Configuring Digital Certificate Based Login on IIS

This topic describes the procedure for configuring digital certificate based login on IIS.

SSL must be configured on IIS before users can log in to the server using digital certificates. For assigning certificates to users in Process Platform, refer to Creating users. The procedure for enabling digital certificate based login to a server can be divided into the following steps:

  1. Configuring SSL on IIS
  2. Configuring anonymous access
  3. Configuring IIS to accept client certificates
  4. Configuring Certification Authorities in the server trust store

The steps are explained below.

  1. Configuring SSL on IIS. For more information about configuring SSL on IIS, refer to Configuring SSL on IIS.
  2. Configuring anonymous access on IIS.
    1. In the Internet Information Services window, right-click the <web site> on which you want to configure anonymous access and click Properties. The <Web site> Properties dialog box appears.
    2. On the Directory Security tab, click the Edit... button in the Anonymous access and authentication control pane. The Authentication Methods dialog box appears.
    3. Select the Anonymous access check box, clear the check boxes in the Authenticated access pane, and click OK.
    4. Click the Apply button on the Directory Security tab. The Inheritance Overrides dialog box appears.
    5. Click the Cancel button.
    6. Click the OK button in the <Web site> Properties dialog box. Anonymous access on IIS is configured.
  3. Configuring IIS to accept client certificates:
    Note: Perform the following steps only for sites that will allow clients to log in using certificates.
    1. In the Internet Information Services window, right-click the <web site> on which you want to accept client certificates and click Properties. The <Web site> Properties dialog box appears.
    2. On the Directory Security tab, click the Edit... button in the Secure communications pane. The Secure communications dialog box appears.
    3. Select the Require Client Certificate check box and, optionally, select Require 128-bit encryption for additional security.
    4. Select either of the following options:

      | Option | Description |
      | --- | --- |
      | Accept client certificates | If this option is selected, the server accepts both certificates and user name/password pairs as credentials. |
      | Require client certificates | If this option is selected, the server accepts only certificates as credentials. |

    5. Click the OK button. The Web site will now accept client certificates as credentials.
  4. The certification authorities that issued the user certificates must be configured in the server trust store. For more information, refer to Configuring Certificate Authorities in the Trust Stores.

After you complete this task:
Note: Use 'https' instead of 'http' in the URL to open the Web site. Also ensure that the name is accurate; otherwise, you will get a security alert.
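To confirm that a site ended up with the settings chosen in the dialogs above, the following added example (not part of the product documentation) decodes the two IIS 6 metabase properties that store them. The property names `AccessSSLFlags` and `AuthFlags` and their bit values are assumptions drawn from the IIS 6 metabase, not from this page; `audit_site` is a hypothetical helper and the sample values are constructed.

```python
from enum import IntFlag

class AccessSSLFlags(IntFlag):       # IIS 6 metabase property AccessSSLFlags
    AccessSSL = 0x8                  # secure channel (SSL) required
    AccessSSLNegotiateCert = 0x20    # "Accept client certificates"
    AccessSSLRequireCert = 0x40      # "Require client certificates"
    AccessSSLMapCert = 0x80          # certificate-to-account mapping
    AccessSSL128 = 0x100             # "Require 128-bit encryption"

class AuthFlags(IntFlag):            # IIS 6 metabase property AuthFlags
    AuthAnonymous = 0x1
    AuthBasic = 0x2
    AuthNTLM = 0x4
    AuthMD5 = 0x10                   # digest authentication
    AuthPassport = 0x40

def audit_site(access_ssl_flags: int, auth_flags: int) -> dict:
    """Compare one site's flag values with the settings chosen in this procedure."""
    ssl, auth = AccessSSLFlags(access_ssl_flags), AuthFlags(auth_flags)
    findings = []
    if AccessSSLFlags.AccessSSL not in ssl:
        findings.append("SSL is not required on this site")
    if AccessSSLFlags.AccessSSLRequireCert in ssl:
        mode = "require"             # certificates are the only credential
    elif AccessSSLFlags.AccessSSLNegotiateCert in ssl:
        mode = "accept"              # certificates or user name and password
    else:
        mode = "ignore"
        findings.append("client certificates are not accepted")
    if AuthFlags.AuthAnonymous not in auth:
        findings.append("anonymous access is not enabled")
    # Anything besides anonymous access should have been cleared in step 2.
    extra = [f.name for f in AuthFlags
             if f in auth and f is not AuthFlags.AuthAnonymous]
    if extra:
        findings.append("authenticated access still enabled: " + ", ".join(extra))
    return {"client_cert_mode": mode,
            "ssl128": AccessSSLFlags.AccessSSL128 in ssl,
            "findings": findings}

# Constructed sample values, not taken from a real server.
SAMPLES = {"portal": (0x168, 0x1), "intranet": (0x28, 0x5), "legacy": (0x8, 0x4)}

if __name__ == "__main__":
    for name, (ssl_value, auth_value) in SAMPLES.items():
        print(name, audit_site(ssl_value, auth_value))
```

On IIS 6 the two integer values can be read from the metabase, for example with the adsutil.vbs administration script. An empty findings list with mode "require" corresponds to the certificate-only configuration described in the table.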