You are not prompted to select a client certificate from the local certificate store in IIS 7.0

Consider the following scenario. In Internet Information Services (IIS) 7.0, you configure a Web application to use Integrated Windows authentication. You also configure the Web application to accept client certificates. You send a client-side HTTP request to the Web application by using Windows Internet Explorer. In this scenario, you are not prompted to select a client certificate from the local certificate store. Instead, you are transparently authenticated, and you can access the Web application.

This behavior also occurs if you configure the Web application to use Basic authentication and to accept client certificates. When you send the client-side HTTP request to the Web application by using Internet Explorer, the Basic authentication dialog box appears.

Note This behavior does not occur in IIS 6.0.

This behavior occurs because of an issue in the <modules> element in the ApplicationHost.config file or in the Web.config file. The CertificateMappingAuthenticationModule module appears after the WindowsAuthenticationModule module. Therefore, Integrated Windows authentication occurs first, and then client certificate authentication does not occur.

To work around this behavior, modify the <modules> element in the ApplicationHost.config file or in the Web.config file so that the CertificateMappingAuthenticationModule module appears before the WindowsAuthenticationModule module. For example, modify the <modules> element to resemble the following.

This behavior is by design.

Every request that IIS 7.0 receives moves through multiple stages in the IIS 7.0 request pipeline. In IIS 7.0, the request processing moves from one stage to the next stage in a fixed sequence. If any of the modules in the <modules> element subscribe to the event for the current stage, IIS 7.0 calls each of these modules one by one before the request processing moves to the next stage.

If multiple modules subscribe to the same event, the module that has the higher priority is called first. The priority of the module is written in the source code of the module. Additionally, the priority of the module is set at the compile time of the module.

If multiple modules subscribe to the same event and have the same priority, the module that appears first in the <modules> element is called first.

The default order of the modules is important to make sure that the modules work correctly. If you change the default order, you may encounter unexpected problems. For example, you may encounter the behavior that is mentioned in the "Symptoms" section.

In summary, the module execution order in IIS 7.0 is as follows:

• A module that subscribes to an earlier event is called before a module that subscribes to a later event.
• Among the modules that subscribe to the same event, a module that has a higher priority is called before a module that has a lower priority.
  
  Note The RQ_SEND_RESPONSE priority order is the opposite of the order of other pipeline notifications. For example, the modules that have the RQ_SEND_RESPONSE priority of LAST are run first. Then, the modules that have the RQ_SEND_RESPONSE priority of LOW are run.
• Among the modules that subscribe to the same event and that have the same priority, the module that appears first in the <modules> element is called first.

Steps to reproduce the behavior

1. Install IIS 7.0.
2. During the installation, install only the CertificateMappingAuthenticationModule module.
   
   Note Do not install the WindowsAuthenticationModule module.
3. After the installation is complete, install the WindowsAuthenticationModule module.
4. Configure the Web application to use Integrated Windows authentication, and then configure the Web application to accept client certificates.
5. Set up Secure Sockets Layer (SSL) on the server computer, and then install a client certificate on the client computer.
6. On the client computer, visit the Web application.
   
   Notice that you are not prompted to select a client certificate.