Re: Is it possible to force IIS to accept any client ssl certificate?

From: Tester (test)
Date: 01/15/04


Date: Wed, 14 Jan 2004 19:09:50 -0500

There is CertCheckMode/CertChainCheckUsage/CheckCertRevocation:

CertChainCheckUsage/CheckCertRevocation are both false by default.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/ref_mb_certcheckmode.asp
http://www.microsoft.com/windows2000/en/server/iis/htm/asp/apro4e3p.htm

MD_CERT_NO_USAGE_CHECK "When MD_CERT_NO_USAGE_CHECK is set to true, the
certificate provided by the client is not verified as valid."

Is this win2k3 only? Does it do what it says?

Thanks for any response

"Ryan D Johnson [MS]" <rjohnson@online.microsoft.com> wrote in message
news:uy8sbzlca.fsf@online.microsoft.com...
> "David Cross [MS]" <dcross@online.microsoft.com> writes:
>
> > No, the client certs must be trusted and map to an account through one of
> > the acceptable methods
>
> Not entirely true. IIS will reject the client cert if the chain
> doesn't verify or if the cert doesn't contain the client auth EKU.
>
> However, it is not necessary for the cert to map to an account unless
> you have denied anonymous access to the directory.
>
> I don't know if the chain and policy validation behavior of IIS can be
> configured or not. Seems unlikely.
>
> --
> Ryan D Johnson [MS]
> rjohnson@online.microsoft.com
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights. Use of included script samples are subject to the terms
> specified at http://www.microsoft.com/info/cpyright.htm


