(Optional) Set the SSL client certificate
In installations that require SSL client certificates on the application servers, such as smart card support, IIS folders must be set to Require client certificates instead of accepting client certificates.

Indications that this setting has not been made include: desktop pop-ups display one or more security prompts, the Weather Alerting Module is not functional, and integration with external systems that use the AtHoc SDK APIs does not work.

To set the preference for client certificates, complete the following steps:
- Open the Internet Information Services Manager.
- Expand Sites, then expand Default Web Site or the named site. Select a Web application and open SSL Settings.
- Select the Ignore, Accept, or Require radio button under client certificates. Use the recommendations for each folder, provided in the table that follows these steps.
- Click Apply.
The following table provides a reference for client certificate settings for Department of Defense, Federal Government, and any other customers that use smart cards or soft certificates for client authentication to web servers.
Application or virtual directory | SSL client certificates |
---|---|
Aspnet_client | Require |
api | Ignore |
ast | Require |
athoc-cdn | Require |
athoc-iws | Require |
AuthConfig | Ignore |
CascadeAlertAgent | Require |
client [1] | Require |
config [2] | Ignore if you have desktop clients deployed. Require if not. |
csi [2] | Ignore if you have desktop clients deployed. Require if not. |
D911Server | Require |
Data | Require |
DataExport | Require |
Default Web Site | Require |
EasyConnect | Require |
EmailResponse | Require |
Help | Require |
Graphics [2] | Ignore if you have desktop clients deployed. Require if not. |
Gw | Require |
Icons | Require |
Images | Require |
Include | Require |
Integrated Weather Alerts [3] | Require |
mas | Accept |
monitor | Ignore if your web server monitoring solution will not work with client certificates. Require if it does. |
Redirector | Require |
sdk | Ignore if your custom code integration does not support client certificates. Require if it does. |
SelfService | Require |
Self Service/AuthWin | Require |
sps [2] | Ignore if you have desktop clients deployed. Require if not. |
Sso | Require |
Syndication | Require if your IIM devices have client certificates installed, or if no IIM devices are deployed. Ignore if not. |
TwitterConfig | Require |
User | Require |
wis | Require |
- [1] BlackBerry AtHoc health monitors do not currently support client certificate authentication. Setting the client Web directory to “Require Client Certificates” might cause the BlackBerry AtHoc management system health monitor to falsely show that the system is down. BlackBerry AtHoc recommends disabling this monitor in this configuration.
- [2] If config, csi, Graphics, and sps are set to “Require Client Certificates” and you have desktop clients deployed, one of two things can happen:
  - Users experience periodic prompts for client certificate pin authentication.
  - The SSL stack on the IIS web server becomes overwhelmed with SSL renegotiation issues. This condition looks like your Web server is under a denial of service attack, with page loads becoming slower and eventually timing out with errors.
- [3] Make sure the Symantec/Verisign certificate chain for the target system is properly represented in the Windows Certificate Manager.
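The following read-only audit is an added example, not part of the BlackBerry AtHoc documentation. It compares the client certificate setting of each folder against the table above. It assumes the IIS `WebAdministration` PowerShell module is installed, that the site is named `Default Web Site`, and that only a subset of the unconditional table rows is checked; the mapping of Ignore, Accept, and Require to `sslFlags` values is standard IIS behavior.

```powershell
# Added example: read-only audit of IIS client certificate settings.
# Run in an elevated PowerShell session on the IIS application server.
Import-Module WebAdministration

$Site = 'Default Web Site'   # assumption: replace with the named site if one is used

# Expected settings copied from the table above (unconditional rows, subset shown).
$Expected = [ordered]@{
    'api'         = 'Ignore'
    'AuthConfig'  = 'Ignore'
    'mas'         = 'Accept'
    'ast'         = 'Require'
    'athoc-iws'   = 'Require'
    'SelfService' = 'Require'
    'Sso'         = 'Require'
    'User'        = 'Require'
    'wis'         = 'Require'
}

function Get-ClientCertMode {
    param([string]$Location)
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location $Location -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # Assumption: the value arrives either as a string or as an object with a
    # Value property, depending on the module version; both cases are handled.
    $text  = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
    $flags = $text -split ',' | ForEach-Object { $_.Trim() }
    # SslRequireCert = Require, SslNegotiateCert alone = Accept, neither = Ignore.
    if ($flags -contains 'SslRequireCert')   { return 'Require' }
    if ($flags -contains 'SslNegotiateCert') { return 'Accept' }
    return 'Ignore'
}

$report = foreach ($dir in $Expected.Keys) {
    $actual = Get-ClientCertMode -Location "$Site/$dir"
    [pscustomobject]@{
        Directory = $dir
        Expected  = $Expected[$dir]
        Actual    = $actual
        Match     = ($actual -eq $Expected[$dir])
    }
}

# Show every checked folder, then list only the ones that drifted from the table.
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Match } | Format-Table -AutoSize
```

Rows whose setting depends on the deployment (config, csi, Graphics, sps, monitor, sdk, Syndication) are left out of `$Expected` on purpose; add them with the value that matches your environment.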