February 1999

Configuring IIS 4.0 Certificate Authentication
Finally, run the following commands from the IIS installation root directory (usually C:\winnt\system32\inetsrv). The commands update the IIS metabase with the details of the CA you created:

Iisca

Net stop iisadmin /y

Net start w3svc

Issuing Client Certificates

Now you can begin issuing client certificates. Client certificates install directly into the browser. (All recent browsers from Netscape and Microsoft support client certificates; however, I will focus on IE 4.0.) From the client, browse to http://server name/certsrv/certenroll/ceenroll.asp. The Certificate Enrollment Form lets you enter the details of the client certificate. Fill out all fields as appropriate and click Submit Request. Submitting the request takes you to IE 4.0's Web Server Enrollment Page; click Download on that page to install the client certificate into the browser. You can verify that the client certificate installed properly by selecting View, Internet Options, Content, Personal. The client certificate appears in IE 4.0's Client Authentication window.

After you install the client certificate, you need to let IIS know that the certificate holder is authorized to access the secure area of your Web site. Because IIS bases Web security on NT user accounts, IIS needs a way to map each client certificate to an NT user or group account on the server. IIS uses the Client Certificate Mapping table to achieve this mapping. To create a client certificate mapping, you must import each client certificate individually from a text file. Importing client certificates from text files, although a clunky process, appears to be the only supported method of creating the required mappings. Thus, you need a way to capture the client certificates installed in client browsers and store them in a text file. The easiest way to capture and store client certificates is to write Active Server Pages (ASP) code that saves the client certificate to a file. Listing 1 shows ASP code that writes client certificates to a text file.

Create a directory on your Web server to hold the ASP file, and modify the path in the code (callout A of Listing 1) to point where you want the certificate information written. To let the ASP file create the text file (cert.txt in Listing 1), grant the directory write permission in IIS. To make the server prompt the client for a certificate, enable both https and Anonymous access on the directory in which you store the ASP file, and have clients reference the ASP file as https:// rather than http://. A client that runs this ASP file receives a prompt requesting a client certificate, and the submitted certificate is then written to the cert.txt file.
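As an added example (not the article's Listing 1, which is not reproduced on this page), the following ASP page shows the pattern the text describes: it is requested over https, reads the fields IIS exposes through the Request.ClientCertificate collection, and appends them to a text file. The file path C:\certcap\cert.txt is an assumption; change it to match the directory you created. Before recording anything, the page checks the Flags field so that a request with no certificate, or a certificate from a CA the server does not recognize, is rejected rather than logged as if it were valid.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit
' Added example, not the article's own listing. Captures the client
' certificate fields IIS 4.0 exposes via Request.ClientCertificate.

Const LOG_PATH = "C:\certcap\cert.txt"   ' assumed path; grant IIS write access
Const ForAppending = 8                   ' FileSystemObject open mode
Const ceCertPresent = 1                  ' Flags bit: a certificate was sent
Const ceUnrecognizedIssuer = 2           ' Flags bit: issuer not trusted by IIS

Dim flags, fso, ts
flags = Request.ClientCertificate("Flags")

' No certificate presented: the page was probably requested over http://,
' or the browser holds no certificate for this server. Refuse and stop.
If (flags And ceCertPresent) = 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "No client certificate was presented."
    Response.End
End If

' Certificate from an issuer IIS does not trust: do not record it,
' because a mapping built from it would authorize an unknown CA's holder.
If (flags And ceUnrecognizedIssuer) <> 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "Client certificate issued by an unrecognized CA."
    Response.End
End If

' Append the identifying fields to the capture file (created if missing).
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set ts = fso.OpenTextFile(LOG_PATH, ForAppending, True)
ts.WriteLine "Captured:  " & Now()
ts.WriteLine "Subject:   " & Request.ClientCertificate("Subject")
ts.WriteLine "Issuer:    " & Request.ClientCertificate("Issuer")
ts.WriteLine "Serial:    " & Request.ClientCertificate("SerialNumber")
ts.WriteLine "ValidFrom: " & Request.ClientCertificate("ValidFrom")
ts.WriteLine "ValidTo:   " & Request.ClientCertificate("ValidUntil")
ts.WriteLine ""
ts.Close
Set ts = Nothing
Set fso = Nothing

Response.Write "Certificate details recorded."
%>
```

The Certificate key of the same collection holds the raw ASN.1 certificate; that is the data the mapping import needs, but because it is binary it should be written with a binary-capable method rather than a TextStream, which is why this example records only the human-readable fields and leaves the raw certificate to the article's listing.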

If a client browses to the ASP file and no client certificate appears in the Client Authentication window, a problem exists with the CA information in the IIS metabase. To repair the problem, rerun the three commands from the IIS installation root directory (Iisca, NET STOP iisadmin /y, and NET START w3svc). The cert.txt file will then contain the client certificate, which will look similar to Listing 2. Copy callout A of Listing 2 into your favorite text editor, and save it to a file.

Now you can create a mapping between this client certificate and an NT user account. Select the directory you want to secure from the IIS 4.0 Directory Security tab, and select the permissions shown in the Secure Communications dialog box in Screen 6, page 129. This permission combination requires a valid certificate for Web access. Click Edit in the Secure Communications dialog box to create the client certificate mapping. (You can create wildcard mappings; however, here I describe only individual mapping.) Make sure the Basic tab is selected in the Account Mappings dialog box, which Screen 7 shows, and click Add to import the certificate text file you created when you copied callout A of Listing 2. A prompt asks for the certificate text file; enter its path and filename, and click OK. On the Basic tab of the Account Mappings dialog box, assign the mapping a name, enter the NT account name (e.g., IUSR_server name) of the user who needs access to the secured area, then enter and confirm the NT password of the account you want to map the client certificate to. A successful mapping will look similar to the one in Screen 7.

Congratulations—You're a CA
That's it! You have created client certificates for your users, captured those certificates to text files, and subsequently mapped the certificates to NT user accounts. Your users can now access your secured Web area without having to use the traditional username and password mechanism. Your users will be happy about the simplified Web access that client certificates make possible, and you'll sleep better knowing your secure Web areas are truly secure.

Reader Comments
I’m trying to deploy a secure extranet to a few hundred vendors, and I’ve been struggling with how to incorporate certificates and leverage the services Microsoft Internet Information Server (IIS) offers. I was ready to give up after spending so much time trying (unsuccessfully) to make heads or tails of Microsoft Certificate Server. Then, I read Ramon Ali’s “Configuring IIS 4.0 Certificate Authentication” (February). Finally, here’s an article with some insight and real application of Certificate Server! The other February articles about e-commerce and Microsoft Site Server are also worth their weight in gold. The February issue is Windows NT Magazine’s best issue yet.
--Steve Katsirubas

Steve Katsirubas August 06, 1999


I rarely respond to the authors of any of the thousands of articles that I read each year, but I have to make an exception in this case. Ramon Ali’s “Configuring IIS 4.0 Certificate Authentication” (February) couldn’t have come at a better time for me. I was in the process of installing Microsoft Certificate Server 1.0, and Microsoft’s technical support representatives were already tired of me telling them that they needed to produce better documentation about the installation and configuration of the product and the known problems concerning the product’s operation. Ali’s article provided the explanation I needed to install the product and the confidence to research a problem I encountered.
Every time I tried to start the Certificate Server service, my system timed out with a message stating that the service wouldn’t respond to the control function. Ali’s article convinced me I hadn’t done anything wrong, so I went in search of some documentation to help with the problem. The Microsoft article “Certificate Server Fails to Start After Unattended Installation” (http://support.microsoft.com/support/kb/articles/q190/0/59.asp) addresses the problem and provides an easy fix for it. The article explains that the problem occurs only when you perform an unattended setup of Certificate Server, but my experience says otherwise. In the article, Microsoft details how to create a .reg file to enter the necessary Registry keys the OS doesn’t create during Certificate Server installation, but I entered the Registry values manually. In less than 2 minutes, I resolved the problem.
The Registry entries were crucial, but if I hadn’t read Ali’s article, I wouldn’t have made it even far enough to have this problem. Keep up the good work.
--Kyle S. Hamilton

The Registry settings that the Microsoft article describes seem to point to problems associated with database logging for Certificate Server. I’ve experienced similar problems during a reinstallation of Certificate Server, but I’ve managed to fix them simply by moving the certsrv.mdb file from wherever it is to C:\winnt\system32.
--Ramon Ali

Kyle S. Hamilton August 09, 1999


I have to agree, this article was timed perfectly. I was struggling with issuing Client Certificates and finding that the server that issued them would not recognize them. Who would have thought to enter the CA Name in the State field. Thanks for the timely solution.

Sam Rener, MCSE April 07, 2000


I spent hours and hours working on this problem. The directions here are the ONLY ones that I have been able to get to work. Horrible documentation on Microsoft's part. THANK YOU for documenting this on the web or I would still be scratching my head.

Mike Mellskog - MCSE October 13, 2002


This article was FANTASTIC!!!

It was exactly what i was looking for and answered my question VERY well. Even though we're using IIS 5, this can easily be interpreted.

Thanks again!!

Robert Smith October 28, 2003

