8th October 2007

How to Secure a Web Site Using Client Certificate Authentication

posted in IIS 6.0

Configuring Client Certificate Mapping

As mentioned previously, it is possible to configure a web site to require a client certificate which is then mapped to a specific user account. To do this, right-click the Client Certificate Web Site, click Properties and then Directory Security. Under Secure Communications click Edit. Ensure that Require client certificates is ticked and then check Enable client certificate mapping.

Fig. 29

Click Edit and, on the 1-to-1 tab of the Account Mappings dialog box, click Add to create the new mapping.

Fig. 30

Browse to the location of the previously exported file containing the client certificate and click Open (you should not be prompted for a password, as we exported only the public key).

Fig. 31

On the Map to Account dialog box enter a suitable name for the mapping and then enter the details of the ‘certuser’ account.

Fig. 32

Confirm the password and click OK to create the mapping. The client certificate account mapping is now created.

Fig. 33

As we have created a 1-to-1 certificate mapping for this web site we can actually disable all other forms of authentication so that only the client certificate is used to authenticate the user. When the user connects they are prompted for a client certificate. If a valid certificate is presented for which there is a mapping then the user is authenticated as the user specified in the associated certificate mapping.

Note – this method isn’t recommended for production systems, since anyone who managed to obtain a copy of the client certificate could gain access to the secure web site. It is recommended to require a password for the user in addition to the client certificate, so that a true two-factor authentication mechanism is enforced.

However, I am merely going to demonstrate here that it can be done. On the Directory Security tab of the web site, under Authentication and access control, uncheck all authentication methods as shown here.

Fig. 34

Then click OK twice.

If we now try to connect from the client machine we are prompted for our client certificate, and once that certificate is successfully authenticated we are granted access to the secure web site.

Examining the IIS Log Files

Finally, if we examine the log files for this web site we can see how the two different configurations are handled by IIS. First, with both anonymous authentication and basic authentication allowed and with a client certificate required, we see these entries:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-05-16 13:44:46
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-05-16 13:44:46 192.168.0.51 GET / - 443 - 192.168.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1) 401 3 5
2006-05-16 13:44:53 192.168.0.51 GET /Default.asp - 443 certuser 192.168.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1) 200 0 0

Notice the 401.3 status code on the first line: this is caused by anonymous authentication being enabled but the anonymous IUSR account being explicitly denied access to the web site directory (which we configured earlier). On the second line you can see the ‘certuser’ user ID being passed to IIS and a subsequent 200 return code as we are granted access to the web site.

Finally, with all authentication mechanisms disabled except for the client certificate mapping (see Fig. 34), we see that once the client certificate has been authenticated the mapped user account is successfully authenticated to the web site. Notice that the user ID now appears in the IIS log file in the format we entered when creating the client certificate account mapping:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2006-05-16 13:46:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2006-05-16 13:46:01 192.168.0.51 GET /Default.asp - 443 W2K3TEST\certuser 192.168.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1) 200 0 0
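As an added example (not code from the original post), the following Python script parses both listings above using the #Fields directive, folds sc-status and sc-substatus into the 401.3 form used in the post, and flags any successful response that was served without a cs-username, which on a site where IUSR is denied and only the mapped certificate account should get through would point at a misconfiguration. The sample lines are copied from the two listings above; the 403.x substatus meanings are IIS's documented client-certificate codes and are not taken from the post.

```python
"""Parse IIS 6.0 W3C extended log lines and summarise how each request to a
client-certificate site was authenticated.  Added example; not code from the
original post."""
from typing import Dict, Iterable, List

# Sample log, constructed from the post's two listings (the #Fields directive
# is repeated before the second listing so the sample stays self-describing).
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Date: 2006-05-16 13:44:46",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    "2006-05-16 13:44:46 192.168.0.51 GET / - 443 - 192.168.0.1 "
    "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1) 401 3 5",
    "2006-05-16 13:44:53 192.168.0.51 GET /Default.asp - 443 certuser 192.168.0.1 "
    "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1) 200 0 0",
    "#Date: 2006-05-16 13:46:01",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status",
    r"2006-05-16 13:46:01 192.168.0.51 GET /Default.asp - 443 W2K3TEST\certuser "
    "192.168.0.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+SV1) 200 0 0",
]

# status.substatus pairs relevant to a client-certificate site.  401.3 is the
# one the post explains; the 403.x entries are IIS's documented
# client-certificate substatus codes (not from the post).
SUBSTATUS_MEANING = {
    "401.3": "denied by ACL on the resource (IUSR denied, no other identity yet)",
    "403.7": "client certificate required but none presented",
    "403.12": "certificate mapper denied access",
    "403.13": "client certificate revoked",
    "403.16": "client certificate untrusted or invalid",
    "403.17": "client certificate expired or not yet valid",
}


def parse_w3c_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one dict per data line, keyed by the names in the most recent
    #Fields directive.  '-' is the W3C empty marker and becomes ''; '+' in
    cs(User-Agent) is IIS's substitute for a space."""
    fields: List[str] = []
    entries: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        if not fields:
            raise ValueError("data line seen before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        entry = {name: ("" if v == "-" else v) for name, v in zip(fields, values)}
        if "cs(User-Agent)" in entry:
            entry["cs(User-Agent)"] = entry["cs(User-Agent)"].replace("+", " ")
        entries.append(entry)
    return entries


def status_code(entry: Dict[str, str]) -> str:
    """Combine sc-status and sc-substatus into the '401.3' form the post uses."""
    return f"{entry['sc-status']}.{entry['sc-substatus']}"


def describe(entry: Dict[str, str]) -> str:
    """One-line explanation of how IIS handled the request."""
    code = status_code(entry)
    user = entry["cs-username"] or "(no identity)"
    if code in SUBSTATUS_MEANING:
        return f"{code} {entry['cs-uri-stem']}: {SUBSTATUS_MEANING[code]}"
    if entry["sc-status"] == "200":
        return f"{code} {entry['cs-uri-stem']}: served as {user}"
    return f"{code} {entry['cs-uri-stem']}: {user}"


def unauthenticated_successes(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Detection check: on a site that requires a mapped client certificate and
    denies IUSR, no 2xx response should ever be logged without a cs-username.
    Anything returned here points at a misconfiguration worth investigating."""
    return [e for e in entries if e["sc-status"].startswith("2") and not e["cs-username"]]


if __name__ == "__main__":
    parsed = parse_w3c_log(SAMPLE_LOG)
    for e in parsed:
        print(e["time"], describe(e))
    print("unauthenticated 2xx hits:", len(unauthenticated_successes(parsed)))
```

Run against a real log directory, the same parser copes with the log rolling over to a new #Fields line, and unauthenticated_successes is the one check to keep scheduled: it should stay empty for as long as the site's authentication settings match Fig. 34.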

In this tutorial we have looked at how client certificates can be used as a ‘two factor authentication’ mechanism to create even more secure web sites with IIS.

References:

IIS and client certificates
http://support.microsoft.com/?id=907274
http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html
http://www.tech-faq.com/two-factor-authentication.shtml

Certificate Creation Tool (Makecert.exe)
http://msdn2.microsoft.com/en-us/library/bfsktky3(VS.80).aspx

How to install client certificate on IIS Server for ServerXMLHTTP request object
http://support.microsoft.com/kb/301429

Mapping Client Certificates One-to-One (IIS 6.0)


This entry was posted on Monday, October 8th, 2007 at 2:24 pm and is filed under IIS 6.0.

There are currently 6 responses to “How to Secure a Web Site Using Client Certificate Authentication”


  1. On January 21st, 2009, Rick said:

    Thank you for the quality hard work that you’ve completed on this website. Many of your articles have been very beneficial.

    I am currently working on a project that combines two of your articles.

    1) Use Isapi Redirect to run tomcat through IIS
    2) Use Client Certificates for security in IIS (this one)

    I have been able to successfully complete both of these tasks separately, but have been unable to complete them together. Would there be additional steps needed to complete this task?

    Thank you for any light you can shed.

    Rick

  2. On May 29th, 2009, Patrick said:

    Thank you, this is great information. It allowed me to get most of the configuration. However, I cannot get either to work. I get a Bad Gateway error 502.

    Patrick

  3. On May 11th, 2010, Marc said:

    Hello,

    Thanks for a great blog. Have you ever configured both client certificate authentication as well as having the certificate passed to a Tomcat app server? What is required to get IIS to send the cert to Tomcat so it can be read from the request?

    Thanks.

  4. On December 5th, 2011, Lydon said:

    Very glad I found your guide! But having some issues. Would you consider doing an updated version of this guide for the newer versions of Server and IIS?

  5. On December 14th, 2011, Eric Belair said:

    I set up client certificate authentication using these instructions, only I did it on one directory instead of an entire website. However, I am getting an HTTP 403.7 error when I try to request a page in the directory. I have the client cert in my PC store. I noticed that it doesn’t have a private key – is this absolutely essential?

  6. On December 14th, 2011, Eric Belair said:

    Never mind, I just realized that the cert they gave us is only the public one – they can’t share the private one. So, I have no way to properly test this for now.
