Enable client certificates

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

To enable client certificates

  1. On the receiving computer, open the Internet Information Services snap-in as follows: click Start, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS).

  2. In the console tree, right-click MSMQ.

    Where?

    • Console Root/Internet Information Services/YourComputer/Web Sites/Default Web Site/MSMQ

  3. Click Properties.

  4. Select the Directory Security tab, and then under Secure Communications, click Edit.

  5. To require that a secure link be used for a site resource, click Require secure channel (SSL).

  6. Under Client certificates, select one of the following to enable client certificate authentication:

    • To enable clients to access a resource with a client certificate, click Accept client certificates. Note that a client certificate is not required.

    • To ensure that users without a valid client certificate will be denied access to the site resource, click Require client certificates.

    • To grant access to users with or without a client certificate, click Ignore client certificates.

  7. To enable client certificate mapping, in the Secure Communications dialog box, select Enable client certificate mapping if not already selected, and then click Edit. For instructions on creating a mapping, see the IIS online Help file.

Notes

  • By default, anonymous access is enabled for the MSMQ virtual directory using the account IUSR_computername. To prevent both authenticated and unauthenticated HTTP messages from being sent, disable anonymous access. For instructions, see Change the security settings for Internet Information Services.

  • By default, the IUSR_computername user has write permission for the physical MSMQ directory (default is %SystemDrive%\Inetpub\wwwroot\msmq), and Ignore client certificates is selected, thus allowing everyone to send HTTPS messages. You can control access to the MSMQ virtual directory by configuring security settings for the physical Message Queuing directory.

  • Requiring a secure channel means that a user cannot connect to a site resource without using a secure link (that is, the link's URL must begin with https://).
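
An added example, not part of the original page or of Microsoft's tooling: a Python check that decodes the IIS 6 metabase values behind steps 5 to 7 for the MSMQ virtual directory and flags the weak settings the notes describe. The AccessSSLFlags and AuthFlags bit constants and the sample values are assumptions that do not appear on the page; reading the values from the metabase is left out.

```python
# Added example. Bit values are the IIS 6 metabase constants for the
# AccessSSLFlags and AuthFlags properties; they are not given on the page.
ACCESS_SSL = 0x08                 # Require secure channel (SSL)
ACCESS_SSL_NEGOTIATE_CERT = 0x20  # Accept client certificates
ACCESS_SSL_REQUIRE_CERT = 0x40    # Require client certificates
ACCESS_SSL_MAP_CERT = 0x80        # Enable client certificate mapping
AUTH_ANONYMOUS = 0x01             # Anonymous access (IUSR_computername)


def client_cert_mode(access_ssl_flags):
    """Return which step 6 option the flags correspond to."""
    if access_ssl_flags & ACCESS_SSL_REQUIRE_CERT:
        return "require"
    if access_ssl_flags & ACCESS_SSL_NEGOTIATE_CERT:
        return "accept"
    return "ignore"


def audit_msmq_vdir(access_ssl_flags, auth_flags):
    """Summarise the settings and list the weak spots the notes call out."""
    mode = client_cert_mode(access_ssl_flags)
    report = {
        "ssl_required": bool(access_ssl_flags & ACCESS_SSL),
        "client_certs": mode,
        "cert_mapping": bool(access_ssl_flags & ACCESS_SSL_MAP_CERT),
        "anonymous": bool(auth_flags & AUTH_ANONYMOUS),
        "findings": [],
    }
    if not report["ssl_required"]:
        report["findings"].append("secure channel (SSL) is not required")
    if mode == "accept":
        report["findings"].append("client certificate accepted but not required")
    if mode == "ignore" and report["anonymous"]:
        report["findings"].append("default posture: anonymous access, client certificates ignored")
    return report


if __name__ == "__main__":
    # Constructed sample values, not read from a real server.
    samples = {"default": (0x00, 0x05), "accept only": (0x28, 0x04), "hardened": (0xE8, 0x04)}
    for name, (ssl_flags, auth) in samples.items():
        print(name, audit_msmq_vdir(ssl_flags, auth))
```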

Information about functional differences

  • Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.

See Also

Concepts

Authentication for Message Queuing
Working with MMC console files