IIS website - only allow users with client cert from our CA. Possi

on 01.02.2006 22:25:29 by frank

At our company, we are trying to implement a solution where only a client
computer we allow can access our IIS website.

I deployed a Windows 2000 Server with Certification Authority (CA) server
installed (Server A). Then went to the Windows 2000 server with our webpage
deployed via IIS (Server B) and requested a Server Cert from our CA (Server
A). Once I got the server Certificate, I applied it to our Webserver (Server
B). I went into IIS Admin and set it so SSL is required and "Require client
Certificates". I tested the page from a client machine (Client A) and I got
an error saying I need a client cert... good, what I wanted.

Now I need a client cert. I went to the CA (Server A) website
(http://server/certsrv) from the client machine (Client A) and requested a
web browser cert. Moved to the CA (Server A) and allowed the client cert by
using the Certification Authority Administrator. Back to the client machine
(Client A) went back to (http://server/certsrv) and saw the issued cert and
installed it on the client machine (Client A).

Now for the test. Browsed from Client A to the web site (Server B) and it
tells me I need a client cert. I clicked on the one I just installed and
bam.. it works like a charm.. great. I revoked the client cert from the CA
(Server A) and published the CRL, and bam, when the client tries to browse to
the site it says their cert has been revoked... perfect.

Now here is where it gets weird. I deleted the revoked client cert from the
client machine (Client A) and installed a Free Thawte Personal Cert
(www.thawte.com). I went to my website (Server B) and now, for my choices of
certs, the only one I see is the Free Thawte Personal Cert. Just to test, I
chose to use the Thawte Cert and it let me in without any errors.. HMMM. Why
is this? Why does IIS allow me to see my website when it doesn't have our
CA's (Server A) client cert? Does the "require client certificates" setting
in IIS mean any client cert from any trusted root? I only have a server
certificate from our CA (Server A) on our website (Server B), no Thawte
server cert.

Am I missing something? I don't understand how to make it so only client
certs from our CA (Server A) are allowed... not a client cert from any root
(Thawte, Verisign, etc). Please HELP! Been scratching my head for a while..
I'm starting to lose my hair.. :)

advTHANKSance

Re: IIS website - only allow users with client cert from our CA. Possi

on 02.02.2006 04:49:22 by Ken Schaefer

The server cert that you installed on ServerB is for server authentication.

Your options (someone may wish to confirm these for me since I'm not 100%
certain):

a) Use the Certificate Manager on ServerB, and remove the 3rd party trusted root
CAs other than your own Win2000 CA.

b) You could map client certs to AD accounts, and then set NTFS permissions
appropriately. That would restrict access to those users who have client
certs that give them appropriate user credentials to access the files
(restricted by NTFS permissions).

Cheers
Ken


Re: IIS website - only allow users with client cert from our CA. Possi

on 02.02.2006 12:03:06 by someone

> Why does IIS allow me to see my website when it doesn't have
> our CA's (Server A) client cert? Does the "require client
> certificates" setting in IIS mean any client cert from any
> trusted root? I only have a server certificate from our CA
> (Server A) on our website (Server B), no Thawte server cert.
>
> Am I missing something? I don't understand how to make it so
> only client certs from our CA (Server A) are allowed... not
> a client cert from any root

IIS supports the behavior you want, but there is no built-in feature to
discriminate SSL users based on the issuer of their client cert.

This sounds like the sort of custom behavior that one should write an ISAPI
to extend IIS behavior to accept/reject requests based on the detected
CERT_ISSUER.

IIS can communicate with SSL as long as it has a Server Cert. "Require
Client Certificates" simply means that the client MUST produce a Client Cert
from any trusted root in order to do SSL with the server. SSL specifications
did not say that the server can discriminate based on parameters such as who
issued the cert; only whether the cert is valid or not; you will have to
implement such custom logic yourself, and IIS supports you in doing that.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//


Re: IIS website - only allow users with client cert from our CA. P

on 16.02.2006 21:49:27 by JoeinValrico

David,

You need to build a Certificate Trust List. Include only the Trusted
Root(s) you wish to permit certificates to be issued from for access to your site.

http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/559bb9d5-0515-4397-83e0-c403c5ed86fe.mspx



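The two checks proposed in this thread, as an added example that is not part of the original posts and is not IIS or Windows code: a chain check against a trust list that holds only our own CA (what Ken's option a and Joe's Certificate Trust List achieve), beside the CERT_ISSUER name comparison David suggests for an ISAPI filter. It is written in Go against constructed certificates: the two CAs, their names ("Our Company CA (Server A)", "Some Public Root CA") and the client certs are generated in the program itself to replay Frank's experiment, and the function names (AllowedByOurCA, IssuerNameIs, RunScenario, makeCert) are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert signs tmpl with parentKey (pass nil to self-sign a root). It panics
// on failure because everything here is constructed test data.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// newCA builds a self-signed CA: a constructed stand-in for "our CA (Server A)"
// or for an unrelated public root such as Thawte.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return makeCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
}

// newClientCert issues a client-authentication ("web browser") certificate from
// the given CA, like the one Frank requested through certsrv.
func newClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, user string) *x509.Certificate {
	cert, _ := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, ca, caKey)
	return cert
}

// AllowedByOurCA is the check the thread is after: the client cert must chain to
// a root in ourRoots (a trust list holding only our CA), not to whatever sits in
// the machine's general trusted-root store, and must be valid for client auth.
func AllowedByOurCA(client *x509.Certificate, ourRoots *x509.CertPool) bool {
	_, err := client.Verify(x509.VerifyOptions{
		Roots:     ourRoots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// IssuerNameIs is the cheaper ISAPI-style filter: compare the issuer DN that IIS
// exposes as CERT_ISSUER. It only means something after the server has already
// validated the chain, because the issuer field is just text the cert carries.
func IssuerNameIs(client *x509.Certificate, wantCN string) bool {
	return client.Issuer.CommonName == wantCN
}

// RunScenario replays the experiment: one client cert from our CA and one from
// an unrelated root, both checked against a trust list that holds our CA only.
func RunScenario() (ourChain, foreignChain, ourIssuer, foreignIssuer bool) {
	const ourName = "Our Company CA (Server A)"
	ourCA, ourKey := newCA(ourName)
	foreignCA, foreignKey := newCA("Some Public Root CA")
	ours := newClientCert(ourCA, ourKey, "Client A")
	foreign := newClientCert(foreignCA, foreignKey, "Client A")

	trustList := x509.NewCertPool() // the CTL: our root and nothing else
	trustList.AddCert(ourCA)

	return AllowedByOurCA(ours, trustList), AllowedByOurCA(foreign, trustList),
		IssuerNameIs(ours, ourName), IssuerNameIs(foreign, ourName)
}

func main() {
	a, b, c, d := RunScenario()
	fmt.Printf("our cert: chain=%v issuer=%v; foreign cert: chain=%v issuer=%v\n", a, c, b, d)
}
```

What Frank saw is the first check run against the whole trusted-root store, which is why a Thawte cert passed: it was valid, just not from the issuer he cared about. Restricting the root pool to our own CA, as the trust list does here, rejects the foreign cert outright, and that is the check to prefer; the issuer-name comparison is only a filter on top of a chain the server has already validated, since any CA can put any name in the issuer field. Revocation is not repeated here because IIS already enforces the CRL, as Frank's revocation test showed.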