Re: IIS website - only allow users with client cert from our CA. Possi



> Why does IIS allow me to see my website when it doesn't have
> our CA's (Server A) client cert? Does the "require client
> certificates" setting in IIS mean any client cert from any
> trusted root? I only have a server certificate from our CA
> (Server A) on our website (Server B), no Thawte server cert.
>
> Am I missing something? I don't understand how to make it so
> only client certs from our CA (Server A) are allowed... not
> a client cert from any root

IIS supports the behavior you want, but there is no built-in feature to
discriminate SSL users based on the issuer of their client cert.

This sounds like the sort of custom behavior that one should write an ISAPI
to extend IIS behavior to accept/reject requests based on the detected
CERT_ISSUER.

IIS can communicate with SSL as long as it has a Server Cert. "Require
Client Certificates" simply means that the client MUST produce a Client Cert
from any trusted root in order to do SSL with the server. SSL specifications
did not say that the server can discriminate based on parameters such as who
issued the cert; only whether the cert is valid or not; you will have to
implement such custom logic yourself, and IIS supports you in doing that.

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"Frank" <Frank@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4DDF4830-7E8F-411D-936A-0C58077F4305@xxxxxxxxxxxxxxxx
> At our company, we are trying to implement a solution where only a client
> computer we allow can access our IIS website.
>
> I deployed a Windows 2000 Server with Certification Authority (CA) server
> installed (Server A). Then went to the Windows 2000 server with our webpage
> deployed via IIS (Server B) and requested a Server Cert from our CA (Server
> A). Once I got the server Certificate, I applied it to our Webserver (Server
> B). I went into IIS Admin and set it so SSL is required and "Require client
> Certificates". I tested the page from a client machine (Client A) and I got
> an error saying need a client cert... good, what I wanted.
>
> Now I need a client cert. I went to the CA (Server A) website
> (http://server/certsrv) from the client machine (Client A) and requested a
> web browser cert. Moved to the CA (Server A) and allowed the client cert by
> using the Certification Authority Administrator. Back on the client machine
> (Client A), went back to (http://server/certsrv), saw the issued cert and
> installed it on the client machine (Client A).
>
> Now for the test. Browsed from Client A to the web site (Server B) and it
> tells me I need a client cert. I clicked on the one I just installed and
> bam.. it works like a charm.. great. I revoked the client cert from the CA
> (Server A) and published the CRL, and bam, when the client tries to browse to
> the site it says their cert has been revoked... perfect.
>
> Now here is where it gets weird. I deleted the revoked client cert from the
> client machine (Client A) and installed a Free Thawte Personal Cert
> (www.thawte.com). I went to my website (Server B) and now, for my choices of
> certs, the only one I see is the Free Thawte Personal Cert. Just to test, I
> chose to use the Thawte Cert and it let me in without any errors.. HMMM. Why
> is this? Why does IIS allow me to see my website when it doesn't have our
> CA's (Server A) client cert? Does the "require client certificates" setting
> in IIS mean any client cert from any trusted root? I only have a server
> certificate from our CA (Server A) on our website (Server B), no Thawte
> server cert.
>
> Am I missing something? I don't understand how to make it so only client
> certs from our CA (Server A) are allowed... not a client cert from any root
> (Thawte, Verisign, etc). Please HELP! Been scratching my head for a while..
> I'm starting to lose my hair.. :)
>
> advTHANKSance
>
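
As an added example (not code from the original thread, from David Wang, or from IIS itself), here is the issuer check such a filter would perform, written in portable C so it can be compiled and tried anywhere. It takes the string an ISAPI filter would read from the CERT_ISSUER server variable, splits it into RDNs, normalizes case and whitespace, and allows the request only when the issuer matches one of the allow-listed DNs; a missing or unparseable issuer is rejected. The allow-listed DN `CN=Corp Issuing CA, O=Example Corp, C=US` and the sample inputs are constructed for this example, and the Windows-specific glue (calling `GetServerVariable` for `CERT_ISSUER` from the filter callback and answering 403 when the check fails) is left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RDNS    16
#define MAX_RDN_LEN 128

/* A parsed distinguished name: a small set of normalized "type=value" RDNs. */
typedef struct {
    char rdn[MAX_RDNS][MAX_RDN_LEN];
    int  count;
} dn_t;

/* Hypothetical allow-list (constructed for this example): the issuer DN of
 * the company CA, "Server A" in the thread. Any other issuer is rejected. */
static const char *const ALLOWED_ISSUERS[] = {
    "CN=Corp Issuing CA, O=Example Corp, C=US",
};

/* Normalize one RDN for comparison: trim, drop spaces around '=', collapse
 * runs of whitespace inside the value to one space, lowercase everything.
 * Returns 0 on success, -1 if the piece is empty or is not "type=value". */
static int normalize_rdn(const char *s, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    int saw_eq = 0, pending_space = 0;

    while (len && isspace((unsigned char)s[len - 1])) len--;      /* rtrim */
    while (len && isspace((unsigned char)*s)) { s++; len--; }     /* ltrim */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (isspace(c)) { pending_space = 1; continue; }
        if (c == '=') {
            saw_eq++;                       /* spaces before '=' are dropped */
        } else if (pending_space && o && out[o - 1] != '=') {
            if (o + 1 >= outsz) return -1;  /* spaces after '=' are dropped */
            out[o++] = ' ';
        }
        pending_space = 0;
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)tolower(c);
    }
    out[o] = '\0';
    return (o > 0 && saw_eq == 1 && out[0] != '=' && out[o - 1] != '=') ? 0 : -1;
}

/* Split a DN string on unescaped commas into normalized RDNs. */
static int parse_dn(const char *dn, dn_t *out)
{
    out->count = 0;
    if (!dn || !*dn) return -1;
    const char *start = dn;
    for (const char *p = dn; ; p++) {
        if (*p == '\\' && p[1]) { p++; continue; }      /* keep "\," literal */
        if (*p == ',' || *p == '\0') {
            if (out->count >= MAX_RDNS) return -1;
            if (normalize_rdn(start, (size_t)(p - start),
                              out->rdn[out->count], MAX_RDN_LEN) != 0)
                return -1;
            out->count++;
            if (*p == '\0') break;
            start = p + 1;
        }
    }
    return 0;
}

static int cmp_rdn(const void *a, const void *b)
{
    return strcmp((const char *)a, (const char *)b);
}

/* Compare two DNs as sets of RDNs: CryptoAPI and OpenSSL render the same DN
 * in opposite order, so order is deliberately ignored. Sorts both in place. */
static int dn_equal(dn_t *a, dn_t *b)
{
    if (a->count != b->count) return 0;
    qsort(a->rdn, (size_t)a->count, MAX_RDN_LEN, cmp_rdn);
    qsort(b->rdn, (size_t)b->count, MAX_RDN_LEN, cmp_rdn);
    for (int i = 0; i < a->count; i++)
        if (strcmp(a->rdn[i], b->rdn[i]) != 0) return 0;
    return 1;
}

/* The check the filter would run on the CERT_ISSUER value: 1 = allow, 0 = reject. */
int issuer_allowed(const char *cert_issuer)
{
    dn_t got, want;
    if (parse_dn(cert_issuer, &got) != 0) return 0;   /* absent/garbled: reject */
    for (size_t i = 0; i < sizeof ALLOWED_ISSUERS / sizeof *ALLOWED_ISSUERS; i++)
        if (parse_dn(ALLOWED_ISSUERS[i], &want) == 0 && dn_equal(&got, &want))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample issuers, including a reordered/respaced rendering
     * of the company CA and a third-party CA of the kind the post describes. */
    const char *samples[] = {
        "CN=Corp Issuing CA, O=Example Corp, C=US",
        "c=us,  o=example corp, cn=Corp Issuing CA",
        "CN=Thawte Personal Freemail CA, O=Thawte Consulting, C=ZA",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-60s -> %s\n", samples[i],
               issuer_allowed(samples[i]) ? "allow" : "reject");
    return 0;
}
```

Attribute types and values are compared case-insensitively, which matches how the common DirectoryString attributes are matched, and a trailing or empty RDN makes the whole string fail closed. Two caveats a practitioner would add: a rendered DN is a weak identity for a CA (nothing stops another CA from carrying the same subject name), so a stricter filter compares the issuing certificate itself, for example by thumbprint; and by the time the filter runs the SSL handshake has already succeeded, so the server's trusted root store still decides which client certs get this far at all.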
