Is it possible to force IIS to accept any certificate?
On 15.08.2007 17:01:45 by Stanko Milosev
Hello,
I am trying to configure IIS to accept any certificate, from anyone, is that
possible?
TIA!
Stanko.
why would you want to do this?
"Stanko Milosev"
news:OvRH0003HHA.3684@TK2MSFTNGP02.phx.gbl...
> Hello,
>
> I am trying to configure IIS to accept any certificate, from anyone, is
> that possible?
>
> TIA!
> Stanko.
>
We want to make a web site with PHP, so that if a user has a certificate, then,
for example, we give this user a welcome screen, but if he doesn't have a
certificate we give him a login screen.
I have found that with the _SERVER["CERT_SERIALNUMBER"] variable I can get the
client certificate serial number, but only if the IIS server accepted the user
certificate...
"Consultant"
news:unhfGL33HHA.5360@TK2MSFTNGP03.phx.gbl...
> why would you want to do this?
>
> "Stanko Milosev"
> news:OvRH0003HHA.3684@TK2MSFTNGP02.phx.gbl...
>> Hello,
>>
>> I am trying to configure IIS to accept any certificate, from anyone, is
>> that possible?
>>
>> TIA!
>> Stanko.
>>
>
>
Your authentication protocol is not possible to implement in the
smooth fashion that you imagine, especially if you plan to use generic
browsers like IE/Firefox/Opera or generic servers like Apache/IIS/
Java.
With SSL, IIS supports ignoring, accepting, or requiring a client
certificate. With the latter two options, IIS certainly supports
accepting any certificate from anyone. The question is whether you can
*compel* the user to send the certificate when it is optional.
If you don't force the user to send the certificate, then you'll never
get the logic of "certificate first, then fallback to login screen".
If you DO force the user to send the certificate, no web server will
allow a "fallback to login screen". Why? Because that is a custom
authentication scheme unsupported by standards. SSL Client Certificate
protocol never says it works like what you dream.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
On Aug 16, 12:02 am, "Stanko Milosev"
> We want to make a web site with PHP, so that if a user has a certificate, then,
> for example, we give this user a welcome screen, but if he doesn't have a
> certificate we give him a login screen.
>
> I have found that with the _SERVER["CERT_SERIALNUMBER"] variable I can get the
> client certificate serial number, but only if the IIS server accepted the user
> certificate...
>
> "Consultant"
>
> news:unhfGL33HHA.5360@TK2MSFTNGP03.phx.gbl...
>
>
>
> > why would you want to do this?
>
> > "Stanko Milosev"
> >news:OvRH0003HHA.3684@TK2MSFTNGP02.phx.gbl...
> >> Hello,
>
> >> I am trying to configure IIS to accept any certificate, from anyone, is
> >> that possible?
>
> >> TIA!
> >> Stanko.
Thank you David, for your help.
I am just searching for a way to solve my task.
Is there any way at all that we can accept client certificates? We are trying
to find a way to allow our users to log on to our site with their
certificate, but we don't want to force them to get a new certificate, since
we already started a PKI system for signing and encrypting XML documents, and
our users already have some certificates; now we don't want to force them to
get another one.
Stanko.
"David Wang"
news:1187252080.373084.162030@q4g2000prc.googlegroups.com...
> Your authentication protocol is not possible to implement in the
> smooth fashion that you imagine, especially if you plan to use generic
> browsers like IE/Firefox/Opera or generic servers like Apache/IIS/
> Java.
>
> With SSL, IIS supports ignoring, accepting, or requiring a client
> certificate. With the latter two options, IIS certainly supports
> accepting any certificate from anyone. The question is whether you can
> *compel* the user to send the certificate when it is optional.
>
> If you don't force the user to send the certificate, then you'll never
> get the logic of "certificate first, then fallback to login screen".
> If you DO force the user to send the certificate, no web server will
> allow a "fallback to login screen". Why? Because that is a custom
> authentication scheme unsupported by standards. SSL Client Certificate
> protocol never says it works like what you dream.
>
>
> //David
> http://w3-4u.blogspot.com
> http://blogs.msdn.com/David.Wang
> //
>
>
>
>
>
> On Aug 16, 12:02 am, "Stanko Milosev"
>> We want to make a web site with PHP, so that if a user has a certificate,
>> then,
>> for example, we give this user a welcome screen, but if he doesn't have a
>> certificate we give him a login screen.
>>
>> I have found that with the _SERVER["CERT_SERIALNUMBER"] variable I can get the
>> client certificate serial number, but only if the IIS server accepted the user
>> certificate...
>>
>> "Consultant"
>>
>> news:unhfGL33HHA.5360@TK2MSFTNGP03.phx.gbl...
>>
>>
>>
>> > why would you want to do this?
>>
>> > "Stanko Milosev"
>> >news:OvRH0003HHA.3684@TK2MSFTNGP02.phx.gbl...
>> >> Hello,
>>
>> >> I am trying to configure IIS to accept any certificate, from anyone,
>> >> is
>> >> that possible?
>>
>> >> TIA!
>> >> Stanko.
>
>
I am sorry,
I don't understand this:
> With SSL, IIS supports ignoring, accepting, or requiring a client
> certificate. With the latter two options, IIS certainly supports
> accepting any certificate from anyone.
As far as I know, I must follow the certificate chain? Does this mean that IIS will
not accept a certificate which is not followed by a certificate from the server?
Obviously, I have little knowledge about IIS SSL; can you please recommend
a book about it to me?
Thank you again,
Stanko
On Aug 16, 2:44 am, "Stanko Milosev"
> I am sorry,
>
> I don't understand this:
>
> > With SSL, IIS supports ignoring, accepting, or requiring a client
> > certificate. With the latter two options, IIS certainly supports
> > accepting any certificate from anyone.
>
> As far as I know, I must follow the certificate chain? Does this mean that IIS will
> not accept a certificate which is not followed by a certificate from the server?
>
> Obviously, I have little knowledge about IIS SSL; can you please recommend
> a book about it to me?
>
> Thank you again,
> Stanko
I think your problem is a PKI key distribution/management problem, not an
IIS/SSL problem.
You want an authentication protocol that is not supported by all web
browsers and web servers without writing custom software. And you want
that protocol because you don't want users to get a second
certificate. That sounds like the wrong solution to the PKI
certificate distribution problem.
At my company, certificate distribution is automatic and it just
works. IIS requires certificates all the time, and the client
automatically chooses the correct one out of all the distributed
certificates to me.
//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
Actually, I think the problem here is that:
a) As part of the SSL/TLS handshake, the server indicates that it can accept a
client certificate. It presents a list of trusted CAs to the client.
b) the client automatically selects an appropriate certificate *if* there is
a single certificate that is issued by one of the trusted CAs. If there are
multiple client auth certificates from multiple trusted CAs, then the user
is prompted to choose which certificate to present to the server
c) Your problem is that IIS doesn't trust certs from every CA in the world.
If your partners have their own CAs, you need to install the root CA certs
into IIS.
Cheers
Ken
"Stanko Milosev"
news:u7N0Eo%233HHA.5724@TK2MSFTNGP05.phx.gbl...
>I am sorry,
>
> I don't understand this:
>
>> With SSL, IIS supports ignoring, accepting, or requiring a client
>> certificate. With the latter two options, IIS certainly supports
>> accepting any certificate from anyone.
>
> As far as I know, I must follow the certificate chain? Does this mean that IIS
> will not accept a certificate which is not followed by a certificate from
> the server?
>
> Obviously, I have little knowledge about IIS SSL; can you please recommend
> a book about it to me?
>
> Thank you again,
> Stanko
>
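The welcome-or-login decision Stanko describes, combined with the CA-trust check Ken raises in point c), as an added example that is not code from the thread. It is written in Python rather than the site's PHP, and it assumes the IIS CERT_FLAGS bit meanings noted in the comments, a CERT_SERIALNUMBER hex string with byte separators, and constructed issuer and account data.

```python
# Added example, not code from the thread: the "welcome screen or login screen"
# decision, modelled over the CERT_* server variables that IIS exposes to the
# application when client certificates are set to "accept" (optional).
# Assumptions: CERT_FLAGS bit 0 = a certificate was presented, bit 1 = its
# issuer is not in the server's trusted-CA store; CERT_SERIALNUMBER is a hex
# string with byte separators; issuer name and account table are constructed.

CERT_PRESENT = 0x1           # CERT_FLAGS bit 0
CERT_ISSUER_UNTRUSTED = 0x2  # CERT_FLAGS bit 1 (Ken's point c: CA not installed)

# Constructed: the CA the site deliberately accepts for logins.
EXAMPLE_ISSUER = "C=DE, O=Example PKI, CN=Example Document Signing CA"
# Constructed: accounts keyed by (issuer, serial). A serial number is only
# unique within one CA, so never key an account on the serial alone.
USERS_BY_CERT = {(EXAMPLE_ISSUER, "1A2B3C"): "stanko"}


def parse_cert_flags(raw):
    """IIS stores CERT_FLAGS as a decimal string; missing or malformed -> 0."""
    try:
        return int(raw or "0")
    except ValueError:
        return 0


def normalise_serial(raw):
    """Strip byte separators and case so lookups do not depend on formatting."""
    return "".join(ch for ch in (raw or "") if ch.isalnum()).upper()


def decide(server_vars):
    """Return ("welcome", user) only for a presented, chain-trusted certificate
    from an issuer the site uses for logins that is bound to a known account;
    every other case returns ("login", None), the password-form fallback."""
    flags = parse_cert_flags(server_vars.get("CERT_FLAGS"))
    if not flags & CERT_PRESENT:
        return ("login", None)   # browser sent no certificate (optional mode)
    if flags & CERT_ISSUER_UNTRUSTED:
        return ("login", None)   # IIS could not anchor the chain: treat as absent
    issuer = server_vars.get("CERT_ISSUER", "")
    serial = normalise_serial(server_vars.get("CERT_SERIALNUMBER"))
    user = USERS_BY_CERT.get((issuer, serial))
    if user is None:
        return ("login", None)   # trusted cert, but not one bound to an account
    return ("welcome", user)
```

The same four checks apply whatever language the site is written in; the point is that the presence of CERT_SERIALNUMBER alone is not proof of anything until IIS has anchored the chain to a CA you installed and the certificate maps to an account you issued.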