httpcfg flags

Ian makes a reasonable point in his comment on my previous entry; the flags to httpcfg are somewhat arcane (which, according to my OED, means 'understood by few, mysterious' ).

 

The flags to httpcfg are actually a bit mask, which according to the information displayed by running httpcfg with no command line arguments, supports the following behaviour;

 

0x00000001 - Use DS Mapper.
0x00000002 - Negotiate Client certificate.
0x00000004 - Do not route to Raw ISAPI filters.

 

We already know what setting bit 2 does; it enables mutual authentication using a client certificate ( I should probably note at this point that it doesn't require mutual authentication ).

 

Setting bit 3 'prevents SSL requests being passed to low-level ISAPI filters', whatever that means… I know what an ISAPI filter is, but it's not clear from the description of the flag whether it stops SSL requests being routed to ISAPI filters, period. Or whether some ISAPI filters are considered more low-level than others and it only stops such routing for really low-level ISAPI filters.

 

Setting bit 1 means that presented client certificates are mapped, where possible, to Windows user accounts. The online help implies that this will only take into account mappings between certs and user accounts defined in Active Directory, but I suspect you may be able to get it to work with local user accounts too. This seems to be akin to configuring IIS Directory Security and under the Secure Communications, Edit… dialog, setting the 'Enable client certificate mapping' and defining some mappings from certs to Windows user accounts. In fact, I suspect that when you do this, the IIS Admin tool calls the same API that httpcfg calls, namely HttpSetServiceConfiguration.

 

By the way, I got most of the information about what httpcfg is up to from looking at the help for HttpSetServiceConfiguration, specifically the HTTP_SET_SERVICE_CONFIG_PARAM structure.