Re: IIS website - only allow users with client cert from our CA. P
- From: "Joe in Valrico" <JoeinValrico@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 16 Feb 2006 12:49:27 -0800
David,
You need to build a Certificate Trust List. Include only the Trusted
Root(s) you wish to permit certificates issued from for access to your site.
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/559bb9d5-0515-4397-83e0-c403c5ed86fe.mspx
"David Wang [Msft]" wrote:
Why does IIS allow me to see my website when it doesn't have our CA's (Server A) client cert? Does the "require client certificates" setting in IIS mean any client cert from any trusted root? I only have a server certificate from our CA (Server A) on our website (Server B), no Thawte server cert. Am I missing something? I don't understand how to make it so only client certs from our CA (Server A) are allowed... not a client cert from any root
IIS supports the behavior you want, but there is no built-in feature to discriminate SSL users based on the issuer of their client cert. This sounds like the sort of custom behavior for which one should write an ISAPI to extend IIS behavior to accept/reject requests based on the detected CERT_ISSUER.

IIS can communicate with SSL as long as it has a Server Cert. "Require Client Certificates" simply means that the client MUST produce a Client Cert from any trusted root in order to do SSL with the server. SSL specifications did not say that the server can discriminate based on parameters such as who issued the cert, only whether the cert is valid or not; you will have to implement such custom logic yourself, and IIS supports you in doing that.
--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Frank" <Frank@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4DDF4830-7E8F-411D-936A-0C58077F4305@xxxxxxxxxxxxxxxx
At our company, we are trying to implement a solution where only a client computer we allow can access our IIS website.

I deployed a Windows 2000 Server with Certification Authority (CA) server installed (Server A). Then went to the Windows 2000 server with our webpage deployed via IIS (Server B) and requested a Server Cert from our CA (Server A). Once I got the server Certificate, I applied it to our Webserver (Server B). I went into IIS Admin and set it so SSL is required and "Require client Certificates". I tested the page from a client machine (Client A) and I got an error saying need a client cert... good, what I wanted.

Now I need a client cert. I went to the CA (Server A) website (http://server/certsrv) from the client machine (Client A) and requested a web browser cert. Moved to the CA (Server A) and allowed the client cert by using the Certification Authority Administrator. Back to the client machine (Client A), went back to (http://server/certsrv) and saw the issued cert and installed it on the client machine (Client A).

Now for the test. Browsed from Client A to the web site (Server B) and it tells me I need a client cert. I clicked on the one I just installed and bam.. it works like a charm.. great. I revoked the client cert from the CA (Server A) and published the CRL, and bam, when the client tries to browse to the site it says their cert has been revoked... perfect.

Now here is where it gets weird. I deleted the revoked client cert from the client machine (Client A) and installed a Free Thawte Personal Cert (www.thawte.com). I went to my website (Server B) and now for my choices of certs, the only one I see is the Free Thawte Personal Cert. Just to test, I chose to use the Thawte Cert and it let me in without any errors.. HMMM. Why is this? Why does IIS allow me to see my website when it doesn't have our CA's (Server A) client cert? Does the "require client certificates" setting in IIS mean any client cert from any trusted root? I only have a server certificate from our CA (Server A) on our website (Server B), no Thawte server cert.

Am I missing something? I don't understand how to make it so only client certs from our CA (Server A) are allowed... not a client cert from any root (Thawte, Verisign, etc). Please HELP! Been scratching my head for a while.. I'm starting to lose my hair.. :)

advTHANKSance
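The decision logic David describes above, written out as an added example (this is not code from the thread, from Microsoft, or from an actual ISAPI filter): the issuer of the presented client certificate, as IIS exposes it in the CERT_ISSUER server variable, is compared against an allow-list holding only our own CA (Server A), and everything else is rejected. The ISAPI plumbing itself (HTTP_FILTER_CONTEXT, GetServerVariable, returning a 403) is Windows-only and is left out; the code below is the portable part. It assumes CERT_ISSUER is a comma-separated DN string such as `C=US, O=Example Corp, CN=Example Corp Issuing CA`; the CA names, the `issuer_allowed` function and the sample strings are constructed for illustration.

```c
/* Added example: accept/reject a client cert by its issuer DN, the check an
 * ISAPI filter would run on the CERT_ISSUER server variable. Portable C; the
 * Windows ISAPI calls that fetch the variable are assumed, not shown. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_RDNS  16
#define MAX_FIELD 128

struct rdn { char type[MAX_FIELD]; char value[MAX_FIELD]; }; /* e.g. O=Example Corp */
struct dn  { size_t count; struct rdn parts[MAX_RDNS]; };

/* Copy [start, end) into dst without surrounding blanks or enclosing quotes.
   Returns 0, or -1 if the result would be empty or too long. */
static int copy_trimmed(const char *start, const char *end, char *dst, size_t cap)
{
    while (start < end && (*start == ' ' || *start == '\t')) start++;
    while (end > start && (end[-1] == ' ' || end[-1] == '\t')) end--;
    if (end - start >= 2 && *start == '"' && end[-1] == '"') { start++; end--; }
    size_t len = (size_t)(end - start);
    if (len == 0 || len >= cap) return -1;
    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Parse one "TYPE=value" component; the attribute type is upper-cased so
   "cn=" and "CN=" compare equal, the value is compared exactly. */
static int parse_rdn(const char *start, const char *end, struct rdn *out)
{
    const char *eq = memchr(start, '=', (size_t)(end - start));
    if (eq == NULL) return -1;
    if (copy_trimmed(start, eq, out->type, sizeof out->type) != 0) return -1;
    for (char *p = out->type; *p; p++) *p = (char)toupper((unsigned char)*p);
    return copy_trimmed(eq + 1, end, out->value, sizeof out->value);
}

/* Split a DN string on commas that are not inside double quotes
   (a quoted value may itself contain a comma, e.g. CN="Example, Inc. CA"). */
static int parse_dn(const char *text, struct dn *out)
{
    const char *p = text, *start = text;
    int quoted = 0;
    out->count = 0;
    for (;; p++) {
        if (*p == '"') quoted = !quoted;
        if ((*p == ',' && !quoted) || *p == '\0') {
            if (out->count == MAX_RDNS) return -1;
            if (parse_rdn(start, p, &out->parts[out->count]) != 0) return -1;
            out->count++;
            if (*p == '\0') return 0;
            start = p + 1;
        }
    }
}

/* Two DNs match only if every component matches in order. */
static int dn_equal(const struct dn *a, const struct dn *b)
{
    if (a->count != b->count) return 0;
    for (size_t i = 0; i < a->count; i++)
        if (strcmp(a->parts[i].type, b->parts[i].type) != 0 ||
            strcmp(a->parts[i].value, b->parts[i].value) != 0)
            return 0;
    return 1;
}

/* 1 = serve the request, 0 = reject. An empty, missing or unparsable issuer
   is rejected, so the filter fails closed. */
int issuer_allowed(const char *cert_issuer, const char *const *allowed, size_t n_allowed)
{
    struct dn presented, trusted;
    if (cert_issuer == NULL || parse_dn(cert_issuer, &presented) != 0) return 0;
    for (size_t i = 0; i < n_allowed; i++)
        if (parse_dn(allowed[i], &trusted) == 0 && dn_equal(&presented, &trusted))
            return 1;
    return 0;
}

/* Constructed allow-list: the issuer DN of our own CA (Server A). */
const char *const OUR_CAS[] = { "C=US, O=Example Corp, CN=Example Corp Issuing CA" };

int main(void)
{
    /* Constructed CERT_ISSUER values as a filter might see them. */
    const char *samples[] = {
        "C=US, O=Example Corp, CN=Example Corp Issuing CA",          /* our CA: allow */
        "C=US,O=Example Corp,cn=Example Corp Issuing CA",            /* same DN, other spacing: allow */
        "C=ZA, O=Thawte Consulting, CN=Thawte Personal Freemail CA", /* public CA: reject */
        "",                                                          /* nothing presented: reject */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-60s -> %s\n", samples[i],
               issuer_allowed(samples[i], OUR_CAS, 1) ? "allow" : "reject");
    return 0;
}
```

The comparison is an exact match on the issuer values, so the allow-list entry must be written exactly as IIS presents it; logging CERT_ISSUER for one known-good cert from Server A before enabling the filter is the simplest way to get it right. The check is only meaningful because, as David notes, IIS has already validated the client cert against a trusted root: this code narrows "any trusted root" down to our CA, it does not replace chain validation.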