Re: SSL client certificate authentication
From: David Cross [MS] (dcross@online.microsoft.com)
Date: 04/05/03
From: "David Cross [MS]" <dcross@online.microsoft.com> Date: Fri, 4 Apr 2003 21:12:58 -0800
The list is populated by IE based on the list of root CA certs that the IIS
machine trusts.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Neel" <sriparvathy.ganeshan-external@gemplus.com> wrote in message
news:17f3a876.0304030427.4dd8394e@posting.google.com...
> Hi All,
>
> I tried out doing the SSL client certificate authentication in the
> following way as explained below. But there is some problem and the
> web site doesn't open in the client machine...
>
> 1> I have installed the stand-alone root CA for generating the
> certificates to be stored in the local machine.
>
> 2> When I install the Microsoft certificate services, the root CA gets
> installed in the trusted root certificate Authority root store.
>
> 3> Using the Microsoft certificate services web page, I request a
> client and a server certificate. The server certificate is installed
> in the server machine and gets stored in the Intermediate CA. The
> client certificate is installed in the client machine and gets stored
> in the Intermediate CA again.
>
> 4> Now in the IIS wizard, I go to the directory security tab.
> * In the Anonymous access and authentication control section, I have
> not enabled any of the authentication methods like Anonymous,
> Basic, Digest or Integrated Windows authentication.
>
> Here only certificate authentication is needed. So I went to the
> secure communication section to,
> * map a server certificate that I have generated and installed before.
> * I go to the Edit section, enable the Require secure channel and
> Require client certificate.
> * But I don't do any mapping of the client certificate to the Windows
> user account.
>
> I am not doing this mapping because if that happens, then all the
> client certificates have to be compulsorily placed in the server
> machine, which is not correct.
>
> I have thought the working of this SSL client certificate
> authentication this way :-
>
> a> I just enable the SSL communication and to accept the client
> certificate in the server.
>
> b> Get the client certificate in the client PC and install it in the
> Intermediate CA.
>
> c> Now, when I type https://<address of server>/Test, the server
> certificate should be presented and later the client authentication
> dialog box has to appear with the client certificate in the list. But
> here I have a doubt, on what basis does the client certificate get
> listed in the client authentication dialog box? Does it have any
> connection with the user?
>
> Is the mapping of certificate mandatory here?
>
> Thanx
> Neel
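
Added example (not part of the original thread, and not IE or IIS code): a small Python model of the filtering described in the reply, where the CA names the server trusts, carried in the TLS CertificateRequest, decide which client certificates appear in the selection list. The class, function names, simplified DN comparison and sample store are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer_chain: tuple          # issuer DNs, direct issuer first, root last
    has_private_key: bool = True


def normalize(dn):
    # Simplified DN comparison (assumption): case- and space-insensitive per RDN.
    return ",".join(part.strip().lower() for part in dn.split(","))


def selectable_certs(store, acceptable_cas):
    """Return subjects of the certificates a client would list for selection.

    acceptable_cas models the CA distinguished names the server advertises
    in its TLS CertificateRequest. An empty list puts no restriction on the
    issuer, so every certificate with a private key is a candidate.
    """
    wanted = {normalize(dn) for dn in acceptable_cas}
    offered = []
    for cert in store:
        if not cert.has_private_key:
            continue  # cannot sign the handshake, so unusable for client auth
        chain = {normalize(dn) for dn in cert.issuer_chain}
        if not wanted or chain & wanted:
            offered.append(cert.subject)
    return offered


# Constructed sample data: one root trusted by the server, four client certs.
SERVER_TRUSTED_ROOTS = ["CN=Test Root CA, O=Example"]
CLIENT_STORE = [
    ClientCert("CN=neel", ("CN=Test Root CA,O=Example",)),
    ClientCert("CN=via-sub", ("CN=Issuing CA,O=Example",
                              "cn=test root ca, o=example")),
    ClientCert("CN=other", ("CN=Unrelated Root,O=Elsewhere",)),
    ClientCert("CN=no-key", ("CN=Test Root CA,O=Example",),
               has_private_key=False),
]

if __name__ == "__main__":
    print("server trusts its root :", selectable_certs(CLIENT_STORE, SERVER_TRUSTED_ROOTS))
    print("server sends empty list:", selectable_certs(CLIENT_STORE, []))
    print("server trusts other CA :", selectable_certs(CLIENT_STORE, ["CN=Nobody"]))
```
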