Where is the Client Certificates UI in IIS 7.0 ?

Where is the Client Certificates UI in IIS 7.0 ?

  • Comments 1

One of the things which I found missing in the IIS 7.0 user interface was the UI which lets you configure the Client certificate mappings for IIS. In the present world, if you want to configure the client certificate mappings for a web site, you will have to use the configuration editor and specify the certificate blob and configure the client certificate as per this blog. At times, getting the certificate blog in a single line itself can get tricky and it might help to just have a UI which IIS 6.0 for this configuration.

Though the client certificate mapping UI feature was not present in IIS 7.0, the IIS 7.0 UI extensibility is so powerful that it is easy to write something like that. I went through some of the blogs that had samples for UI Extensibility and was able to create a sample UI module that adds this functionality in the UI.

Once you install the MSI (for right CPU), you will be able to see this UI module in the IIS manager. This is how it shows up in the UI.

image

I tried ensuring that the UI for client certificate configuration looks exactly the same as configuration interface in IIS 6.0 so if you are already familiar with configuring the client certificate mappings in IIS 6.0, you should be able to directly use this and configure the client certificate mappings quickly.

image

Download Location

Find the zip file attached below to this blog and run the right version (x86 or x64) on your server to install this module.

What does the installer do?

  1. The installer copies a file ClientCertificateMapping.dll to inetsrv\ClientcertificateMapping folder on your IIS server.
  2. It registers the ClientCertificateMapping.dll in the GAC on the server.
  3. It modifies the application host.config and adds the two statements in there.

Under the <moduleProviders> section

<add name="ClientCertificateMapping" type="ClientCertificateMapping.ClientCertificateMappingModuleProvider, ClientCertificateMapping, Version=1.0.0.0, Culture=neutral, PublicKeyToken=44f73143bf16e268" />

And under the <modules>section

<add name="ClientCertificateMapping" />

Note: This tool will just let you configure the client certificate mappings. To make sure that the client certificate mappings works as expected, you might have to review the other settings that are are mentioned in the following links.

  1. http://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx
  2. http://blogs.msdn.com/saurabh_singh/archive/2007/06/09/client-certificate-revisited-how-to-troubleshoot-client-certificate-related-issues.aspx

Some of the limitations of this UI module (as I see today)

  • I just managed to write the functionality for one-one client certificate mapping. To be very frank, I have never seen many people using the one-to-many mapping feature anyways. But based on the user-feedback, I may spend some time writing up the UI for many-to-one mapping as well.
  • I wasn't able to do too much testing around this functionality. If you come across any issues, do let me know via this blog entry
  • There is no BROWSE button when you click the Add Mapping button. I researched a little bit and came to know that generating a object browser dialog box and using the IDsObjectPicker interface in .net requires too much of code. I found some very good sample at codeplex but realized that it is too much of code and it requires a lot of Interop and Pinvoke code. For the time being, I have not used this functionality and let the user explicitly type in the user name but if this turns out to be a requirement, I can easily add it later.
  • Any other issues you facing using this, please let me know :)

In the end, I just wanted to share some of the great resources that I came across while writing this module (and creating an installer for the same)

  1. http://blogs.msdn.com/tess/archive/2008/08/28/creating-a-ui-module-for-iis7-to-watch-current-requests.aspx
  2. http://learn.iis.net/page.aspx/441/understanding-ui-extension-authoring/
  3. http://learn.iis.net/page.aspx/175/how-to-get-started-extending-module-properties-iis-7-iis-manager/

These links are specifically for creating the installer for this UI module

  1. http://blogs.msdn.com/nikhiln/archive/2007/04/25/post-build-script-to-fix-msi-issues-in-vista-for-vs-2005-setup-and-deployment-project.aspx
  2. http://blogs.msdn.com/heaths/archive/2006/02/01/64-bit-managed-custom-actions-with-visual-studio.aspx
  3. http://blogs.msdn.com/carlosag/archive/2008/11/10/CreatingSetupProjectForIISusingVisualStudio2008.aspx
Attachment: ClientCertificateMapping.zip
Leave a Comment
  • Please add 4 and 8 and type the answer here:
  • Post
  • Many thanks for your elaborate work.

    Several of my customers are looking for just such a solution. So we will be testing it soon.

    Our customers frequently make use of a heterogeneous environment (MAC, Windows, Linux) and make use of the TrustAlert.com solution.

    It on-demand provides users with on demand very short life (1-9 hours valid) X.509v3 certificates. The certificate fields are filled with attribute data frequently coming from an AD, where UPN is commonly used as the CN.

    When you distribute once or twice per day around 10.000 to 100.000 certificates, you most definately want many-to-one (UPN based) mapping. And you don't want to do this manually.

Page 1 of 1 (1 items)