Make Client Cert Required in IIS on SBS 2003?

I've posted this question in the SBS forum several times but nobody seems to know the answer. My question is specific to security in Small Business Server 2003, as it applies to RWW (remote web workplace) and related web sites created in IIS on SBS servers.

IIS creates a default web site and within it a virtual site called Remote when SBS is installed. This site allows access to the entire SBS domain (servers, clients, OWA, RWW, etc) with certain security provisions. SBS also allows the creation of a self-signed certificate and the installation of that certificate on client computers (and devices). I'm trying to understand how IIS security works in this configuration so I can require a client computer to have a self-signed certificate (from the SBS server) already installed in order to access the Remote Web Workplace (RWW) site from the Internet.

It appears the security control is embedded in the IIS settings on the SBS server, under the default web site's \Remote virtual directory. In the Directory Security properties of \Remote, under the Secure Communications section there is a list of Client Certificate radio buttons. The 3 options are: Ignore, Accept or Require client certificates. I cannot get "Require" to work. There may be much more to it than just this one setting. What settings are required to limit RWW access to clients with certificates? How does this "Certificate Required" IIS function work in regular W2k3? Thanks.

On Thu, 3 Aug 2006 15:56:09 -0400, "HughM" <ShyGuy@newsgroups.nospam> wrote:

>Hi,
>
>I've posted this question in the SBS forum several times but nobody seems to
>know the answer. My question is specific to security in Small Business
>Server 2003, as it applies to RWW (remote web workplace) and related web
>sites created in IIS on SBS servers.
>
>IIS creates a default web site and within it a virtual site called Remote
>when SBS is installed. This site allows access to the entire SBS domain
>(servers, clients, OWA, RWW, etc) with certain security provisions. SBS also
>allows the creation of a self-signed certificate and the installation of
>that certificate on client computers (and devices). I'm trying to understand
>how IIS security works in this configuration so I can require a client
>computer to have a self-signed certificate (from the SBS server) already
>installed in order to access the Remote Web Workplace (RWW) site from the
>Internet.
>
>It appears the security control is embedded in the IIS settings on the SBS
>server, under the default web site's \Remote virtual directory. In the
>Directory Security properties of \Remote, under the Secure Communications
>section there is a list of Client Certificate radio buttons. The 3 options
>are: Ignore, Accept or Require client certificates. I cannot get "Require"
>to work. There may be much more to it than just this one setting. What
>settings are required to limit RWW access to clients with certificates? How
>does this "Certificate Required" IIS function work in regular W2k3? Thanks.

Require Certificate is a function of SSL. You need to configure SSL for this to work. Not sure if you have, and I'm unfamiliar with the intricacies of SBS.

Jeff

Hi Hugh,

The require client certificate option will only be available after you enable SSL on the site. To set up an SSL certificate on the web site, you should first install Certificate Service to build the server as your Certificate Authority (CA). Then follow the article below to request and issue the certificate with the IIS Server Certificate Wizard.

How To: Set Up SSL on a Web Server
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT16.asp

If anything is unclear, please don't hesitate to let me know.

Have a nice weekend.

Best Regards,

WenJun Zhang
Microsoft Online Community Support

==================================================

Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues where an initial response from the community or a Microsoft Support Engineer within 1 business day is acceptable. Please note that each follow up response may take approximately 2 business days as the support professional working with you may need further investigation to reach the most efficient resolution. The offering is not appropriate for situations that require urgent, real-time or phone-based interactions or complex project analysis and dump analysis issues. Issues of this nature are best handled working with a dedicated Microsoft Support Engineer by contacting Microsoft Customer Support Services (CSS) at:

http://msdn.microsoft.com/subscriptions/support/default.aspx.

==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Hi Hugh,

Just want to check if you've resolved the problem per these suggestions?

Best Regards,

WenJun Zhang
Microsoft Online Community Support

WenJun,

My first problem is that Certificate Services is not installed on SBS 2003 servers and I've been advised on the SBS newsgroup not to install it! With SSL enabled I am able to select the "certificate required" radio button but it seems to have no effect (i.e. it does not require certificates).

I have an SBS server running in virtual mode (in addition to the "real" one) and next week I will try to install certificate services on it and see what happens. Thanks.

Hugh
_________________________________________________________

""WenJun Zhang[msft]"" <wjzh***@online.microsoft.com> wrote in message news:qXlkKb8uGHA.492@TK2MSFTNGXA01.phx.gbl...
> Hi Hugh,
>
> Just want to check if you've resolved the problem per these suggestions?
>
> Best Regards,
>
> WenJun Zhang
>
> Microsoft Online Community Support

Hi Hugh,

If you have concerns about installing the certificate service on the SBS server, you can build the CA on a member server of the domain.

I'll wait for the update from you. Have a nice week.

Sincerely,

WenJun Zhang
Microsoft Online Community Support

It sounds like you are asking to configure IIS to require Client Certificate
based authentication in order to access the /Remote vdir to limit access to RWW to only those that have the Client Certificate.

If so, simply:

1. install that Self Signed certificate onto the server
2. right-click Property page of the Website, go to the "Directory Security" tab, click on the "Server Certificate" button, and configure it to use that certificate. This enables SSL for the website using that Server Certificate
3. right-click Property page of /Remote vdir, go to "Directory Security" tab, click on "Edit" for secure communications, check "Require secure channel (SSL)". This automatically enables selection of "Require client certificates".

IIS functions the same way in all Windows Server 2003 flavors. Just some features may be disabled/crippled on the Professional SKUs.

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//

"HughM" <ShyGuy@newsgroups.nospam> wrote in message news:eLg8ebztGHA.1288@TK2MSFTNGP02.phx.gbl...
> Hi,
>
> I've posted this question in the SBS forum several times but nobody seems
> to know the answer. My question is specific to security in Small Business
> Server 2003, as it applies to RWW (remote web workplace) and related web
> sites created in IIS on SBS servers.
>
> IIS creates a default web site and within it a virtual site called Remote
> when SBS is installed. This site allows access to the entire SBS domain
> (servers, clients, OWA, RWW, etc) with certain security provisions. SBS
> also allows the creation of a self-signed certificate and the installation
> of that certificate on client computers (and devices). I'm trying to
> understand how IIS security works in this configuration so I can require a
> client computer to have a self-signed certificate (from the SBS server)
> already installed in order to access the Remote Web Workplace (RWW) site
> from the Internet.
>
> It appears the security control is embedded in the IIS settings on the SBS
> server, under the default web site's \Remote virtual directory. In the
> Directory Security properties of \Remote, under the Secure Communications
> section there is a list of Client Certificate radio buttons. The 3 options
> are: Ignore, Accept or Require client certificates. I cannot get "Require"
> to work. There may be much more to it than just this one setting. What
> settings are required to limit RWW access to clients with certificates?
> How does this "Certificate Required" IIS function work in regular W2k3?
> Thanks.
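
One way to check what the Directory Security steps in the thread actually stored, as an added example that is not part of the original posts: the Ignore/Accept/Require choice and the "Require secure channel (SSL)" box are kept in the IIS 6 metabase as the `AccessSSLFlags` bitmask, which a virtual directory inherits from its parent unless it sets its own value. The metabase paths (site ID 1, the `/Other` directory) and the sample numbers below are constructed for illustration.

```python
# Added example: audit IIS 6 AccessSSLFlags values for client-certificate enforcement.
# Bit values are the IIS 6 metabase AccessSSLFlags flags; the paths and sample
# numbers further down are constructed, not taken from a real server.
FLAGS = {
    "AccessSSL": 0x008,               # "Require secure channel (SSL)"
    "AccessSSLNegotiateCert": 0x020,  # server asks the client for a certificate
    "AccessSSLRequireCert": 0x040,    # "Require client certificates"
    "AccessSSLMapCert": 0x080,        # map certificates to Windows accounts
    "AccessSSL128": 0x100,            # require 128-bit encryption
}

def decode(value):
    """Return the set of flag names present in an AccessSSLFlags integer."""
    return {name for name, bit in FLAGS.items() if value & bit}

def effective_flags(path, metabase):
    """Walk up the metabase path until a node sets AccessSSLFlags explicitly."""
    node = path
    while node:
        if metabase.get(node) is not None:
            return metabase[node]
        node = node.rpartition("/")[0]
    return 0  # nothing set anywhere on the path

def audit(path, metabase):
    """Classify whether requests to `path` must present a client certificate."""
    flags = decode(effective_flags(path, metabase))
    if "AccessSSLRequireCert" not in flags:
        mode = "accept" if "AccessSSLNegotiateCert" in flags else "ignore"
        return f"{mode}: client certificate is not required"
    missing = {"AccessSSL", "AccessSSLNegotiateCert"} - flags
    if missing:
        return "misconfigured: require set without " + ", ".join(sorted(missing))
    return "require: client certificate enforced"

# Constructed sample: the site root requires nothing, /Remote is set explicitly,
# /Other has no value of its own and inherits from the root.
SAMPLE = {
    "W3SVC/1/ROOT": 0,
    "W3SVC/1/ROOT/Remote": 0x008 | 0x020 | 0x040 | 0x100,
    "W3SVC/1/ROOT/Other": None,
}

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", audit(p, SAMPLE))
```
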