
Disable or Control certificate auto-import?

Author
14 Dec 2006 12:20 AM
Don Thimsen
I'm working with an IIS 6.0 website running on Windows 2003 Server.
It's normally used as an internal website, but we now have a small group
of geographically dispersed external users that require access. VPN isn't
practical in this situation, so I thought I'd try SSL.

I first tried using SelfSSL and then requiring SSL connections. The idea
being that I could export the certificate, and then get both internal and
external users to manually add the pfx file using the password I used
during the certificate creation.

This worked like I wanted until I realized users can "Continue to this
website (not recommended)" and get to the site anyway. Can the IIS
configuration be set up to disable auto-import for browsers (which I
doubt), or is there a way a "server" certificate can force a password
prompt during the auto-import? For example, do certificates from a real
CA have more capabilities?

I'm obviously new to this, and have also read about requiring client
certificates in IIS, but don't really understand how they could be easily
implemented in our environment.

Any suggestions?

TIA,
Don

Author
14 Dec 2006 8:53 PM
Miha Pihler [MVP]
Hi Don,

You can't use SelfSSL for client authentication; you can only use it on the
server itself. Certificates have their intended purposes (e.g. "Ensures the
identity of a remote computer" or "Proves your identity to a remote
computer"). The first one is used on the server for SSL, the second one is
used by clients for certificate authentication.

If your clients are part of a domain, you can install your own CA server and
deploy certificates to your users using Group Policies...

Here is some information on how to deploy a CA in your environment.

Best practices:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws3pkibp.mspx

Certificate templates:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03crtm.mspx

Operations guide:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03pkog.mspx

Managing PKI:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/mngpki.mspx

Advanced certificate enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Web enrollment:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx

--
Mike
Microsoft MVP - Windows Security

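The reply above rests on one fact: a certificate's Extended Key Usage (EKU) fixes what it may be used for, so a server certificate (what SelfSSL produces) cannot double as a client certificate, and a client certificate will not be accepted as a server certificate. The script below is an added example, not code from the thread or from SelfSSL/IIS. It uses openssl to stand up a hypothetical private CA ("Example Internal CA"), issues one certificate with EKU serverAuth and one with EKU clientAuth (the names www.example.internal and alice are made up), and then runs the same purpose check a browser or IIS performs when deciding whether to trust a server certificate or accept a client certificate.

```shell
#!/bin/sh
# Added example (not from the thread). Shows that EKU decides whether a cert
# verifies as an SSL server or an SSL client. Needs only openssl on PATH.
# All names and files below are this example's own assumptions.
set -eu

workdir=$(mktemp -d)
cd "$workdir"

# 1. A private CA (hypothetical "Example Internal CA") that signs both certs.
cat > ca.cnf <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config ca.cnf \
  -keyout ca.key -out ca.crt 2>/dev/null

# issue NAME EKU: create a key and CSR for NAME and have the CA sign it with
# the given extendedKeyUsage (serverAuth or clientAuth).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$2" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
}

# verifies_for NAME PURPOSE: exit 0 if NAME.crt chains to the CA and is valid
# for PURPOSE (sslserver or sslclient), non-zero otherwise. This is the check
# a browser makes on a server cert and IIS makes on a presented client cert.
verifies_for() {
  openssl verify -CAfile ca.crt -purpose "$2" "$1.crt" >/dev/null 2>&1
}

# eku NAME: print the EKU of NAME.crt as openssl names it, e.g.
# "TLS Web Server Authentication" (the Windows viewer's "Ensures the identity
# of a remote computer") or "TLS Web Client Authentication" ("Proves your
# identity to a remote computer").
eku() {
  openssl x509 -in "$1.crt" -noout -text \
    | grep -A1 'Extended Key Usage' | tail -n 1 | sed 's/^ *//'
}

issue www.example.internal serverAuth   # what SelfSSL / a web-server template gives
issue alice clientAuth                  # what a user needs for "Require client certificates"

for name in www.example.internal alice; do
  printf '%s: EKU = %s\n' "$name" "$(eku "$name")"
  for purpose in sslserver sslclient; do
    if verifies_for "$name" "$purpose"; then r=ok; else r=REJECTED; fi
    printf '  -purpose %-9s %s\n' "$purpose" "$r"
  done
done
```

Run as-is; the server certificate passes `-purpose sslserver` and is rejected for `sslclient`, and alice's certificate does the reverse. Exporting the SelfSSL .pfx to users, as the original post tried, only adds a server certificate to their trust store; it gives them nothing to present back to IIS, which is why "Require client certificates" needs certificates issued with clientAuth, from a CA the server trusts.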
Author
15 Dec 2006 12:05 AM
Don Thimsen
Mike,

The MS Certificate Authority for the client certificates was never an
option - all the external users are outside our domain (and our control).

I finally decided to go with an external CA, and for our needs found that
CAcert works fine. It took me most of the day to get everything set up
correctly, but the website is now functional with a server certificate and
requires client certificates. Both are provided by CAcert...

Thanks,
Don


