IIS Client Certificate Mapping Authentication

What is Authentication?

Authentication is the process of identifying and providing that identity to a remote service. It is the process of proving that you are who you say you are.

What is Client Certificate Mapping Authentication?

IIS provides six authentication options. One of these options is called “Client Certificate Authentication”. In this authentication option, the client presents a certificate to the server, the server configured to map certificates to one or more Windows user accounts

  • Many-to-One Client Mapping => Multiple trusted user certificates are mapped to a single Windows user account.
  • Active Directory Mapping => Certificates are passed to Active Directory, which will validate if the mapping is correct.


  • Certificate
  • Ssl => The site or application requires SSL.
  • SslNegotiateCert => The site or application accepts client certificates for authentication.
  • SslRequireCert => The site or application requires client certificates for authentication.
  • Ssl128 =>The site or application requires 128-bit SSL certificate encryption.
  • That my site can accept client certificates for authentication.
  • That my site requires a client certificate for authentication.

One-to-One Certificate Mapping

  • userName => account that will be the one used to log in.
  • password => password of that account

How to get the Base-64 encoded string of your certificate.

Export your certificate as “Base-64 encoded X.509 (.CER)

Many-to-One Certificate Mapping

<remove the mapping that we had for oneToOneMapping or disable it>

Final Thoughts

  • Client Certificate Mapping Authentication is one of the options that IIS provides in order to authenticate.
  • You could encounter the following status codes: (See the documentation on how to troubleshoot it):
  • If you only have “SslNegotiateCert” and you do not have any valid certificate, the other Authentication protocol that you have will be used. In case you have potential valid certificate, it would ask you to choose a certificate, if you chose an incorrect certificate, it would give you 403.16. It will not use the other authentication option that you have in the “Authentication module”.




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store