Use this dialog box to create or edit elements of a matching rule. Client certificates can contain identification information, such as company names, localities, or e-mail addresses, formatted into arrangements of fields and subfields. Your Web server can use this identification information to map the user's identity to a Windows user account.

Field names represent general categories of information, such as (Client) Subject and Issuer. For more information about the fields and subfields of a certificate, see the documentation for the certification authority that issued that certificate.

Subfield names represent information specific to each of the general Subject and Issuer categories. The following list describes basic subfields contained in a certificate:

(O) Organization

The top-level organization or company name, preferably International Organization for Standardization (ISO)-registered.

(OU) Organization Unit

A department within a company (for example, Marketing).

(CN) Common Name

The domain name of the server, (for example,

(C) Country/Region

Two-letter ISO country/region designation (for example, US, FR, AU, or UK).

(S) State or Province

The full, unabbreviated name of the state or province (for example, Washington instead of WA or Alberta instead of AB).

(L) Locality

The full name of the city where your company is located (for example, Redmond or Toronto).

Several non-standard subfield categories are supported as well, including the following:

(I) Initials

Initials of the certificate owner.

(GN) Given Name

Given name of the certificate owner.

(T) Title

Title of the certificate owner.


E-mail address of the certificate owner.

Consult a certification authority to obtain updated subfield information.

Match Capitalization

Select to configure IIS to make your rule element case sensitive.

Certificate Field

Click a certificate field element of a matching rule from the list box. Select this element before selecting the other elements in this dialog box.

Sub Field

Click a sub-element of the certificate field of a matching rule from the list box. Select an element from the Certificate Field list box first to view the entire list of valid subfields.


Specify the criteria for matching field and subfield information. For example, if the subfield is "O", the criteria could be "Microsoft" to indicate to which organization the matching rule should correspond. You can use the wildcard character (*) to partially specify the text of your criteria.
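
The following sketch is an added example, not IIS code or part of the original documentation. It models a matching rule as a list of rule elements (certificate field, subfield, criteria, Match Capitalization) and evaluates it against constructed certificates. It assumes that the wildcard (*) matches any run of characters and that every element of a rule must match; the class names, function names, and sample certificates are hypothetical.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class RuleElement:
    field: str               # "Subject" or "Issuer"
    subfield: str            # "O", "OU", "CN", ...
    criteria: str            # literal text; '*' is the only wildcard
    match_caps: bool = True  # the "Match Capitalization" check box

def element_matches(element, cert):
    """True if any value of the chosen subfield satisfies the criteria."""
    # Escape everything except '*', so '.' or '?' in criteria stay literal.
    pattern = ".*".join(re.escape(p) for p in element.criteria.split("*"))
    flags = 0 if element.match_caps else re.IGNORECASE
    values = cert.get(element.field, {}).get(element.subfield, [])
    return any(re.fullmatch(pattern, v, flags) for v in values)

def rule_matches(rule, cert):
    """Assumption: a rule applies only when every element matches."""
    return bool(rule) and all(element_matches(e, cert) for e in rule)

# Constructed sample certificates (already parsed into Subject/Issuer subfields).
CERT_STAFF = {"Subject": {"O": ["Example Corp"], "OU": ["Marketing"]},
              "Issuer": {"O": ["Example Corp"], "CN": ["Example Corp Issuing CA"]}}
CERT_LOWER = {"Subject": {"O": ["example corp"], "OU": ["Marketing"]},
              "Issuer": {"O": ["Example Corp"], "CN": ["Example Corp Issuing CA"]}}
CERT_OTHER_CA = {"Subject": {"O": ["Example Corp"], "OU": ["Marketing"]},
                 "Issuer": {"O": ["Other Org"], "CN": ["Other Org Public CA"]}}

SUBJECT_ONLY = [RuleElement("Subject", "O", "Example*")]
SUBJECT_AND_ISSUER = SUBJECT_ONLY + [
    RuleElement("Issuer", "CN", "Example Corp Issuing CA")]
CASE_INSENSITIVE = [RuleElement("Subject", "O", "Example*", match_caps=False)]

if __name__ == "__main__":
    for name, rule in [("subject only", SUBJECT_ONLY),
                       ("subject + issuer", SUBJECT_AND_ISSUER),
                       ("case-insensitive", CASE_INSENSITIVE)]:
        print(name, [rule_matches(rule, c)
                     for c in (CERT_STAFF, CERT_LOWER, CERT_OTHER_CA)])
```

In this model the subject-only rule also accepts the certificate issued by a different CA; adding an Issuer element narrows the rule to the intended issuer.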

Related Topics

To learn more about certificate mapping and certificates, see the IIS 6.0 online documentation on the Microsoft Windows Server TechCenter.