Require only specific client certificates in IIS
I am implementing a solution that requires client certificates. I'm using IIS 7.5 and ASP.Net 4 WCF services.
I've set the SSL Settings to Require SSL and require client certificates. Looks good so far.
Because I'm new to the use of client certificates I've been doing a bit of research, and came across a Microsoft support article that attempts to explain a bit about the client certificate validation process. It states:
"When the server prompts for a certificate, the request includes a list of the certification authorities that the server trusts. The client then compares this list to the list of certification authorities that the client trusts and creates a list of the ones that match. Then, the client compares that list to the client certificates it has and determines which, if any, certificates have been issued by certification authorities that both the client and the server trust."
Apparently the client will send certificates that both sides trust. What I'm interested in is whether I can configure IIS or my WCF service to only accept certain client certificates, such as ones we generate from our own certificate authority specifically for the purpose of this WCF service.
What is to stop someone from using a client certificate from VeriSign, or one from our certificate authority that was intended for some other purpose?
iis iis-7.5 client-certificate wcf
The client does not send a certificate. It accepts one of the certificates offered by the server after validating against local certificates.
– Brian
Jan 14 '14 at 19:02
2
@Brian - I don't understand. We're talking about client certificates. The server side requires the client to prove their identity by supplying a client certificate to the server, does it not? How does the client not send a certificate?
– Jeremy
Jan 15 '14 at 20:55
@Jeremy did you ever find a solution to this problem?
– ahsteele
Jan 24 '17 at 20:31
@ahsteele I haven't. In our environment we are using a reverse proxy mechanism (F5 is the vendor) so we enforce the client certificate there. We are able to write a script that ensures the client certificate is one that we've issued. It doesn't allow us to validate that the certificate is the one for that specific user though. If you figure out how to do this in IIS I'd like to know too... :)
– Jeremy
Jan 24 '17 at 21:26
@Jeremy was hoping you had the silver bullet. I'm guessing in your scenario the user is also being presented with a list of certificates from all of the CAs that both the server and client trust.
– ahsteele
Jan 24 '17 at 22:13
asked Jan 14 '14 at 18:09
Jeremy
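The question asks for a way to make the WCF service accept only certificates that the organisation's own CA issued for this service. One way to do that on the WCF side is a custom X509CertificateValidator; the code below is an added example written here, not taken from the question, the comments or the linked article. The namespace, assembly name and thumbprints are placeholders, and it assumes a binding configured with <security mode="Transport"><transport clientCredentialType="Certificate" /> behind the IIS "Require" setting from the question.

```csharp
using System;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the question or the linked article). Register it in web.config:
// <serviceCredentials><clientCertificate><authentication certificateValidationMode="Custom"
//   customCertificateValidatorType="Example.ServiceClientCertValidator, MyAssembly" /></clientCertificate></serviceCredentials>
namespace Example
{
    public sealed class ServiceClientCertValidator : X509CertificateValidator
    {
        // Placeholder SHA-1 thumbprints (no spaces) of our root CA and of the issuing CA that is
        // used only for this service's client certificates. In a single-tier PKI they are the same.
        private const string PinnedRootThumbprint   = "0000000000000000000000000000000000000000";
        private const string PinnedIssuerThumbprint = "1111111111111111111111111111111111111111";
        private const string ClientAuthEku = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

        public override void Validate(X509Certificate2 certificate)
        {
            if (certificate == null) throw new ArgumentNullException("certificate");

            // 1. Build the full chain (signatures, validity period, revocation). IIS already did this
            //    at the TLS layer against the machine store, which trusts many public roots.
            var chain = new X509Chain();
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            chain.ChainPolicy.RevocationFlag = X509RevocationFlag.EntireChain;
            if (!chain.Build(certificate))
            {
                string reasons = string.Join("; ", chain.ChainStatus.Select(s => s.StatusInformation.Trim()));
                throw new SecurityTokenValidationException("Client certificate chain is invalid: " + reasons);
            }

            // 2. Decide trust by pinning: the chain must end at our root and the leaf must come
            //    from our dedicated issuing CA. A VeriSign-issued certificate fails here even
            //    though VeriSign is a trusted root on the server.
            X509ChainElementCollection elements = chain.ChainElements;
            if (elements.Count < 2)
                throw new SecurityTokenValidationException("Self-signed client certificate rejected.");
            string rootThumbprint   = elements[elements.Count - 1].Certificate.Thumbprint;
            string issuerThumbprint = elements[1].Certificate.Thumbprint;
            if (!Same(rootThumbprint, PinnedRootThumbprint) || !Same(issuerThumbprint, PinnedIssuerThumbprint))
                throw new SecurityTokenValidationException("Client certificate was not issued by the service CA.");

            // 3. Purpose: require the client-authentication EKU, so a certificate from our own CA
            //    that was issued for e.g. S/MIME or code signing is refused as well.
            var eku = certificate.Extensions.OfType<X509EnhancedKeyUsageExtension>().FirstOrDefault();
            if (eku == null || !eku.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == ClientAuthEku))
                throw new SecurityTokenValidationException("Client certificate lacks the clientAuth EKU.");
        }

        private static bool Same(string a, string b)
        {
            return string.Equals(a, b, StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

Tying the certificate to one particular user, which the comments note an issuer check alone cannot do, is a separate step: after validation the service compares the presented certificate's thumbprint (available through ServiceSecurityContext.Current.PrimaryIdentity) with the thumbprint recorded for that user's account.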
1 Answer
I believe this link provides the solution you are looking for, and it appears to be quite detailed. I am going to try it in the next couple of days and will report back with my findings.
https://blogs.msdn.microsoft.com/asiatech/2014/02/12/how-to-configure-iis-client-certificate-mapping-authentication-for-iis7/
Welcome to Super User! Whilst this may theoretically answer the question, it would be preferable to include the essential parts of the answer here, and provide the link for reference.
– bertieb
Jan 5 at 15:53
answered Jan 5 at 15:05
Carlos Guevara