Using Client Certificate Authentication with IIS 6.0 Web Sites
by Thomas Shinder [Published on 24 June 2004 / Last Updated on 24 June 2004]
In spite of the fact that there’s no such thing as a secure network, there are still a lot of things you can do that don’t require you to take a second mortgage on your home or spend thousands of man-hours. This is especially true when it comes to providing secure access to Microsoft IIS Web servers.
What methods do you use to control access to your secure Web sites? Do you require authentication? If so, what type of authentication? Are the users’ credentials passed in clear text? Do you secure data moving between the Web site and the client, or can anyone with a network sniffer read all the data moving between the Web client and the Web server?
The definition of secure is a moving target. If you talk to the security wonks, they’ll tell you your configuration is not secure, and that you’ll have to spend an untold number of dollars and administrator hours to correct the security flaws in your network. Meanwhile, if you were to go to the security consultant’s home, you’d find he has glass windows and clear glass panes on his doors which are easily breakable. Any run-of-the-mill burglar can make off with his stereo and the laptop computer sitting on the desk inside.
When we put together a secure Web site (for employee access, not for e-commerce, as e-commerce sites have an entirely different set of requirements), we require two-factor authentication. Two-factor authentication requires that two methods be used when accessing content on the secure Web site. For example, one factor can be the username and password, and the second factor can be biometric input, such as a fingerprint. Two-factor authentication methods typically depend on “what I know” and “what I have”.
Most two-factor authentication schemes require very pricey third-party devices that provide the “what I have” component. The most popular two-factor authentication method is RSA SecurID. The SecurID token generates a one-time password that users enter when they authenticate with a secure Web site. SecurID is a very powerful two-factor authentication scheme and I highly recommend it for organizations that can afford it.
Even if you don’t have hoards of excess cash, you can still benefit from two-factor authentication. If you have a Windows 2000 or Windows Server 2003 server (such as the domain controller in your Active Directory domain), then you can put together your own two-factor authentication scheme. You can install a Microsoft Certificate Server on the Windows Server machine and issue user certificates to your users. Then you can configure your Web site to require both a username and password and a user certificate. The user certificate is the “what I have” piece of the two-factor authentication scheme.
In this article we’ll go over the procedures required to make this two-factor authentication method work. You’ll need to do the following:
Install IIS 6.0 on the Windows Server 2003 computer
Create an offline certificate request file using the Web Site Certificate Wizard
Submit the offline certificate request to the Certificate Server using the Web Enrollment Site