X.509 certificate authentication configuration Web Agent on IIS


Article ID: 9643




Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER, CA Single Sign On Agents (SiteMinder)



How to configure X.509 certificate authentication with the CA Single Sign-On Web Agent on an IIS Web Server.




Web Agent 12.52SP1 on IIS 7.5

Web Agent 12.52SP1CRxx on IIS 10.x version1809




Obtain the following three required certificates in .pfx format (1):

  1. Trusted CA root certificate (let's call it rootCA.pfx)
  2. Server certificate issued by the trusted CA (let's call it server.pfx)
  3. Client certificate issued by the trusted CA (let's call it client.p12/pfx)

Changes on the IIS Web Server:

1. Open the MMC console and add the Certificates snap-in for the Local Computer account.


2. Import the CA root certificate to Trusted Root Certification Authorities.

3. Open Inetmgr (IIS Manager) and click Server Certificates under the server node.


4. Import the server certificate by clicking the Import link in the Actions pane.


5. Select the website that needs X.509 certificate authentication.

   - In the Actions pane, click Bindings...
   - Click Add
   - Select Type = https, and choose as the SSL certificate the server certificate imported in the previous step.


6. Navigate to the "cert" folder under the "siteminderagent" virtual directory and click SSL Settings.


7. In the middle panel, select Require SSL and, under Client certificates, select Require.

   - Click Apply in the Actions pane.


8. Ensure that Anonymous Authentication is DISABLED for the "cert" folder. (If it stays enabled, IIS can serve the folder without negotiating a client certificate and the Web Agent has no certificate to pass to the Policy Server.)
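The IIS steps above can be scripted and verified from an elevated PowerShell session. The following is an added example, not part of the CA article; it assumes the site name "Default Web Site", placeholder PFX paths under C:\certs, and that the WebAdministration and PKI modules are installed:

```powershell
# Added example (not from the CA/Broadcom article). Assumptions: site name,
# PFX paths and password are placeholders; run as Administrator on the IIS host.
Import-Module WebAdministration
Import-Module PKI

$SiteName   = 'Default Web Site'                 # assumption: site to protect
$CertFolder = "$SiteName/siteminderagent/cert"   # IIS location path of the cert folder
$RootPfx    = 'C:\certs\rootCA.pfx'              # placeholder: rootCA.pfx from the list above
$ServerPfx  = 'C:\certs\server.pfx'              # placeholder: server.pfx from the list above
$PfxPwd     = Read-Host -AsSecureString 'PFX password'
$AppHost    = 'MACHINE/WEBROOT/APPHOST'

# Steps 1-4: CA root into Trusted Root (LocalMachine\Root), server cert into LocalMachine\My
Import-PfxCertificate -FilePath $RootPfx -CertStoreLocation Cert:\LocalMachine\Root -Password $PfxPwd | Out-Null
$srv = Import-PfxCertificate -FilePath $ServerPfx -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPwd

# Step 5: https binding on 443 bound to the imported server certificate
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $srv -Force | Out-Null

# Steps 6-7: Require SSL and Require client certificate, on the cert folder only
Set-WebConfigurationProperty -PSPath $AppHost -Location $CertFolder `
    -Filter 'system.webServer/security/access' -Name sslFlags `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 8: anonymous authentication off for the cert folder
Set-WebConfigurationProperty -PSPath $AppHost -Location $CertFolder `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name enabled -Value $false

# Read the two settings back and confirm the folder really demands a client certificate
function Test-CertFolderConfig {
    param([string]$Location)
    $flags = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/access' -Name sslFlags
    $anon  = Get-WebConfigurationProperty -PSPath $AppHost -Location $Location `
        -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
    # Get-WebConfigurationProperty may return a raw value or a ConfigurationAttribute wrapper
    if ($flags -is [Microsoft.IIs.PowerShell.Framework.ConfigurationAttribute]) { $flags = $flags.Value }
    if ($anon  -is [Microsoft.IIs.PowerShell.Framework.ConfigurationAttribute]) { $anon  = $anon.Value }
    $ok = ("$flags" -match 'SslRequireCert') -and (-not [bool]$anon)
    Write-Host "sslFlags=$flags anonymousAuthentication=$anon -> $(if ($ok) { 'OK' } else { 'NOT OK' })"
    return $ok
}
Test-CertFolderConfig -Location $CertFolder
```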

Changes on the Policy Server:

1. Create an X.509 certificate authentication scheme as shown below:

2. Create a Domain, Realm, Rule (get/post) and Policy. Protect the realm with the X.509 authentication scheme.

3. Click Certificate Mappings under Directory and create the mapping as shown below.

   Note:

   - Ensure that the Issuer DN matches exactly the Issuer DN in the user certificate.
   - Choose the mapping attribute according to the Active Directory LDAP User DN lookup configuration.


Changes on the client machine:

1. Open the MMC console and import the client certificate and the CA root certificate into the Current User account.


How to Test:

1. From the client machine, access the IIS resource that is protected with the X.509 authentication scheme.

2. The browser prompts you to select the client/user certificate. Choose the appropriate user certificate and click OK.


Additional Information



    Tech Tip: How to create self-signed RootCA/Server/User certificates using OpenSSL