DOCUMENT:Q243353 14-JAN-2001 [iis] TITLE :Custom Certificate Mappings Are Not Recognized PRODUCT :Internet Information Server PROD/VER::5.0 OPER/SYS: KEYWORDS: ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Internet Information Services version 5.0 ------------------------------------------------------------------------------- SYMPTOMS ======== In Internet Information Services (IIS) 5.0, when you use client certificate mapping, custom mappings may not be recognized. For example, the Web site stops responding (hangs). CAUSE ===== If you are not using Windows 2000 Active Directory Mapping (for example, client certificates are not mapped to their user accounts in the Windows 2000 active directory), you may have turned on the Windows Directory Service Mapper in error. RESOLUTION ========== To resolve this problem, perform the following steps: 1. Click Start, click Administrative Tools, and then click Internet Services Manager. 2. Right-click the computer name (should be just above the listing of Web and FTP sites), and then click Properties. 3. Click Edit (next to WWW Service). 4. Click the Directory Security tab. 5. Click to uncheck the Enable the Windows Directory Service Mapper check box. (This option is available only at the Master properties level, and only if the server is a member of a Windows 2000 domain.) 6. Click OK, and then click OK again to return to the Internet Services Manager. 7. Right-click the computer name, and then click Restart IIS. MORE INFORMATION ================ If you are using the Windows Directory Service Mapper, you cannot use IIS to create custom certificate mappings for each Web site through the IIS Mapper (for example, enable Client Certificate Mapping on the Directory Security tab). You can only use one or the other. In general, if you want to do one-to-one mappings, and the accounts reside in your domain (or forest), the Windows Mapper can save you time. If you are using many-to-one mappings, or the accounts reside outside your network, the IIS Mapper is the best solution. For more details on the types of certificate mapping available, see the Internet Information Services 5.0 documentation. Additional query words: iis iis5 certsrv 5 ====================================================================== Keywords : Technology : kbiisSearch kbiis500 Version : :5.0 Issue type : kbprb Solution Type : kbpending ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.