Administrator

Checking IIS Client Negotiation Certificate Status for Mutual Authentication

To use mutual authentication with Relay Servers on IIS, the Negotiate Client Certificate value of the SSL certificate binding must be Enabled. Set this value on each IIS server so that the Relay Server outbound enabler starts correctly for mutual authentication.

Procedure

  1. At a command prompt, check the SSL certificate status:
    netsh http show sslcert

    The output should look similar to:

    SSL Certificate bindings:
    -------------------------
    
        IP:port                      : 0.0.0.0:443
        Certificate Hash             : <cert_hash>
        Application ID               : {<app_id>}
        Certificate Store Name       : My
        Verify Client Certificate Revocation : Enabled
        Verify Revocation Using Cached Client Certificate Only : Disabled
        Usage Check                  : Enabled
        Revocation Freshness Time    : 0
        URL Retrieval Timeout        : 0
        Ctl Identifier               : (null)
        Ctl Store Name               : (null)
        DS Mapper Usage              : Disabled
        Negotiate Client Certificate : Disabled
    
    If the Negotiate Client Certificate value in your command output is Disabled, perform the rest of the steps in this task. Record these values before proceeding:
    • Certificate Hash
    • Application ID

    If the Negotiate Client Certificate value in your output is Enabled, there is nothing more that you need to do.

  2. Delete the existing SSL certificate binding:
    netsh http delete sslcert ipport=0.0.0.0:443

    The output of this command should be:

    SSL Certificate successfully deleted

  3. Re-add the SSL certificate binding, using the Certificate Hash and Application ID values that you recorded above, and setting clientcertnegotiation=enable:
    netsh http add sslcert ipport=0.0.0.0:443 certhash=<cert_hash> appid={<app_id>} clientcertnegotiation=enable

    The output of this command should be:

    SSL Certificate successfully added

  4. Verify the new settings:
    netsh http show sslcert

    In the output of this command, the certificate hash and application ID should be the same as in the original output, and the last line should be:

    ...
        Negotiate Client Certificate : Enabled
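The four steps above can be scripted so that the check, the delete, the re-add and the verification run as one unit and the Certificate Hash and Application ID are carried over automatically. The following PowerShell is an added example and is not part of the original page or of the Relay Server product; the function names Get-SslCertBinding and Enable-ClientCertNegotiation are hypothetical, it assumes an elevated (Administrator) prompt on the IIS server, and it passes certstorename= in addition to the parameters shown in step 3 so the recorded store name is preserved. The sample output embedded at the end is constructed from the step 1 listing so the parser can be tried without touching the live binding.

```powershell
# Added example, not part of the original page. Automates the manual netsh steps
# above. Hypothetical helper functions; assumes an elevated (Administrator) prompt.

function Get-SslCertBinding {
    param(
        [string]$IpPort = '0.0.0.0:443',
        # Lines of `netsh http show sslcert` output. Defaults to querying netsh live;
        # pass captured text instead to parse offline.
        [string[]]$NetshOutput = $null
    )
    if (-not $NetshOutput) { $NetshOutput = netsh http show sslcert }

    $current = $null
    foreach ($line in $NetshOutput) {
        # Each binding block starts with an "IP:port : <addr:port>" line.
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($null -ne $current -and $current['IP:port'] -eq $IpPort) { return $current }
            $current = [ordered]@{ 'IP:port' = $Matches[1] }
            continue
        }
        # Remaining "Name : Value" lines belong to the current block.
        if ($null -ne $current -and $line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $current[$Matches[1]] = $Matches[2].Trim()
        }
    }
    if ($null -ne $current -and $current['IP:port'] -eq $IpPort) { return $current }
    return $null
}

function Enable-ClientCertNegotiation {
    param([string]$IpPort = '0.0.0.0:443')

    # Step 1: read the current binding and stop if nothing needs to change.
    $binding = Get-SslCertBinding -IpPort $IpPort
    if ($null -eq $binding) { throw "No SSL certificate binding found for $IpPort" }
    if ($binding['Negotiate Client Certificate'] -eq 'Enabled') {
        Write-Host "Negotiate Client Certificate is already Enabled for $IpPort; nothing to do."
        return
    }

    # Record the values the re-add needs before the binding is deleted.
    $certHash = $binding['Certificate Hash']
    $appId    = $binding['Application ID']          # includes the braces, e.g. {guid}
    $store    = $binding['Certificate Store Name']  # usually "My"
    Write-Host "Re-creating binding $IpPort (certhash=$certHash, appid=$appId) with client certificate negotiation enabled"

    # Step 2: delete the existing binding.
    netsh http delete sslcert "ipport=$IpPort" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http delete sslcert failed (exit code $LASTEXITCODE)" }

    # Step 3: re-add with the recorded values and clientcertnegotiation=enable.
    netsh http add sslcert "ipport=$IpPort" "certhash=$certHash" "appid=$appId" `
        "certstorename=$store" clientcertnegotiation=enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed (exit code $LASTEXITCODE)" }

    # Step 4: verify that the flag is now Enabled and that hash and app ID are unchanged.
    $after = Get-SslCertBinding -IpPort $IpPort
    if ($null -eq $after -or $after['Negotiate Client Certificate'] -ne 'Enabled') {
        throw "Negotiate Client Certificate is still not Enabled for $IpPort"
    }
    if ($after['Certificate Hash'] -ne $certHash -or $after['Application ID'] -ne $appId) {
        throw "Certificate Hash or Application ID changed unexpectedly for $IpPort"
    }
    Write-Host "Negotiate Client Certificate is now Enabled for $IpPort"
}

# Offline parse of constructed sample output (taken from the step 1 listing); no netsh call.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : <cert_hash>
    Application ID               : {<app_id>}
    Certificate Store Name       : My
    Negotiate Client Certificate : Disabled
'@ -split "`r?`n"

$b = Get-SslCertBinding -IpPort '0.0.0.0:443' -NetshOutput $sample
Write-Host "Sample binding: hash=$($b['Certificate Hash']) appid=$($b['Application ID']) negotiate=$($b['Negotiate Client Certificate'])"

# Live run on this server (requires elevation):
# Enable-ClientCertNegotiation -IpPort '0.0.0.0:443'
```

Get-SslCertBinding returns only the block for the requested IP:port, so servers with several bindings are handled, and the verification at the end of Enable-ClientCertNegotiation performs the step 4 comparison of hash and application ID rather than leaving it to a visual check.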