication credentials by using either a smart card certificate or a user name and password. You should choose Require if you want only clients with client-side certificates, such as smart cards, to be able to connect to the service.
- Click Apply.
- Repeat steps 5-8 for any additional Active Roles Web Interface sites as desired.
- Close IIS Manager.
- In an elevated command prompt, run iisreset.
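To confirm the result of the three procedures above, the following read-only PowerShell check reports whether the role service is installed, whether Active Directory Client Certificate Authentication is enabled at the server level, and which Client certificates setting each Web Interface site uses. It is an added example, not part of the original procedure or the product's own tooling; the location `Default Web Site/ARWebAdmin` is an assumption based on the names mentioned above and should be adjusted to your sites.

```powershell
# Added example: read-only check, changes nothing. Run in an elevated PowerShell session.
param(
    # Assumed location(s): "<Web site>/<Web Interface site>"; adjust to your environment.
    [string[]]$Location = @('Default Web Site/ARWebAdmin')
)
Import-Module ServerManager, WebAdministration

function Get-ConfigValue {
    param([string]$Filter, [string]$Name, [string]$Loc)
    $p = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Filter = $Filter; Name = $Name }
    if ($Loc) { $p.Location = $Loc }
    $v = Get-WebConfigurationProperty @p
    # Some attributes come back wrapped in an object with a Value property; unwrap it.
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { $v.Value } else { $v }
}

# 1. Role service "Client Certificate Mapping Authentication" (feature name Web-Client-Auth).
$feature = Get-WindowsFeature -Name Web-Client-Auth
[pscustomobject]@{ Check = 'Role service installed'; Scope = 'Server'; Result = $feature.Installed }

# 2. "Active Directory Client Certificate Authentication" at the server level.
$authFilter = 'system.webServer/security/authentication/clientCertificateMappingAuthentication'
$enabled = Get-ConfigValue -Filter $authFilter -Name enabled
[pscustomobject]@{ Check = 'AD client certificate authentication enabled'; Scope = 'Server'; Result = $enabled }

# 3. SSL Settings > Client certificates for each Web Interface site.
foreach ($loc in $Location) {
    $flags = [string](Get-ConfigValue -Filter 'system.webServer/security/access' -Name sslFlags -Loc $loc)
    $mode = if ($flags -match 'SslRequireCert') { 'Require' }
            elseif ($flags -match 'SslNegotiateCert') { 'Accept' }
            else { 'Ignore' }
    [pscustomobject]@{ Check = "Client certificates ($flags)"; Scope = $loc; Result = $mode }
}
```

A site reported as `Accept` still allows user name and password logon, and `Ignore` means the SSL Settings step was not applied to that site.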