Make Client Cert Required in IIS on SBS 2003?
on 03.08.2006 21:56:09 by HughM
Hi,
I've posted this question in the SBS forum several times but nobody seems to
know the answer. My question is specific to security in Small Business
Server 2003, as it applies to RWW (remote web workplace) and related web
sites created in IIS on SBS servers.
IIS creates a default web site and within it a virtual site called Remote
when SBS is installed. This site allows access to the entire SBS domain
(servers, clients, OWA, RWW, etc) with certain security provisions. SBS also
allows the creation of a self-signed certificate and the installation of
that certificate on client computers (and devices). I'm trying to understand
how IIS security works in this configuration so I can require a client
computer to have a self-signed certificate (from the SBS server) already
installed in order to access the Remote Web Workplace (RWW) site from the
Internet.
It appears the security control is embedded in the IIS settings on the SBS
server, under the default web site's \Remote virtual directory. In the
Directory Security properties of \Remote, under the Secure Communications
section there is a list of Client Certificate radio buttons. The 3 options
are: Ignore, Accept or Require client certificates. I cannot get "Require"
to work. There may be much more to it than just this one setting. What
settings are required to limit RWW access to clients with certificates? How
does this "Certificate Required" IIS function work in regular W2k3? Thanks.
Re: Make Client Cert Required in IIS on SBS 2003?
on 04.08.2006 00:08:30 by jeff.nospam
On Thu, 3 Aug 2006 15:56:09 -0400, "HughM" wrote:
>Hi,
>
>I've posted this question in the SBS forum several times but nobody seems to
>know the answer. My question is specific to security in Small Business
>Server 2003, as it applies to RWW (remote web workplace) and related web
>sites created in IIS on SBS servers.
>
>IIS creates a default web site and within it a virtual site called Remote
>when SBS is installed. This site allows access to the entire SBS domain
>(servers, clients, OWA, RWW, etc) with certain security provisions. SBS also
>allows the creation of a self-signed certificate and the installation of
>that certificate on client computers (and devices). I'm trying to understand
>how IIS security works in this configuration so I can require a client
>computer to have a self-signed certificate (from the SBS server) already
>installed in order to access the Remote Web Workplace (RWW) site from the
>Internet.
>
>It appears the security control is embedded in the IIS settings on the SBS
>server, under the default web site's \Remote virtual directory. In the
>Directory Security properties of \Remote, under the Secure Communications
>section there is a list of Client Certificate radio buttons. The 3 options
>are: Ignore, Accept or Require client certificates. I cannot get "Require"
>to work. There may be much more to it than just this one setting. What
>settings are required to limit RWW access to clients with certificates? How
>does this "Certificate Required" IIS function work in regular W2k3? Thanks.
Require Certificate is a function of SSL. You need to configure SSL
for this to work. Not sure if you have, and I'm unfamiliar with the
intricacies of SBS.
Jeff
Re: Make Client Cert Required in IIS on SBS 2003?
on 04.08.2006 11:20:37 by wjzhang
Hi Hugh,
The require client certificate option will only be available after you
enable SSL on the site.
To set up an SSL certificate on the web site, first you should install
Certificate Service to build the server as your Certificate Authority (CA).
Then follow the article below to request and issue the certificate with the IIS
Server Certificate Wizard.
How To: Set Up SSL on a Web Server
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT16.asp
If anything is unclear, please don't hesitate to let me know.
Have a nice weekend.
Best Regards,
WenJun Zhang
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:
http://msdn.microsoft.com/subscriptions/support/default.aspx .
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Re: Make Client Cert Required in IIS on SBS 2003?
on 05.08.2006 02:57:28 by someone
It sounds like you are asking to configure IIS to require Client Certificate
based authentication in order to access the /Remote vdir to limit access to
RWW to only those that have the Client Certificate.
If so, simply:
1. install that Self Signed certificate onto the server
2. right-click Property page of the Website, go to the "Directory Security"
tab, click on the "Server Certificate" button and configure it to use that
certificate. This enables SSL for the website using that Server Certificate
3. right-click Property page of /Remote vdir, go to "Directory Security"
tab, click on "Edit" for secure communications, check "Require secure
channel (SSL)". This automatically enables selection of "Require client
certificates".
IIS functions the same way in all Windows Server 2003 flavors. Just some
features may be disabled/crippled on the Professional SKUs.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"HughM" wrote in message
news:eLg8ebztGHA.1288@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> I've posted this question in the SBS forum several times but nobody seems
> to know the answer. My question is specific to security in Small Business
> Server 2003, as it applies to RWW (remote web workplace) and related web
> sites created in IIS on SBS servers.
>
> IIS creates a default web site and within it a virtual site called Remote
> when SBS is installed. This site allows access to the entire SBS domain
> (servers, clients, OWA, RWW, etc) with certain security provisions. SBS
> also allows the creation of a self-signed certificate and the installation
> of that certificate on client computers (and devices). I'm trying to
> understand how IIS security works in this configuration so I can require a
> client computer to have a self-signed certificate (from the SBS server)
> already installed in order to access the Remote Web Workplace (RWW) site
> from the Internet.
>
> It appears the security control is embedded in the IIS settings on the SBS
> server, under the default web site's \Remote virtual directory. In the
> Directory Security properties of \Remote, under the Secure Communications
> section there is a list of Client Certificate radio buttons. The 3 options
> are: Ignore, Accept or Require client certificates. I cannot get "Require"
> to work. There may be much more to it than just this one setting. What
> settings are required to limit RWW access to clients with certificates?
> How does this "Certificate Required" IIS function work in regular W2k3?
> Thanks.
>
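One way to check whether the settings from the steps above actually enforce client certificates on a path, as an added example that is not part of the original thread. It decodes the IIS 6 metabase property AccessSSLFlags, which stores these dialog choices; the bit values come from the IIS 6 metabase documentation rather than from the posts, and the metabase path in the comment is an assumed location for the Remote vdir.

```python
from enum import IntFlag

# The value can be read on the server with the stock admin script, e.g.
#   cscript adsutil.vbs get w3svc/1/root/Remote/AccessSSLFlags
# (site id 1 and the path are assumptions; adjust to the actual site).

class AccessSSLFlags(IntFlag):
    """Bits of the IIS 6 metabase property AccessSSLFlags."""
    AccessSSL = 0x008               # "Require secure channel (SSL)"
    AccessSSLNegotiateCert = 0x020  # server asks the client for a certificate
    AccessSSLRequireCert = 0x040    # request is refused when none is presented
    AccessSSLMapCert = 0x080        # map client certificates to Windows accounts
    AccessSSL128 = 0x100            # "Require 128-bit encryption"

F = AccessSSLFlags

def client_cert_mode(value):
    """Return the radio button (Ignore/Accept/Require) this value encodes."""
    if value & F.AccessSSLRequireCert:
        return "Require"
    if value & F.AccessSSLNegotiateCert:
        return "Accept"
    return "Ignore"

def audit(value):
    """Return (mode, findings); no findings means certificates are enforced."""
    mode, findings = client_cert_mode(value), []
    if not value & F.AccessSSL:
        findings.append("SSL is not required on this path, so requests over "
                        "plain HTTP never reach a certificate check")
    if mode != "Require":
        findings.append(f"client certificate mode is {mode}: requests "
                        "without a certificate are still served")
    elif not value & F.AccessSSLNegotiateCert:
        findings.append("AccessSSLRequireCert is set without "
                        "AccessSSLNegotiateCert, which it depends on")
    return mode, findings

def enforced(value):
    """True only when SSL and a client certificate are both mandatory."""
    return not audit(value)[1]

if __name__ == "__main__":
    # Constructed sample values, not taken from any real server.
    for value in (8, 40, 64, 104):
        mode, findings = audit(value)
        print(value, mode, findings or "enforced")
```

The value is inherited down the metabase tree, so the check is worth running on the vdir itself and on any child paths that override it.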
Re: Make Client Cert Required in IIS on SBS 2003?
on 09.08.2006 17:16:17 by wjzhang
Hi Hugh,
Just want to check if you've resolved the problem per these suggestions?
Best Regards,
WenJun Zhang
Microsoft Online Community Support
Re: Make Client Cert Required in IIS on SBS 2003?
on 19.08.2006 05:25:51 by HughM
WenJun,
My first problem is that Certificate Services is not installed on SBS 2003
servers and I've been advised on the SBS newsgroup not to install it! With
SSL enabled I am able to select the "certificate required" radio button but
it seems to have no effect (i.e. it does not require certificates). I have
an SBS server running in virtual mode (in addition to the "real" one) and
next week I will try to install certificate services on it and see what
happens. Thanks.
Hugh
_________________________________________________________
""WenJun Zhang[msft]"" wrote in message
news:qXlkKb8uGHA.492@TK2MSFTNGXA01.phx.gbl...
> Hi Hugh,
>
> Just want to check if you've resolved the problem per these suggestions?
>
> Best Regards,
>
> WenJun Zhang
>
> Microsoft Online Community Support
Re: Make Client Cert Required in IIS on SBS 2003?
on 22.08.2006 17:13:23 by wjzhang
Hi Hugh,
If you have concerns about installing certificate service on the SBS server, you
can build the CA on a member server of the domain.
I'll wait for the update from you. Have a nice week.
Sincerely,
WenJun Zhang
Microsoft Online Community Support