IIS requiring Client "Machine" Certificate... possible?

I was wondering if it is possible, natively or add-in, to enable IIS to
require a client "machine" certificate (like IPSEC) instead of the common
user certificate.

Thanks - Gabriele.

On Dec 17, 6:19 pm, GabrielTFI <Gabriel***@discussions.microsoft.com>
wrote:
> I was wondering if it is possible, natively or add-in, to enable IIS to
> require a client "machine" certificate (like IPSEC) instead of the common
> user certificate.
>
> Thanks - Gabriele.

A certificate is a certificate. In an Active Directory environment,
computer accounts can authenticate themselves with a certificate just
like a user can. If you set up an IIS VDIR to require client
certificate authentication and a service running on another machine
tries to access the web app then it can present its certificate to
authenticate the host computer account. Many details are left out, of
course, but that's the high level.

Did this answer your question or are you thinking of a different
scenario?

Thanks!
Dave

Thanks for your reply.

I just meant another different case.
I would like to find a way that a user accessing my IIS web site is required
to present a _machine_ certificate rather than the "standard" _user_
certificate.
I would like to authenticate the machine certificate first, then the user with
user and password.
Say I want to allow 10 users to access my IIS web application with user and
password, but that access will be restricted only from 5 computers enrolled
with a machine certificate.

Is there any way to achieve that?

"DaveMo" wrote:
> A certificate is a certificate. In an Active Directory environment,
> computer accounts can authenticate themselves with a certificate just
> like a user can. If you set up an IIS VDIR to require client
> certificate authentication and a service running on another machine
> tries to access the web app then it can present its certificate to
> authenticate the host computer account. Many details are left out, of
> course, but that's the high level.
>
> Did this answer your question or are you thinking of a different
> scenario?
>
> Thanks!
> Dave

On Dec 18, 6:08 pm, GabrielTFI <Gabriel***@discussions.microsoft.com>
wrote:
> Thanks for your reply.
>
> I just meant another different case.
> I would like to find a way that a user accessing my IIS web site is required
> to present a _machine_ certificate rather than the "standard" _user_
> certificate.
> I would like to authenticate the machine certificate first, then the user with
> user and password.
> Say I want to allow 10 users to access my IIS web application with user and
> password, but that access will be restricted only from 5 computers enrolled
> with a machine certificate.
>
> Is there any way to achieve that?

Ahh. Well that is a standard IPSEC scenario - why not use IPSEC?

You really couldn't do what you are describing because it's the
machine that owns the machine certificate, not the user. Any process
running in the context of the user cannot, and should not, be able to
access the cert private key that would be required to do authentication.
IPSEC works, of course, because it is actually the machine doing the
authentication at the IP layer.

Make sense?
Dave