[LONG] Differences between SSL client authentication - Win2K/IIS5 vs. Win2K3/IIS6
From: Ohaya (ohaya_at_NO_SPAM.cox.net)
Date: 11/01/03
- Previous message: Ying-Shen Yu[MSFT]: "RE: Weird NTFS ACE inheritance issues on WinXP"
- Next in thread: Ohaya: "Re: [LONG] Differences between SSL client authentication - Win2K/IIS5 vs. Win2K3/IIS6"
- Reply: Ohaya: "Re: [LONG] Differences between SSL client authentication - Win2K/IIS5 vs. Win2K3/IIS6"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sat, 01 Nov 2003 12:01:30 -0500
Hi,
[Apologies again for the cross-post, as I think that some questions
overlap NG coverages.]
Background
==========
I've been testing with SSL client authentication scenarios with both
Win2K/IIS5 and Win2K3/IIS6. Most recently, this work has been with
Win2K/IIS5, as that is the production environment we'll be in, but I
also know that we'll be moving to Win2K3/IIS6 at some point in the
future.
The thrust of my work is to "characterize the behavior" of IIS wrt SSL
with client authentication using PKI certificates, and I am doing this
so that I can advise our people when it comes to configuration, etc.
The production environment that we are working in is that the certificates
(CA, server and client) will be issued by a 3rd party CA, where the
3rd-party CA is a sub-CA of another root CA. In addition, for initial
testing, I am, in some cases, using my own CA, using MS Cert Server
configured as Standalone CA.
The test environment consists of a Windows Server machine, and I have a
mix of Win2K Pro and WinXP client machines.
For the server, I have installed Windows 2000 Advanced Server, and also
Win2K3 Server, both configured approximately the same way (Win2X Server,
AD, and MS Cert Server-Standalone). The baseline images were done
immediately after installation of Win2X Server, AD, and Cert Server, and
latest updates.
In order to allow me to test the two server environments, after
installing the baseline server, I've imaged the system partition. This
allows me to switch between the two O/S's by simply restoring the
appropriate baseline image to my C: partition.
Problem
=======
I initially did the bulk of my testing using the Win2K3 Server baseline,
but then I switched to, and began focussing on, the Win2K Server
baseline, because originally it was thought that we'd be going with
Win2K3 Server initially, but when the final decision was made, it was to
go with Win2K Server. I wasn't directly involved in this decision, but
the main reason for it was that Win2K3 Server has not been "certified"
by our organization, from a security standpoint yet. As you'll see in
the following, I am very glad they made this decision. In any event,
after completing most of my work with Win2K Server, I also went back and
re-visited Win2K3 Server (since I still expect them to transition to
Win2K3 Server at some point, and I don't want to be surprised when that
happens.)
In my testing of Win2K Server/IIS5 wrt SSL client authentication with
client certs, other than a possible problem that I reported earlier on
these NGs (which is BTW still not resolved IMO), I've found it to be
relatively "predictable". MS has tons of information on this, but I've
also had to figure out some of it myself, but at least things seem to
work the same way most of the time.
In the Win2K/IIS5 environment, the most "vexing" area that I found with
respect to IIS and SSL with client authentication was behavior wrt the
server CertificateRequest message in the SSL handshake protocol (as I
indicated, I think that there is still at least one problem with this),
but this behavior is at least consistent (it works the same time every
time).
However, I have been almost totally frustrated in testing this same
behavior in the Win2K3/IIS6 environment.
Mainly, Win2K3/IIS6 seems to take a completely different approach to how
it decides what goes into the "acceptable CA" list in the server
CertificateRequest message.
Specifically, whereas in Win2K/IIS5 it appears that (except for one
case) you can definitively control which CAs appear in the acceptable CA
list by controlling the state of "Client Authentication" purpose in the
root CA certs, Win2K3/IIS6 appears to "almost always" include all of the
CAs in the Trusted Root store, regardless of the state of the "Client
Authentication" purpose in the root CA certs.
Win2K3/IIS6 *will* then not validate client certs issued by CAs whose
root CA certs have the Client Authentication purpose disabled.
The difference here is that, from the client/user's standpoint, with
Win2K/IIS5 server, they will only see the client certs from the trusted
CAs whose Client Authentication purpose is enabled, whereas with
Win2K3/IIS6 server, they will see the client certs from ALL CAs in the
Trusted Root store regardless of the setting of the Client
Authentication purpose in the root CA cert.
For example, on one of my test client machines, I have client certs
from my 3rd-party CA, Globalsign, Thawte, and my own CA.
When I connect to Win2K/IIS5, I can control which of these certs appear
in the IE popup window when I connect to the server by
enabling/disabling the Client Authentication purpose in the respective
root CA certs on the server. This behavior works every time (except for
the one bug/exception mentioned above and in my other post).
On the other hand, when I use this same test client machine to connect
to Win2K3/IIS6, regardless of how I have the Client Authentication
purpose set on the root CA certs on the server, (almost always) all of
the client certs from all of these CAs appear.
In the above, (and this is the probably the thing that frustrates me the
most) I say "almost always", because in my testing with Win2K3/IIS6,
I've found that "sometimes" some CAs will NOT be included, regardless of
the setting of the Client Authentication purpose on the root CA cert on
the server, until you create a CTL and add the root CA to the CTL.
Then, after disabling the CTL, these particular CAs will be included in
the Acceptable CA list "for awhile" (I haven't figured out what that
means yet. This behavior is very inconsistent.), then they'll stop
being included again.
Questions
=========
So, with all of this, I have some questions:
1) Between Win2K/IIS5 and Win2K3/IIS6, did MS *purposefully* change the
behavior/philosophy of how Win2K/IIS5 and Win2K3/IIS6 decide what goes
into Acceptable CA list in the server CertificateRequest message? If
so, is this documented anywhere?
2) Is MS aware of the inconsistent construction of the Acceptable CA
list in the server Certificate that I described above?
That's about it. Apologies for the longishness of this post...
Thanks in advance!
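The list the post keeps coming back to is the certificate_authorities field of the TLS CertificateRequest message, and the quickest way to see exactly which CAs a server is advertising is to decode that message from a captured handshake. The following is an added, constructed example (not code from the post or from Microsoft): a minimal Python encoder and decoder for a TLS 1.0 CertificateRequest, with just enough DER Name handling to render each acceptable CA as "CN=..., O=..." (string-typed attribute values are assumed, and the encoder only emits short-form lengths, which is enough for the made-up sample CA names).

```python
import struct

OID_NAMES = {b"\x06\x03\x55\x04\x03": "CN", b"\x06\x03\x55\x04\x0a": "O"}  # 2.5.4.3, 2.5.4.10; others shown as hex

def _tlv(tag, body):
    """DER tag-length-value, short-form length only (enough for the sample names)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def encode_dn(attrs):
    """[(oid_der, text), ...] -> DER Name, one RDN per attribute, PrintableString values."""
    return _tlv(0x30, b"".join(_tlv(0x31, _tlv(0x30, oid + _tlv(0x13, v.encode("ascii"))))
                               for oid, v in attrs))

def build_certificate_request(ca_dns, cert_types=b"\x01"):
    """TLS 1.0 CertificateRequest handshake message (type 13; cert type 0x01 = rsa_sign)."""
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    body = bytes([len(cert_types)]) + cert_types + struct.pack("!H", len(cas)) + cas
    return b"\x0d" + len(body).to_bytes(3, "big") + body

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7f
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def dn_to_text(dn):
    """DER Name -> 'CN=..., O=...' in encoded order (string-typed values assumed)."""
    _, seq, _ = _read_tlv(dn, 0)                     # outer SEQUENCE OF RDN
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)            # RelativeDistinguishedName (SET)
        _, atv, _ = _read_tlv(rdn, 0)               # AttributeTypeAndValue (SEQUENCE)
        oid_len = atv[1] + 2                        # an OID always has a short-form length
        _, val, _ = _read_tlv(atv, oid_len)
        parts.append(f"{OID_NAMES.get(atv[:oid_len], atv[2:oid_len].hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def parse_certificate_request(msg):
    """(certificate_types, [acceptable CA DN strings]) from a CertificateRequest message."""
    assert msg[0] == 0x0d, "not a CertificateRequest handshake message"
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    cert_types, pos = body[1:1 + body[0]], 1 + body[0]
    (total,) = struct.unpack("!H", body[pos:pos + 2])
    pos, end, names = pos + 2, pos + 2 + total, []
    while pos < end:                                 # each CA: 2-byte length + DER Name
        (ln,) = struct.unpack("!H", body[pos:pos + 2])
        names.append(dn_to_text(body[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    return cert_types, names
```

Feeding `parse_certificate_request` the bytes of a real server CertificateRequest (handshake type 13, as seen after the ServerHello in a packet capture) prints the acceptable CA list the server actually sent, which is the direct way to compare the IIS5 and IIS6 behaviour described above.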