You can also use client certificates to authenticate users. A client certificate is a digital ID that is passed from the client machine to the server. This ID is "signed" with a digital signature that is verified by a third-party certification authority. This third party is someone you trust to check out users prior to issuing a client certificate.
A digital signature is basically a hash of a message (in this case, the certificate) that is encrypted with the sender's private key. IIS can be configured to ignore, accept, or require client certificates. It's important to understand how each setting changes how IIS responds to client certificates:
Ignore certificates. IIS doesn't care if a user sends his certificate with a request; IIS will simply authenticate the user using another method, such as Challenge/Response.
Accept certificates. If a client certificate is sent, IIS will use this certificate information to authenticate the user. If no certificate is sent, IIS will use another method.
Require certificates. IIS will only fulfill requests from users with valid certificates.
IIS client certificate mapping associates (or maps) client certificate information with Windows NT user accounts. This form of authentication can be very secure and flexible, and most newer browsers support the use of client certificates.
The certificate itself is a special text file that contains two sections: a clear text section (readable by humans) containing the information about the owner, issuer, and so on, and an encrypted section (not readable by humans) that contains the digital signature and public key of the certification authority.
The text file is given the .cer extension so that when you open it, the operating system uses whatever certificate utility it has to view the file. If you open one of these files in Notepad, it will look something like this:
-----BEGIN CERTIFICATE----- CBHcm91cCBDQS5jcmwwRqBEoEKGQGZpbGU6Ly9cXEN FUlRTUlZcQ2VydFNydlxDZXJ0RW5yb2xsXE1TIENl cnRTcnYgVGVzdCBHcm91cCBDQS5jcmwwCQYDVR0TB AIwADBiBggrBgEFBQcBAQRWMFQwUgYIKwYBBQUHMAK GRmh0dHA6Ly9DRVJUU1JWL0NlcnRTcnYvQ2VydEVuc m9sbC9DRVJUU1JWX01TIENlcnRTcnYgVGVzdCBHcm 91cCBDQS5jcnQwDQYJKoZIhvcNAQEEBQADQQAhq70 nRlse0ulPstU+IWdjeNj5p -----END CERTIFICATE-----