How do I make a local machine client certificate available to all users?

Assimalyst wrote:

Hi,

Using Windows Server 2003, I have set up a standalone certificate using the certsrv tools. When a client machine registers you can use the advanced form to 'Store Certificate in Local Computer Certificate Store'.

This all works as intended when the client machine registers, but when a user logs on to the site using IE6 they are still met with the 'The page requires a client certificate' web page.

I know I can export the local machine store certificate and then import it per user through IE, but is there an easier way to do it? Ideally I want all users on a particular machine to automatically use the local computer stored certificate without the need for an individual IE install.

Thanks for your help.

David Wang wrote:

What are you trying to accomplish?

Are you trying to install one client certificate on a machine and have all users logged into that machine automatically use that certificate to make an SSL request to your server? Because if so, what you want is very contrary to the whole security design of a client certificate.

The whole purpose of a client certificate is proof of identity. If you have multiple users that can use the same certificate, you might as well not bother requiring client certificates in the first place.

Unless you are trying to enforce the requirement that only certain machines with client certificates, used by anyone, can access your server, but you can do that in other ways, like with IPSec.

So... can you please describe what you are actually trying to do?

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//

Assimalyst wrote:

Hi David,

Thank you for your response.

Yes, the intention is to allow a machine access regardless of user; the website has a user login to track that.

So it seems client certificates are not the way to go on this? I will look into IPSec, but of course any further comments are always welcome.

Thanks again

Assimalyst wrote:

I will elaborate on the situation as I am still a little unclear on the best course of action.

I have Windows Server 2003 SP1 running a website. I want to allow only specific machines to access this website over the internet. They will likely originate from 1 or 2 IP addresses, belonging to a bureau of machines, where users may be using different machines within the bureau day to day.

Ideally I would like to be able to track which machines are logged on, and which user is logged on with that machine. I can track users through the website, but am not so sure how to track the machine.

I thought that by using client certificates the machine could be tracked, but the certificate is installed on a per-user basis. I found I was able to install on the local machine certificate store, but the certificate still needed to be installed per user for them to gain access to the website.

Any comments would be much appreciated.

Assimalyst wrote:

I have just found out the client machines operate from a DHCP server. I presume then that IPSec will not work in this instance?

Thanks

David Wang wrote:

It sounds like your client machines are Intranet machines which access the Internet through a common Proxy, which then authenticates and accesses your server machine.

From a networking perspective, that Proxy intentionally masks the internal IP of the client machines from your server machine and is the only one that knows how to map between the two. So, the only way for your server machine to know the client machine is if the client intentionally discloses its identity to the server.

You were thinking of using machine-specific client certificates sent by the browser of that machine for all users, but that dream runs contrary to how reality works. An easy, proprietary approach would be for the client authentication protocol to also disclose the internal IP to the server, in the same way that it discloses the username.

As for restricting access to your server - you can only restrict it to the IP of the Proxy using the built-in IP Restriction of IIS or IPSec. If you want to restrict based on internal IP at the Bureaus, then you need to write your own proprietary code to retrieve the internal IP disclosed via the proprietary authentication protocol.

All of this would be easy to do with built-in Windows functionality if the machines are "local" to each other. It is hard because the Proxy used at the Bureaus obscures the internal client machine's IP (by design), so using standard tools, you can only approximate authentication based on the IP of the Proxy.

//David
http://w3-4u.blogspot.com
http://blogs.msdn.com/David.Wang
//
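The two-layer check David outlines, as an added example that is not code from the thread: the server admits a request only when the TCP peer is the bureau's proxy (the role IIS IP Restriction or IPSec plays), and only then records the username and internal IP the client disclosed during login. The proxy address, the field names and the AccessRecord type are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed: public address of the bureau's proxy. Every request reaching the
# server carries this as its source IP, since the proxy hides the internal one.
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}


@dataclass
class AccessRecord:
    """What the server can log per request: who, via which proxy, from which
    internal machine. The internal IP is client-asserted, so it is tracking
    data for the bureau's own machines, not proof of identity by itself."""
    username: str
    proxy_ip: str
    internal_ip: str


def authorize(peer_ip: str, username: str,
              disclosed_internal_ip: Optional[str]) -> Optional[AccessRecord]:
    """Return an AccessRecord for an admitted request, or None to reject it.

    peer_ip is the real TCP source address seen by the server. Everything
    else comes from the login exchange and is trusted only because the peer
    passed the proxy allow-list first.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        # Not from the bureau proxy: reject, whatever the request claims.
        return None
    if disclosed_internal_ip is None:
        # Login protocol did not disclose the machine; cannot track it.
        return None
    try:
        internal = ipaddress.ip_address(disclosed_internal_ip)
    except ValueError:
        return None
    if not internal.is_private:
        # A bureau machine behind a proxy has an RFC 1918 address; anything
        # else is a malformed or spoofed disclosure and is not recorded.
        return None
    return AccessRecord(username, str(peer), str(internal))
```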