Article ID: 942034 - View products that this article applies to.
Consider the following scenario. In Internet Information Services (IIS) 7.0, you configure a Web application to use Integrated Windows authentication. You also configure the Web application to accept client certificates. You send a client-side HTTP request to the Web application by using Windows Internet Explorer. In this scenario, you are not prompted to select a client certificate from the local certificate store. Instead, you are transparently authenticated, and you can access the Web application.
This behavior also occurs if you configure the Web application to use Basic authentication and to accept client certificates. When you send the client-side HTTP request to the Web application by using Internet Explorer, the Basic authentication dialog box appears.
Note This behavior does not occur in IIS 6.0.
This behavior occurs because of an issue in the <modules> element in the ApplicationHost.config file or in the Web.config file. The CertificateMappingAuthenticationModule module appears after the WindowsAuthenticationModule module. Therefore, Integrated Windows authentication occurs first, and then client certificate authentication does not occur.
To work around this behavior, modify the <modules> element in the ApplicationHost.config file or in the Web.config file so that the CertificateMappingAuthenticationModule module appears before the WindowsAuthenticationModule module. For example, modify the <modules> element to resemble the following.
Every request that IIS 7.0 receives moves through multiple stages in the IIS 7.0 request pipeline. In IIS 7.0, the request processing moves from one stage to the next stage in a fixed sequence. If any of the modules in the <modules> element subscribe to the event for the current stage, IIS 7.0 calls each of these modules one by one before the request processing moves to the next stage.
If multiple modules subscribe to the same event, the module that has the higher priority is called first. The priority of the module is written in the source code of the module. Additionally, the priority of the module is set at the compile time of the module.
If multiple modules subscribe to the same event and have the same priority, the module that appears first in the <modules> element is called first.
The default order of the modules is important to make sure that the modules work correctly. If you change the default order, you may encounter unexpected problems. For example, you may encounter the behavior that is mentioned in the "Symptoms" section.
In summary, the module execution order in IIS 7.0 is as follows:
Steps to reproduce the behavior