I'm running a Windows 2012 R2 environment that hosts a website in IIS. The website currently requires a client certificate (which is validated) to access the website.
The client certificate is checked to ensure that it is valid and has not been revoked, not for identification by the operating system. If the user presents a valid certificate, the information on the certificate is used to authenticate and identify the user in the application code (the actual authentication is Forms Authentication). There is no mapping of the client certificate to an individual user (e.g. the client certificates does not map to an active directory account).
The site currently utilizes an additional piece of software to pass the client certificate to an external OCSP to verify the certificate status.
My goal is to remove that additional piece of software and be left with an IIS only (or Windows Server only) solution, but the documentation has me confused. I'm not sure if I need to install the OCSP role on the IIS server or our AD server, or if there is a way in IIS to configure a URL to check the certificate.
If the client certificate is pointing to an OCSP server in its extension, IIS will automatically validate it. You might check the CAPI2\Operational event log to see what happens during the validation.
Related
We are developing ASP.NET application and we need to use Client Certificate Authentication on IIS 8.
I followed guides to setup SSL and Client Certification authentication.
https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/
and
https://blogs.iis.net/rlucero/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration
I've setup client certificate and added one-to-one mapping to map it to local administator account (once it works, i will change it to more resticted user).
I validated that both server and client certificate are valid and trusted on server and on clinet. So there is no problem with certification authority.
When i try to acces the web page i am promted to choose client certificate. When i confirm selected certificate i allways get 401.1 result: Unauthorized.
I think that it can be related with that in IIS Authentication settings i disabled all authentication types. When i enable Windows Authentication, it seems to work - I am prompted to select certificate and when i confirm selected certificate, i am prompted for username and password and then page is displayed correctly. Of course i do not want user to enter windows user name and password.
PS: Error log file from IIS is here https://www.dropbox.com/s/pe8qwxpgilr347l/fr000156.xml?dl=0
Thank you for any tips.
In my case, i needed to install and activate "client certificate mapping authentication" in Windows Server Manager "Roles and Features" and the IIS configuration editor here: system.webServer/security/authentication/clientCertificateMappingAuthentication
I am having problems correctly installing the OAuth certificate required for Xero partner integration on IIS 7.5 on Windows Server 2008 R2. There used to be guidance from Xero on this at http://developer.xero.com/documentation/advanced-docs/using-partner-applications-with-iis/ but the page just 404s now.
I've installed the certificate to the Trusted Root Certifications Store as per the prior Xero advice, and my code can retrieve the certificate (using its serial number); but when I try to access the private key, I get a CryptographicException: Keyset does not exist error, which other SO posts suggest is a permissions error (my application runs under a dedicated service account), but all those posts assume the certificate is installed in the personal certificate store - the TRC store does not give me the option of granting permissions to the service accounts or any other account.
I think that page used to give information about installing an Entrust client certificate as partner applications in the past needed to use one.
You don't need to use a client certificate these days and partners should instead direct their traffic to "https://api.xero.com" instead of "https://api-partner.network.xero.com".
You also don't need to install your oAuth certificate as that certificate is used only for signing your requests.
I have website hosted on IIS. My main issue is that I want only users with a specific certificate installed to be able to access the site. I tried to follow some tutorials but I can't find anyone covering both server and client side, since I can't get it to work.
I have some questions to the main issue:
What kind of certificate should I use (domain/selfed signed in IIS 7.5)? I do have access to a Active Directory Certificate Services where I can create other types of certificates (CA), but the problem is when trying to import them to my IIS ("certificate cannot be used as an ssl server certificate")
I would like to use a CA certificate, but is that possible when using IIS? Or do I need to write all the code the check if the user has the right certificate?
When created a certificate for the website (e.g. though IIS)..How do I create user certificates that are trusted by the server certificate?
As you may noticed by now I'm not sure how to do all of this, and would really like some help..
Server should use SSL server certificate. This certificate has to have Server Authentication extension in Extended key usage. Server certificate should have SAN extension (Subject alternative name) with domain name of server as DNS name (i.e. somesite.com)
CA certificate has to be imported to Trusted root store (preferably Local Machine) on both server and client machines.
Client certificate should contain Client Authentication extension in Extended key usage.
All EndEntity (client and server) certificates should have CRL distribution point in them where there is URL to CRL that is issued by CA. CRL has to be accessible by both client and server and should be always valid.
You can use XCA for training purposes. It has a nice GUI and it has templates for CA, SSL server and SSL client certificates by default. Then you can mimic these certificates in your Active Directory Certificate Services. Documentation and some guides can be found here.
Our team has a Windows 2008 server which is used primary for a common IIS dev box.
I want to enable SSL on one of the websites on IIS, so that it can only be accessed via HTTPS.
I created a self-signing certificate in IIS and installed it. However when I access the website via the browser (Chrome, Firefox or IE - doesn't matter), it always gives the scary..."this is not secure" screen. I've tried installing the certificate on my own computer, rebooting and I still get that screen.
One thing that I noticed is when I create a self-signed certificate, it adds the domain name to it...for instance, the name of the box is webIIS and our login domain is COMPANYDOMAIN. So it will say that the certificate was created by webIIS.COMPANYDOMAIN.com. This url resolves to nothing, since there is no such thing.
Am I going about it the wrong way?
I've answered a similar question here.
Few afterwords:
Your server should have a dns name. If it is in a domain (Active directory or something) it surely does. Find it, use it in CN of the SSL certificate.
CA that will issue SSL certificate should be trusted by clients accessing the server and by the server itself. Place CA certificate in Trusted Root Store (in LocalMachine store) on the server and all clients that will access it. If you have Active Directory it should be pretty simple to distribute it.
CRL that CA has to issue in defined intervals (it's up to you if the CRL will be issued one a day, month, year or lifetime) has to be accessible by clients and server. Either place it at http url that you gave when issuing SSL certificate or manually place in each certificate store (in Trusted Root Store).
In the Server
I have configured a intermediate certificate .pfx file in the IIS and created a https (443) port using binding option. I use certificate for Authorisation also I am expecting a client certificate from the client , I enabled the Require SSL and clien certificate required option in the IIS.
I checked the Intermediate certificate authorities for the root certificate and they also presents, checked the .pfx file installed in the certificate store (Local Machine) also presents.
I created .cer file from the above .pfx file with include private key option and shared the .cer file with my client and he has to attach the .cer file for authorisation .
Above is the REST wcf service with POST.
In the Client Side
I tested this application after getting the .cer file, attach that to my request in my client.exe and calling the service - it returns .403 fobidden error.
In the IIS log it is logged as 403.16 , sc-win32-status code = 2148204816 error
Please help me my above approach is correct and how to avoid this error.
Is configuring CTL is the option , or I need to get a separate client certificate for use from my client side.
You need to make small steps to debug this.
First import SSL server certificate to LocalMachine\My store. Verify
that certificate is trusted (by double-clicking it and verifying
chain).
Setup SSL binding in IIS. Verify that you can access the https site (even WCF service gives some documentation page on http/s).
Import client certificate in client CurrentUser\My store. Verify that certificate is trusted (by double-clicking it and verifying
chain).
Set SSL require mode on your WCF service on IIS. Verify that when you access https site of the WCF service a certificate is prompted and no trust error is returned (again, the documentation page should be displayed)
Server certificate must have Server Authentication extension. Client certificate must have Client Authentication extension in it. Client has to trust server certificate. Server has to trust Client certificate. This means that CRLs from both chains must be reachable.