Hi,
I've posted this question in the SBS forum several times but nobody seems to
know the answer. My question is specific to security in Small Business
Server 2003, as it applies to RWW (remote web workplace) and related web
sites created in IIS on SBS servers.
IIS creates a default web site and within it a virtual site called Remote
when SBS is installed. This site allows access to the entire SBS domain
(servers, clients, OWA, RWW, etc) with certain security provisions. SBS also
allows the creation of a self-signed certificate and the installation of
that certificate on client computers (and devices). I'm trying to understand
how IIS security works in this configuration so I can require a client
computer to have a self-signed certificate (from the SBS server) already
installed in order to access the Remote Web Workplace (RWW) site from the
Internet.
It appears the security control is embedded in the IIS settings on the SBS
server, under the default web site's \Remote virtual directory. In the
Directory Security properties of \Remote, under the Secure Communications
section there is a list of Client Certificate radio buttons. The 3 options
are: Ignore, Accept or Require client certificates. I cannot get "Require"
to work. There may be much more to it than just this one setting. What
settings are required to limit RWW access to clients with certificates? How
does this "Certificate Required" IIS function work in regular W2k3? Thanks.
Jeff Cochran - 03 Aug 2006 23:08 GMT
>Hi,
>
[quoted text clipped - 21 lines]
>settings are required to limit RWW access to clients with certificates? How
>does this "Certificate Required" IIS function work in regular W2k3? Thanks.
Require Certificate is a function of SSL. You need to configure SSL
for this to work. Not sure if you have, and I'm unfamiliar with the
intricacies of SBS.
Jeff
WenJun Zhang[msft] - 04 Aug 2006 10:20 GMT
Hi Hugh,
The require client certificate option will only be available after you
enable SSL on the site.
To set up an SSL certificate on the web site, you should first install
Certificate Services to build the server as your Certificate Authority (CA).
Then follow the article below to request and issue the certificate with the IIS
Server Certificate Wizard.
How To: Set Up SSL on a Web Server
https://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT16.asp
If anything is unclear, please don't hesitate to let me know.
Have a nice weekend.
Best Regards,
WenJun Zhang
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to:
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.
Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at:
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
WenJun Zhang[msft] - 09 Aug 2006 16:16 GMT
Hi Hugh,
Just want to check if you've resolved the problem per these suggestions?
Best Regards,
WenJun Zhang
Microsoft Online Community Support
HughM - 19 Aug 2006 04:25 GMT
WenJun,
My first problem is that Certificate Services is not installed on SBS 2003
servers and I've been advised on the SBS newsgroup not to install it! With
SSL enabled I am able to select the "certificate required" radio button but
it seems to have no effect (i.e. it does not require certificates). I have
an SBS server running in virtual mode (in addition to the "real" one) and
next week I will try to install certificate services on it and see what
happens. Thanks.
Hugh
_________________________________________________________
> Hi Hugh,
>
[quoted text clipped - 29 lines]
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
WenJun Zhang[msft] - 22 Aug 2006 16:13 GMT
Hi Hugh,
If you have concerns about installing Certificate Services on the SBS server, you
can build the CA on a member server of the domain.
I'll wait for your update. Have a nice week.
Sincerely,
WenJun Zhang
Microsoft Online Community Support
David Wang [Msft] - 05 Aug 2006 01:57 GMT
It sounds like you are asking to configure IIS to require Client Certificate
based authentication in order to access the /Remote vdir to limit access to
RWW to only those that have the Client Certificate.
If so, simply:
1. install that Self Signed certificate onto the server
2. right-click Property page of the Website, go to the "Directory Security"
tab, click on the "Server Certificate" button and configure it to use that
certificate. This enables SSL for the website using that Server Certificate
3. right-click Property page of /Remote vdir, go to "Directory Security"
tab, click on "Edit" for secure communications, check "Require secure
channel (SSL)". This automatically enables selection of "Require client
certificates".
IIS functions the same way in all Windows Server 2003 flavors. Just some
features may be disabled/crippled on the Professional SKUs.

//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
> Hi,
>
[quoted text clipped - 22 lines]
> How does this "Certificate Required" IIS function work in regular W2k3?
> Thanks.
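
Added example (not part of the original thread, and not Microsoft's code): the Secure Communications choices from step 3 above are stored in the IIS 6 metabase property AccessSSLFlags, and the Python below decodes that value and applies metabase inheritance to show which paths actually enforce "Require client certificates". The metabase paths (site ID 1, the child path names) and the values in SAMPLE are constructed assumptions.

```python
# Added example: decode IIS 6 AccessSSLFlags and report the effective
# client-certificate setting for a metabase path.

# Bit values of the IIS 6 metabase property AccessSSLFlags.
ACCESS_SSL = 0x08                 # "Require secure channel (SSL)"
ACCESS_SSL_NEGOTIATE_CERT = 0x20  # a client certificate is requested
ACCESS_SSL_REQUIRE_CERT = 0x40    # connection is refused without one


def effective_flags(metabase, path):
    """Return (defining_path, flags). Metabase properties inherit, so the
    nearest path at or above `path` that sets AccessSSLFlags wins."""
    parts = path.split("/")
    while parts:
        key = "/".join(parts)
        if key in metabase:
            return key, metabase[key]
        parts.pop()
    return None, 0


def audit(metabase, path):
    """Map the flags to the dialog's Ignore / Accept / Require choice and
    list combinations under which 'Require' is not a valid setting."""
    source, flags = effective_flags(metabase, path)
    issues = []
    if flags & ACCESS_SSL_REQUIRE_CERT:
        mode = "require"
        if not flags & ACCESS_SSL_NEGOTIATE_CERT:
            issues.append("RequireCert is set without NegotiateCert")
        if not flags & ACCESS_SSL:
            issues.append("RequireCert is set without Require SSL")
    elif flags & ACCESS_SSL_NEGOTIATE_CERT:
        mode = "accept"
    else:
        mode = "ignore"
    return {"path": path, "set_at": source, "mode": mode,
            "enforced": mode == "require" and not issues, "issues": issues}


# Constructed sample values, as read with a metabase tool such as adsutil.vbs.
SAMPLE = {
    "W3SVC/1/ROOT": 0x00,             # default web site root: no SSL required
    "W3SVC/1/ROOT/Remote": 0x68,      # SSL + negotiate + require
    "W3SVC/1/ROOT/Remote/sub": 0x08,  # hypothetical child overriding its parent
    "W3SVC/1/ROOT/Legacy": 0x40,      # hypothetical path with RequireCert only
}

if __name__ == "__main__":
    for p in list(SAMPLE) + ["W3SVC/1/ROOT/Remote/other"]:
        print(audit(SAMPLE, p))
```

A child path that sets its own AccessSSLFlags replaces the value inherited from /Remote, so each path under the vdir needs checking, not only the vdir itself.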