
Thread: Enable requiring client certificates in IIS 6

Last post 06-16-2009 6:00 AM by Paul Lynch. 11 replies.


  • 06-15-2009, 12:02 PM

    Enable requiring client certificates in IIS 6

    It sounds simple but I have problems: I would like to force client certificates use on IIS SSL website:

    I followed tons of guides/FAQs, but when I try to browse the resource, a window comes up with the certificates to select, but it is empty.

    Please follow my situation, because I think some step is missing and I need help.

    I have 3 pc involved:

    A) Server on which there is the CA installed: CA_SERVER (deployed in a DMZ)
    B) The application server: IIS_SERVER (deployed in another DMZ)
    C) The client machine: CLIENT_PC (it lives in an AD domain, different from the above DMZs)

    I followed these steps on IIS_SERVER:

    1) created a new certificate request in IIS (certreq.txt) using the NetBIOS name
    2) imported it in the CA (please note that the CA is on another server) and generated certnew.cer
    3) imported it in IIS, configuring it to work with SSL

    Now when I browse https://ipaddress/sslsite or https://IIS_SERVER/sslsite from CLIENT_PC I can see the standard security warning "There is a problem with this website's security certificate." and I can force the navigation by clicking on "Continue to this website (not recommended)."

    I now follow these steps:

    1) On CLIENT_PC I browse to https://CA_SERVER/certsrv/ --> User Certificate --> Web browser certificate --> fill in details --> Submit
    2) A pending request is now in my CA on CA_SERVER and I issue it.
    3) I return to CLIENT_PC, browse https://CA_SERVER/certsrv/ and click "View the Status of a Pending Certificate Request" --> click my issued request --> click install certificate --> there is a warning that tells me to install the CA certificate first --> I install it --> I finally install the certificate.

    Now I go into IIS and configure the SSL settings as in the first picture you can see in this post ...

    Unfortunately, when I browse https://IIS_SERVER/sslsite it does not work because I get:

    and I can't select any certificate.

    I tried different ways to export certificates with no luck.

    please help!!

  • 06-15-2009, 10:06 PM In reply to

    • lextm
    • Top 10 Contributor
    • Joined on 10-22-2008, 4:18 AM
    • Shanghai, PRC
    • Posts 1,413

    Re: Enable requiring client certificates in IIS 6

    You cannot select any certificate on the client side, as simply THERE IS NO VALID certificate installed there yet.

    The settings on the IIS server are correct, so you don't need to change much. Now you need to acquire client-side certificates and install them on the desired clients. Remember those certificates are different from the server certificate you installed on the server, and your CA can tell you more about that.

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 06-16-2009, 2:55 AM In reply to

    Re: Enable requiring client certificates in IIS 6

    Hi,

    I was also facing the same problem. I was getting the blank dialog box in the client system for certificate selection. To overcome this problem, I made a request for a client certificate from the client system, then in the CA I issued the certificate, and then on the client I installed this certificate. Then it started working fine.

    But I have one problem here: can't I distribute the client certificates from the CA without asking the client to make a request? I want to create one client certificate and distribute it so that users can install the certificate using the certificate file instead of making a request from the IE browser.

    Please help me.

    Thanks and Regards,

    Harry

  • 06-16-2009, 3:16 AM In reply to

    • lextm

    Re: Enable requiring client certificates in IIS 6

    About such information, you should consult your CA directly, as they know that area much better.

    My understanding is that all authorized users need to manually install the certificate your CA provided when they log in, so that the certificate can be used without a problem.

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 06-16-2009, 3:32 AM In reply to

    Re: Enable requiring client certificates in IIS 6

    lextm:

    Thanks for the reply.

    Why is there no valid certificate?

    I installed it from the CA, and if (on my Vista client) I open MMC with the Certificates snap-in I can see my CA under Local Computer account --> Trusted Root CA, as well as the new certificate issued to me under User account --> Personal --> Certificates.

    The procedure I use to obtain and install the certificate is the same I previously wrote; I post it again below:
    -------------------------------------------------------------------------------------
    1) On CLIENT_PC I browse to https://CA_SERVER/certsrv/ --> User Certificate --> Web browser certificate --> fill in details --> Submit
    2) A pending request is now in my CA on CA_SERVER and I issue it.
    3) I return to CLIENT_PC, browse https://CA_SERVER/certsrv/ and click "View the Status of a Pending Certificate Request" --> click my issued request --> click install certificate --> there is a warning that tells me to install the CA certificate first --> I install it --> I finally install the certificate.
    -------------------------------------------------------------------------------------

    Please note that I installed the CA and I am supposed to manage it, so I can't ask anybody .. can you point me in a direction or, if the CA is not your area, point me to a specific MS forum or person?

    Please can you also tell me if what I am going to write is true:

    "forcing requiring client certificates in IIS enforces SSL security because only clients with the correct certificate can connect; however, also when choosing ignore client certificates, the SSL connection is fully encrypted and cannot be sniffed"

    Thanks!

  • 06-16-2009, 4:05 AM In reply to

    • lextm

    Re: Enable requiring client certificates in IIS 6

    I assume you installed the Certificate Services of AD; then you can consult our AD experts via the forums,

    http://social.technet.microsoft.com/Forums/en-US/active_directoryde/threads

    To check if a certificate can be used by IE as a client certificate, you can:

    1. Go to Internet Options|Content

    2. Click the Certificates button

    3. Under Personal, double-click on the certificates one by one.

    You can check Details tab of the properties and locate the Enhanced Key Usage item. Unless that item contains Client Authentication (1.3.6.1.5.5.7.3.2), IE considers it a valid certificate to use.

    Lex Li
    Support Engineer at Microsoft
    ---------------------------
    This posting is provided "AS IS" with no warranties, and confers no rights.
  • 06-16-2009, 4:25 AM In reply to

    Re: Enable requiring client certificates in IIS 6

    joker197cinque:
    I installed it from the CA, and if (on my Vista client) I open MMC with the Certificates snap-in I can see my CA under Local Computer account --> Trusted Root CA, as well as the new certificate issued to me under User account --> Personal --> Certificates.

    You need to install the certificate into the user's personal certificate store, not the certificate store of the machine account. Try following the steps outlined in this article:

    http://www.iisadmin.co.uk/?p=11&page=4

    Regards,

    Paul Lynch | www.iisadmin.co.uk
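    As an added example (not code from the thread or from iisadmin.co.uk), the following PowerShell combines Lex Li's Enhanced Key Usage check and Paul's point about the user versus machine store: it walks the Personal store of both CurrentUser and LocalMachine and reports, for each certificate, whether it carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2), has its private key, and chains to a trusted root on this client; the function name and the UsableByIE column are my own.

```powershell
# Added example, not code from the thread. For every certificate in the user's and
# the machine's Personal store, report the conditions IE needs before it will offer
# the certificate in the client-certificate prompt: Client Authentication EKU,
# private key present, chain builds to a trusted root, and the CurrentUser store.
# A certificate that only lives in LocalMachine\My is listed so the wrong-store
# case from the thread is visible.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the OID quoted in the thread
$ekuExtOid     = '2.5.29.37'           # extendedKeyUsage extension

function Test-ClientAuthCert {
    # Function name and $StorePath parameter are assumptions for this example.
    param(
        [string]$StorePath,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $hasClientAuth = $false
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtOid }
    if ($ekuExt -ne $null) {
        # .NET exposes this extension as X509EnhancedKeyUsageExtension
        foreach ($oid in $ekuExt.EnhancedKeyUsages) {
            if ($oid.Value -eq $clientAuthOid) { $hasClientAuth = $true }
        }
    }

    # Client-side half of "trusted by all parties": does the chain build against
    # this machine's trusted roots? The web server's own trust list is not checked.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)

    $r = '' | Select-Object Store, Subject, ClientAuthEKU, HasPrivateKey, ChainTrusted, UsableByIE
    $r.Store         = $StorePath
    $r.Subject       = $Cert.Subject
    $r.ClientAuthEKU = $hasClientAuth
    $r.HasPrivateKey = $Cert.HasPrivateKey
    $r.ChainTrusted  = $chainOk
    # IE reads only the current user's Personal store
    $r.UsableByIE = ($StorePath -eq 'Cert:\CurrentUser\My') -and $hasClientAuth -and $Cert.HasPrivateKey -and $chainOk
    $r
}

$results = @()
foreach ($storePath in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem $storePath) {
        $results += Test-ClientAuthCert $storePath $cert
    }
}
$results | Format-Table -AutoSize
```

    Run it as the user who will browse the site; a certificate imported from a .cer file alone shows HasPrivateKey as False, which is why an exported certificate without its key never appears in the IE prompt.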
  • 06-16-2009, 4:28 AM In reply to

    Re: Enable requiring client certificates in IIS 6

    joker197cinque:
    "forcing requiring client certificates in IIS enforces SSL security because only clients with the correct certificate can connect; however, also when choosing ignore client certificates, the SSL connection is fully encrypted and cannot be sniffed"

    This is True.

    ~ Ganesh

  • 06-16-2009, 4:35 AM In reply to

    Re: Enable requiring client certificates in IIS 6

    I checked the installed certificate and I can see:

    Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
    Key Usage: Key Encipherment (20)

    Is it wrong? If yes, why is it wrong and how can I issue a good one?

    Thanks.

  • 06-16-2009, 5:09 AM In reply to

    Re: Enable requiring client certificates in IIS 6

    Hi,

    One thing I noticed while importing the client certificate using IE - Tools - Options - Content tab: when I import the certificate into the Personal store, I get a message that the import was successful, but when I look at the Personal store there are no certificates installed in that folder; but when I select the option "Automatically select store" while importing the certificate, then the certificate goes into the Other store.

    I don't know what is happening here?

    Can someone throw light on this?

    The other thing is that when I install the certificate using the certificate file, it gets installed in the Personal store, which I can see through Certificates - Current User in the console, but when I check the Content tab in the IE options, I cannot see this certificate?

    Strange behaviour....

  • 06-16-2009, 5:37 AM In reply to

    Re: Enable requiring client certificates in IIS 6

    Paul,

    Reading this link too, I can understand that SSL server certificates are different from client certificates.

    This is much confusing, if possible :)

    I think I have successfully set up the SSL server certificate side by doing the following:

    1) Created a certreq.txt via IIS
    2) Processed it in my internal Windows 2003 CA on another server and issued it
    3) Browsed the CA server via http://caserver/certsrv and downloaded the certnew.cer (base 64)
    4) Successfully imported it in IIS

    SSL works, if I ignore client certificates.

    I have an IIS server with SSL enabled on a site... now how do I create/manage/import client certificates on the client side?

    I tried to follow your link, but the exact steps to create certificates with SelfSSL are missing ... so I would like to use my internal Windows 2003 default CA, if possible.

    Thanks to help of all of you, I think I am near the solution.

  • 06-16-2009, 6:00 AM In reply to

    Re: Enable requiring client certificates in IIS 6

    Hi,

    As long as the client certificate is trusted by both the client machine and the web server it should work OK. You now need to request a client certificate from your internal CA and then create the relevant mapping as described in the tutorial I posted.

    The key to getting it all to work is to ensure that any certificates being used are trusted by all parties.

    Regards,

    Paul Lynch | www.iisadmin.co.uk