问题：

[单选]

You are a security administrator for your company. The network consists of a single Active 
Directory domain. All servers run Windows Server 2003. All client computers run Windows 2000 Professional.  
You manage a Windows Server 2003 computer named Server1 that is a domain member server. You use IIS on Server1 to host an Internet Web site. Approximately 4，000 employees of your company connect over the lnternet to access company confidential data on Server1. You control access to data on Server1 by using NTFS file permissions assigned to groups. Different groups are assigned access to different files. Employees must have access only to files that they are assigned access to based on their membership in a group. You enable SSL on Server1 to protect confidential data while it is in transit. You issue each employee an Authenticated Session certificate and store a copy of that certificate with their user account in the Active Directory domain.   
You need to ensure that Server1 authenticates users based on possession of their certificate. 
What should you do？（）

A .  Request a Web server certificate from a commercial certification authority （CA）.
B .  Configure access restrictions based on employee ip address.
C .  Enable Digest authentication for Windows domain servers.
D .  Configure client certificate mapping.