Configuring a Web Site to Require a Client Certificate

Use Internet Information Services (IIS) Manager to configure settings for the Relay Server's Web site.

  1. Open Internet Information Services (IIS) Manager.
  2. (Optional) Create a self-signed certificate.
    1. Select the IIS server node in the left pane.
    2. Double-click the Server Certificates icon in the center pane.
    3. Click the Create Self-Signed Certificate action in the right pane.
    4. Enter the certificate name according to certificate naming guidelines, and click OK.
  3. (Optional) Import the certificate to IIS.
    1. Select the IIS server node in the left pane.
    2. Double-click the Server Certificates icon in the center pane.
    3. Click the Import action in the right pane.
    4. Enter the certificate path and password in the Import Certificate window, and click OK.
  4. Add the HTTPS binding.
    1. Right-click the Web site that contains the Relay Server application in the left pane.
    2. Select Edit Bindings in the context menu.
    3. Click Add in the Site Bindings window.
    4. Select https as the type and select the certificate in the Add Site Binding window, then click OK.
  5. Configure the ias_relay_server application to require SSL.
    Note: Only the SAP Mobile Server client connecting to the Relay Server needs to provide a certificate; the RSOE connecting to the Relay Server does not need to provide a certificate.
    1. Click the Relay Server’s Web site.
    2. Double-click the SSL Settings icon in the center pane.
    3. Uncheck Require SSL, and select the Ignore option in the center pane.
    4. Click the Apply action in the right pane.
    5. Click the ias_relay_server application in the left pane.
    6. Double-click the SSL Settings icon in the center pane.
    7. Check Require SSL, and select the Require option in the center pane.
    8. Click the Apply action in the right pane.
  6. Enable IIS to negotiate the client certificate.
    Note: The following instructions are for IIS 7.5; if you are using IIS 6.x, see the Microsoft technical documentation.
    1. To check whether Negotiate Client Certificate is enabled, run this command from the command line:
      netsh http show sslcert
    2. If Negotiate Client Certificate is disabled, delete the certificate binding on the HTTPS port by running:
      netsh http delete sslcert 0.0.0.0:443
    3. Run the following command to add the certificate again, this time with client certificate negotiation enabled:
      netsh http add sslcert 0.0.0.0:443 976772814ae6bc1468d7ff2382a45a4d65bdec51 {4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=MY clientcertnegotiation=enable

      The Certificate Hash and Application ID must match your IIS configuration.

    4. Verify that Negotiate Client Certificate is enabled.
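The following PowerShell script is an added example and is not part of the SAP documentation or the Relay Server product; it applies steps 5 and 6 without the IIS Manager GUI so the result can be checked and repeated. It assumes IIS 7.5 or later with the WebAdministration module, an elevated PowerShell prompt, a Web site named Default Web Site (replace with your own), and placeholders for the certificate thumbprint and application ID, which, as step 6 says, must match your IIS configuration. The sslFlags values used are the ones IIS Manager writes for the Ignore option (None) and for Require SSL plus Require client certificate (Ssl,SslNegotiateCert,SslRequireCert). The helper Get-ClientCertNegotiation is defined here for illustration; it parses the output of netsh http show sslcert rather than relying on any product API.

```powershell
# Added example (not SAP's own code): apply the SSL settings from step 5 and enable
# client certificate negotiation on the HTTP.sys binding from step 6, then verify it.
Import-Module WebAdministration

$siteName = 'Default Web Site'                   # assumption: the Web site hosting the Relay Server
$appPath  = "$siteName/ias_relay_server"         # the Relay Server application configured in step 5
$ipPort   = '0.0.0.0:443'                        # the HTTPS binding added in step 4
$certHash = 'REPLACE_WITH_CERTIFICATE_THUMBPRINT' # placeholder: Certificate Hash from 'netsh http show sslcert'
$appId    = '{REPLACE-WITH-APPLICATION-GUID}'     # placeholder: Application ID from 'netsh http show sslcert'

# Step 5, site level: Require SSL unchecked, client certificates set to Ignore.
# Writing to MACHINE/WEBROOT/APPHOST with -Location puts the setting in a
# <location> element of applicationHost.config, where the access section is allowed.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $siteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'None'

# Step 5, application level: Require SSL checked, client certificates set to Require,
# so only callers presenting a certificate reach ias_relay_server.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appPath `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Step 6: read the 'Negotiate Client Certificate' state for one HTTP.sys binding.
# Returns 'Enabled', 'Disabled', or $null when no binding exists for that IP:port.
function Get-ClientCertNegotiation {
    param([string]$IpPort)
    # netsh prints one block per binding, separated by blank lines.
    $text   = (netsh http show sslcert) -join "`n"
    $blocks = $text -split "`n\s*`n"
    $wanted = '(?m)^\s*IP:port\s*:\s*' + [regex]::Escape($IpPort) + '\s*$'
    $block  = $blocks | Where-Object { $_ -match $wanted } | Select-Object -First 1
    if (-not $block) { return $null }
    if ($block -match 'Negotiate Client Certificate\s*:\s*(\w+)') { return $matches[1] }
    return $null
}

$state = Get-ClientCertNegotiation -IpPort $ipPort
Write-Host "Negotiate Client Certificate on ${ipPort}: $state"

if ($state -ne 'Enabled') {
    # HTTP.sys does not change this flag in place, so the binding is removed and
    # re-added with clientcertnegotiation=enable (steps 6.2 and 6.3).
    netsh http delete sslcert "ipport=$ipPort" | Out-Null
    netsh http add sslcert "ipport=$ipPort" "certhash=$certHash" "appid=$appId" certstorename=MY clientcertnegotiation=enable
    # Step 6.4: verify the new binding.
    $state = Get-ClientCertNegotiation -IpPort $ipPort
    Write-Host "After re-adding the binding: $state"
}
```

Run the script once after the HTTPS binding from step 4 exists; if the final line does not report Enabled, the thumbprint or application ID did not match an existing certificate, and the netsh add command will have printed the error. Keeping the site at Ignore while the application is at Require matches the note in step 5: the RSOE path through the site needs no certificate, while the SAP Mobile Server client talking to ias_relay_server must present one.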