How can I request a client certificate only from a particular CA - iis

Is it possible to request client certificates issued only by a particular CA (Certificate Authority)?
The site is using IIS 7.5, and we have client certificates assigned to users following this article - http://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/.
The CTL does not seem to have any effect on this because the server will always advertise all acceptable CA names, regardless of whether they are in the CTL or not.
http://blogs.msdn.com/b/saurabh_singh/archive/2007/12/07/certificate-trust-list-not-being-honored-by-iis-5-0-6-0-7-0.aspx

Run MMC as an Administrator on the server.
Add the Certificates Add-in, selecting the Computer account.
In each of the sub-folders, for each of the certificates you DO NOT want to be included:
If the Intended Purpose has or contains Client Authentication:
Right-click on the certificate
Make sure "Enable only the following purposes" is selected
Uncheck "Client Authentication"
Click OK.
I had to do this for over 400 certificates on two servers... twice (because GPOs overwrote my settings).
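The manual procedure above starts from a full inventory of which certificates still carry the Client Authentication purpose. The following is an added example, not code from the answer, that produces that inventory from the LocalMachine stores. It assumes PowerShell 5.1 or later on the IIS host, run elevated. It reads the EKU extension of each certificate; it does not see the per-certificate "Enable only the following purposes" override that the MMC steps set, so run it before the clean-up (or after a GPO refresh) to find what is still advertisable.

```powershell
# Added example (not from the original answer): list every certificate in the
# LocalMachine stores that Schannel could treat as acceptable for client
# authentication, i.e. the set an admin would have to restrict by hand.
# Assumptions: PowerShell 5.1+ on the IIS host, run elevated so all stores are readable.
# Caveat: this reads the EKU *extension* only; it does not read the per-certificate
# "Enable only the following purposes" property that the manual procedure sets.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Get-ClientAuthCapableCert {
    param(
        [string]$StoreRoot = 'Cert:\LocalMachine',
        [switch]$CAOnly      # only certificates with BasicConstraints cA=TRUE
    )
    Get-ChildItem -Path $StoreRoot -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $cert = $_
            $bc = $cert.Extensions |
                  Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            $isCA = ($null -ne $bc) -and $bc.CertificateAuthority
            if ($CAOnly -and -not $isCA) { return }

            $eku = $cert.Extensions |
                   Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            # No EKU extension at all means "valid for every purpose", which
            # includes client authentication, so treat it as capable.
            $capable = if ($eku) {
                @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid
            } else { $true }
            if (-not $capable) { return }

            [pscustomobject]@{
                Store      = ($cert.PSParentPath -split '::')[-1]
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                IsCA       = $isCA
                EkuSource  = if ($eku) { 'extension' } else { 'none (all purposes)' }
                NotAfter   = $cert.NotAfter
            }
        }
}

# CA certificates first: those are the issuer names a server may advertise.
Get-ClientAuthCapableCert -CAOnly | Sort-Object Store, Subject | Format-Table -AutoSize

# Keep the full list so the manual clean-up can be re-checked after a GPO refresh.
Get-ClientAuthCapableCert | Export-Csv -NoTypeInformation -Path "$env:TEMP\clientauth-capable-certs.csv"
```

The CSV is the checklist for the MMC steps; re-running the script after a Group Policy refresh shows which certificates were re-added. On Windows Server 2012 and later the issuer list a site sends can instead be taken from a CTL bound with `netsh http add sslcert ... sslctlstorename=...`, and by default (SCHANNEL `SendTrustedIssuerList` = 0) the server sends no issuer list at all; that does not help on the IIS 7.5 host in the question, which is why the per-certificate approach was needed there.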

Related

Client certificate authentication on IIS 8 - 401.1 Unauthorized

We are developing an ASP.NET application and we need to use Client Certificate Authentication on IIS 8.
I followed guides to setup SSL and Client Certification authentication.
https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/
and
https://blogs.iis.net/rlucero/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration
I've set up a client certificate and added a one-to-one mapping to map it to the local administrator account (once it works, I will change it to a more restricted user).
I validated that both the server and client certificates are valid and trusted on the server and on the client. So there is no problem with the certification authority.
When I try to access the web page I am prompted to choose a client certificate. When I confirm the selected certificate I always get a 401.1 result: Unauthorized.
I think that it can be related to the fact that in the IIS Authentication settings I disabled all authentication types. When I enable Windows Authentication, it seems to work - I am prompted to select a certificate and when I confirm the selected certificate, I am prompted for a username and password and then the page is displayed correctly. Of course I do not want the user to enter a Windows user name and password.
PS: Error log file from IIS is here https://www.dropbox.com/s/pe8qwxpgilr347l/fr000156.xml?dl=0
Thank you for any tips.
In my case, I needed to install and activate "client certificate mapping authentication" in Windows Server Manager "Roles and Features" and the IIS configuration editor here: system.webServer/security/authentication/clientCertificateMappingAuthentication
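The one-to-one mapping the question describes lives in the iisClientCertificateMappingAuthentication section (the clientCertificateMappingAuthentication section named in the answer is the Active Directory mapping variant, installed by the Web-Client-Auth feature). The script below is an added example, not code from the question or the answer, that installs the right feature and writes the whole configuration: require a client certificate, disable the other authentication modules (the cause of the 401.1 when nothing else can produce an identity), enable the mapping and add the entry. It assumes Windows Server 2012 or later, an elevated session, a site called 'Default Web Site', the client's public certificate exported to C:\certs\client.cer, and a low-privilege local account named 'certuser'; all of those names are placeholders.

```powershell
# Added example (not from the question or the answer): script the one-to-one
# client certificate mapping end to end.
# Assumptions: Windows Server 2012+, run elevated; site name 'Default Web Site';
# the client's public certificate (no private key) exported to C:\certs\client.cer;
# the mapped Windows account is a low-privilege local user named 'certuser'.

Import-Module WebAdministration

$SiteName       = 'Default Web Site'
$ClientCerPath  = 'C:\certs\client.cer'
$MappedUser     = 'certuser'
$MappedPassword = Read-Host -Prompt "Password for $MappedUser" -AsSecureString
$AppHost        = 'MACHINE/WEBROOT/APPHOST'   # write into a <location> tag, bypassing section locking

# 1. The feature that implements one-to-one / many-to-one mapping
#    (Web-Client-Auth is the Active Directory variant and is not needed here).
Install-WindowsFeature -Name Web-Cert-Auth | Out-Null

# 2. Require TLS and a client certificate on the site (403.7 if the client sends none).
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 3. Turn off the other authentication modules so the mapped identity is the only one.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
    Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
        -Filter "system.webServer/security/authentication/$section" -Name 'enabled' -Value $false
}

# 4. Enable IIS client certificate mapping and add the one-to-one entry.
#    The 'certificate' attribute is the Base64 DER of the public certificate.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCerPath
$certB64 = [Convert]::ToBase64String($cert.RawData)
$plain   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
               [Runtime.InteropServices.Marshal]::SecureStringToBSTR($MappedPassword))

$mapFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter $mapFilter -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter $mapFilter -Name 'oneToOneCertificateMappingsEnabled' -Value $true
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$mapFilter/oneToOneMappings" -Name '.' `
    -Value @{ enabled = $true; userName = $MappedUser; password = $plain; certificate = $certB64 }

# 5. Read back what was written before testing with a browser.
Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter "$mapFilter/oneToOneMappings/add" |
    Select-Object enabled, userName, @{ n = 'certificate'; e = { $_.certificate.Substring(0, 24) + '...' } }
```

IIS encrypts the password attribute in applicationHost.config, but the mapped account still needs only the rights the application requires; the mapping logs that account on for every request carrying the certificate, so never leave an administrator in the entry.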

How do you use Thinktecture IdentityServer 3 with Certificate setup

I want to use Thinktecture IdentityServer 3 to provide an STS for an ASP.NET site but I don't know how to set up the certificates.
How do I use SelfHost (InMem with WS-Fed) Thinktecture Identity Server 3 as STS for a local IIS site?
The problem I have is as follows:
I've used this client in VS Development Server:
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/Clients/MvcOwinWsFederation
with the SelfHost (InMem with WS-Fed):
IdentityServer3.Samples/tree/master/source/SelfHost%20(InMem%20with%20WS-Fed)
It all works, connects, authenticates and displays claims.
But when I publish the client to a local IIS site called WSFedClient and that tries to authenticate against the same self-host STS, I get this error:
"The remote certificate is invalid according to the validation procedure."
I've followed this:
https://github.com/IdentityServer/IdentityServer3/issues/553
...but I'm still confused about what it is I need to do.
Try installing your cert into the "Trusted Root Certificate Authorities" store.
1) Launch the mmc. At the start menu, enter MMC.exe and hit enter.
2) Press control-M to add a module. Select Certificates, and click Add.
3) Select Computer account, then Next, select Local Computer, and hit Finish. Then hit OK.
4) Expand Certificates. Right-click on "Trusted Root Certificate Authorities", and select "All tasks", then "Import..."
5) Browse out to the cert and select it. You probably will need to check the box to allow it to be exported, which means you'll probably have to enter the password, which you should know, if you created it.
Check the following things regarding your certificate. Most probably point #2 below is causing this error.
Check whether the CA's root certificate exists in the Trusted Root Certification Authorities store.
Check that the "Issued To" field of the certificate matches the host name of the identity server's endpoint URL.
Check the expiry date of the certificate.
Check that the certificate has not been revoked by the CA.
It looks like you must configure an SSL endpoint for the callback URI as well. That is WSFedClient in your sample.
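The four-point checklist in the answer above is exactly what .NET's chain validation reports, plus the host-name comparison. The function below is an added example, not code from the answers or from IdentityServer3, that runs all four checks against a certificate and the host name in the STS endpoint URL and returns one result object, so the failing point is visible instead of the generic "invalid according to the validation procedure" message. It assumes PowerShell 5.1 on .NET Framework, a certificate looked up by thumbprint in the machine store (the thumbprint is a placeholder), and SAN parsing that relies on the English "DNS Name=" text that Format() produces on en-US systems.

```powershell
# Added example (not from the original answers): run the four checks from the
# checklist (trusted root, host name, expiry, revocation) against a certificate.
# Assumptions: PowerShell 5.1 / .NET Framework on Windows; SAN parsing relies on
# the English "DNS Name=" text that Format() produces on en-US systems.

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostName
    )

    # Checks 1, 3 and 4: build the chain against the machine trust store with
    # online revocation checking; each failure shows up as a ChainStatus flag.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null   = $chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    # Check 2: the host name must match the CN or one of the SAN DNS entries.
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }

    $hostMatches = $false
    foreach ($n in $names) {
        # A wildcard matches exactly one DNS label, as browsers implement it.
        $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
        if ($HostName -match $pattern) { $hostMatches = $true; break }
    }

    [pscustomobject]@{
        Subject         = $Certificate.Subject
        RootTrusted     = -not ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain')
        HostNameMatches = $hostMatches
        NamesInCert     = $names -join ', '
        TimeValid       = -not ($status -contains 'NotTimeValid' -or $status -contains 'NotTimeNested')
        NotRevoked      = -not ($status -contains 'Revoked')
        RevocationKnown = -not ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation')
        ChainStatus     = if ($status) { $status -join ', ' } else { 'NoError' }
    }
}

# Usage: check the STS certificate against the host in the client's IdentityServer
# endpoint URL. The thumbprint and host name are placeholders.
$cert = Get-Item 'Cert:\LocalMachine\My\0123456789ABCDEF0123456789ABCDEF01234567'
Test-ServerCertificate -Certificate $cert -HostName 'localhost' | Format-List
```

A self-signed development certificate fails RootTrusted until its public part is imported into the client machine's Trusted Root store, which is what the first answer does; HostNameMatches is the field to look at when the sample works on the development server but not from the IIS site, because the URL the site calls often uses a different host name than the one the certificate was issued to.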

IIS with mutual SSL not working

I'm new to mutual SSL. Therefore my understanding of how client certificates work might be wrong.
When using Client certificates in IIS, do they need to be issued from the same certificate (or CA) as the IIS HTTPS binding has configured?
My dev IIS has a self signed certificate.
For the client certificate, I've created a CA and a Client certificate according to
the post here.
The CA is in my "Trusted Root Certification Authorities" of the local Computer.
The Client certificate is in my personal certificate folder.
On IIS I've set Client certificates to accept.
The first strange thing is that when I browse to my page, IE always shows me 403.7. Even though I've disabled the IE setting "Don't prompt for client certificate selection...", no window opens for the certificate selection.
Also when accessing the page with a HttpWebRequest with Client cert attached, the response is always 403. Unfortunately there I did not figure out how to get the sub status.
Why doesn't IIS accept my Client certificate when the RootCA of the Client certificate is in the trusted root store?
Is there a way to get more details where the problem might be?
Thanks
Thomas
Finally could solve the issue:
The CA and client certificates which I generated according to the tutorial here did NOT have the private key assigned in the certificate store. I had to remove the certificates from the cert store and import the PFX file including the private key.
Second, the client certificate needs to be in the Current User/Personal store so that IE picks it up. I initially generated it in the Local Computer/Personal store.
There might be a direct way to create the two certificates including the private key with makecert. But the PFX import was the easiest way for me.
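The sub-status that HttpWebRequest hides is written by IIS to the W3C log as the sc-substatus field, next to sc-status and the Win32 error code, so a failed mutual-TLS request can be classified from the log without detailed errors enabled. The script below is an added example, not code from the post, that parses the log's #Fields header and maps the 401.x/403.x pairs to their meaning. The three log lines are constructed for the example and are not from the poster's server.

```powershell
# Added example (not from the original post): read the IIS sub-status from the
# W3C log, which records the 403.7 / 403.16 / 403.17 detail a client never sees.
# Assumptions: W3C log format with the default fields; the sample lines below are
# constructed for this example.

$SubStatusMeaning = @{
    '403.7'  = 'Client certificate required: the client presented none'
    '403.13' = 'Client certificate revoked'
    '403.16' = 'Client certificate untrusted or invalid (chain does not end in a root the server trusts)'
    '403.17' = 'Client certificate expired or not yet valid'
    '401.1'  = 'Logon failed (mapping the certificate to a Windows account did not succeed)'
}

function Get-IisCertFailure {
    param([Parameter(Mandatory)][string[]]$LogLines)
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {
            # The header names the columns; W3C logs may change field sets mid-file.
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -notin @('401', '403')) { continue }
        $key = "$($row['sc-status']).$($row['sc-substatus'])"
        [pscustomobject]@{
            Time    = "$($row['date']) $($row['time'])"
            Client  = $row['c-ip']
            Uri     = $row['cs-uri-stem']
            Status  = $key
            Win32   = $row['sc-win32-status']
            Meaning = if ($SubStatusMeaning.ContainsKey($key)) { $SubStatusMeaning[$key] } else { 'see IIS status code reference' }
        }
    }
}

# Constructed sample: a request without a client certificate, one with a
# certificate whose root the server does not trust (Win32 2148204809 is
# 0x800B0109, CERT_E_UNTRUSTEDROOT), and one that succeeded.
$sample = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-03-10 09:12:01 10.0.0.5 GET /secure/default.aspx - 443 - 10.0.0.20 Mozilla/5.0 403 7 0 15
2015-03-10 09:12:44 10.0.0.5 GET /secure/default.aspx - 443 - 10.0.0.20 Mozilla/5.0 403 16 2148204809 31
2015-03-10 09:13:02 10.0.0.5 GET /secure/default.aspx - 443 - 10.0.0.20 Mozilla/5.0 200 0 0 12
'@ -split "`r?`n"

Get-IisCertFailure -LogLines $sample | Format-Table -AutoSize

# Against a live server (path is the default for the first site):
# Get-IisCertFailure -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex150310.log')
```

A 403.7 with no selection dialog is the symptom of the browser having no usable certificate in the Current User\Personal store with a private key, which is what the answer above found; a 403.16 means the certificate was sent but the server could not chain it to a trusted root.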
After 3 days of trial and error on my side: if you use IIS 10 on Windows Server 2022, TLS 1.3 is turned on by default.
The SSL handshake seems not to be implemented correctly in browsers/curl/... for this case.
For testing purposes turn off TLS 1.3.
In
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
add DisabledByDefault as a DWORD with value 1 and restart the server (not only IIS!).

Issuing auto signed certificate - IIS 7.5

I issued a self-signed certificate on IIS 7.5, and it is working correctly if I access my website through my computer.
However, if I access the website from another computer, I get a warning saying the certificate was issued to another address.
Is this because the certificate was issued to localhost instead of the actual IP?
Or does this not make any sense?
Regards,
The error message you are getting is normal, assuming you do not have anything in your certificate aside from 'localhost' to identify the owner.
Your browser is performing a name check, and looking to validate the certificate that is presented with the URL you typed in. Typically, the common name of a certificate matches the hostname/DNS name of the machine. Alternatively, there can be information inside of the Subject Alt Name (SAN) extension of your certificate. There, you could specify multiple DNS names or IPAddress fields that identify your server in addition to the CN.
If you are simply performing internal testing, I would not be terribly worried about the warning you are receiving. Just keep all of this in mind when you move to production. Also, having your CA being self-signed, you may also receive trust warnings, unless you manually import your self-signed CA certificate into the trust store of the browser you are using.
Maybe this helps you: Self signed certificates on IIS 7. At the end of the article, in the section named "Adding the Certificate to Trusted Root Certificate Authorities", an alternative solution is shown, but it implies importing the certificate on the client machine, so that could be a huge disadvantage. However, it is a solution if you can't register the certificate with a Certificate Authority and you have access to the client machine.
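The name check described in the first answer passes only when the host in the URL appears in the certificate, and the SAN extension is where both DNS names and IP addresses go. The script below is an added example, not code from the answers, that issues a self-signed certificate with a SAN covering every name and the IP that clients will type, binds it to the site's HTTPS binding, and exports the public part for import into client trust stores. It assumes Windows Server 2012 R2 / Windows 8.1 or later (New-SelfSignedCertificate with -TextExtension, whose SAN text syntax is the one shared with certreq INF files), an elevated session, and placeholder host names, IP and site name.

```powershell
# Added example (not from the original answers): self-signed certificate whose
# SAN lists every DNS name and the IP clients will use, bound to the IIS site.
# Assumptions: Windows Server 2012 R2+ / Windows 8.1+, elevated session;
# host names, IP and site name are placeholders.

Import-Module WebAdministration

$DnsNames  = @('web01.corp.example', 'web01', 'localhost')
$IPAddress = '10.0.0.5'
$SiteName  = 'Default Web Site'
$ExportDir = 'C:\certs'

# SAN entries in the {text} syntax: dns=... and ipaddress=... joined by '&'.
# The browser name check passes when the URL host matches one SAN entry;
# modern browsers ignore the CN once a SAN is present.
$sanEntries = @($DnsNames | ForEach-Object { "dns=$_" }) + "ipaddress=$IPAddress"
$cert = New-SelfSignedCertificate `
    -Subject "CN=$($DnsNames[0])" `
    -TextExtension @("2.5.29.17={text}$($sanEntries -join '&')") `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Show the SAN as issued, so a typo is caught before the binding is changed.
($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($true)

# Bind it to HTTPS on the site, replacing any existing binding certificate.
if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 443)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443
}
if (Test-Path 'IIS:\SslBindings\0.0.0.0!443') { Remove-Item 'IIS:\SslBindings\0.0.0.0!443' }
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null

# Export only the public part. A self-signed certificate is its own root, so this
# file is what a client imports into its Trusted Root store to stop the trust warning.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$cerPath = Join-Path $ExportDir "$($DnsNames[0]).cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
"Exported $cerPath (thumbprint $($cert.Thumbprint))"

# On each client, elevated:
#   Import-Certificate -FilePath '\\share\certs\web01.corp.example.cer' -CertStoreLocation Cert:\LocalMachine\Root
```

The exported .cer contains no private key, so distributing it only establishes trust; the private key stays in the server's machine store. Adding a self-signed certificate to a client's root store makes that key a trust anchor for that client, which is acceptable for internal testing and is the reason the answers warn against carrying it into production.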

How a web browser's SSL works

When a user selects the option of using SSL in a web browser, for example
a user selects the option of using SSL in Firefox, how does the web browser set up the SSL connection? Does the browser have a public key?
The browser has public keys from root certificate authorities. If a key from a website is signed by one of the root CAs in the browser, it can be verified as trustworthy automatically and SSL communication can start. Otherwise, you get prompted by the unknown/self-signed certificate dialog and decide for yourself whether to trust it or not.
When a user selects the option of using SSL in Firefox, it allows the browser to establish connections with SSL-enabled websites. The browser has a set of root certificate authorities like VeriSign which are well known around the world. So when a website gives a certificate signed by these CAs, our browser automatically recognizes the identity of the website. However, if that certificate is signed by an unknown authority, then the browser gives a pop-up about the unknown certificate and it depends on the user whether to trust it or not. If you trust it then it gets installed in your browser and that pop-up does not come up the next time you connect to that website. Similarly, some websites require client certificates in order to recognize the client. In that case, you need to install your certificate (generally provided by them to a set of users) in the browser so that those websites can identify you. You can say that it is a two-way communication and involves the exchange of certificates from both server and client.
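The exchange the answers describe can be driven from the client side with .NET's SslStream, which performs the same handshake a browser does: it receives the server's certificate, optionally sends a client certificate back, and then the caller decides whether the server chain ends at a trusted root. The function below is an added example, not code from the answers, that runs the handshake and reports the negotiated protocol and cipher, the server certificate, the chain verdict against the local root store, and whether a client certificate was accepted. It assumes outbound access to the named host on port 443 and PowerShell 5.1 on .NET Framework; the host names and thumbprint in the usage lines are placeholders.

```powershell
# Added example (not from the original answers): a TLS handshake from the client
# side with SslStream, reporting what a browser checks before it shows the page.
# Assumptions: outbound TCP to the host on the given port; PowerShell 5.1 / .NET
# Framework; host names and the client certificate thumbprint are placeholders.

function Test-TlsHandshake {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ClientCertificate
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server certificate in the callback so the handshake completes
        # and the chain verdict can be reported instead of thrown as an exception.
        $ssl = New-Object System.Net.Security.SslStream(
                   $tcp.GetStream(), $false,
                   [System.Net.Security.RemoteCertificateValidationCallback]{ $true })

        # Certificates offered if the server sends a CertificateRequest; an empty
        # collection means "no client certificate", as for an anonymous browser.
        $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        if ($ClientCertificate) { $null = $clientCerts.Add($ClientCertificate) }

        $ssl.AuthenticateAsClient($HostName, $clientCerts,
            [System.Security.Authentication.SslProtocols]::Tls12, $true)

        # The browser's trust decision: does the chain end at a root in the local store?
        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $trusted = $chain.Build($server)
        $chainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

        [pscustomobject]@{
            Host           = "$HostName`:$Port"
            Protocol       = $ssl.SslProtocol
            Cipher         = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            ServerSubject  = $server.Subject
            ServerIssuer   = $server.Issuer
            ChainTrusted   = $trusted
            ChainStatus    = if ($chainStatus) { $chainStatus -join ', ' } else { 'NoError' }
            ClientCertUsed = $ssl.IsMutuallyAuthenticated
        }
    }
    finally {
        $tcp.Close()
    }
}

# One-way TLS, as a browser does for an ordinary site:
Test-TlsHandshake -HostName 'www.example.com' | Format-List

# Mutual TLS: present a certificate from the user's Personal store (placeholder thumbprint).
# Test-TlsHandshake -HostName 'secure.corp.example' `
#     -ClientCertificate (Get-Item 'Cert:\CurrentUser\My\0123456789ABCDEF0123456789ABCDEF01234567') | Format-List
```

ChainTrusted false with UntrustedRoot in ChainStatus is the condition under which a browser shows the unknown-certificate dialog; ClientCertUsed true means the server requested a certificate and accepted the one offered, which is the second half of the two-way exchange the answer describes.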
