IIS Server Security - IIS Client Certificate Mapping


David Smith

2004-01-28, 4:37 am

Has anyone set up a system where users authenticate using
PKI Client Certificates?

I am doing such a thing right now and using the Many-to-One
mapping feature for IIS to map all certificates from a
particular Issuer to the "\Everyone" user account. I have
required Client Certificates as well.

The problem is: I tried to change the Issuer wildcard
rules so that the certificate would fail (just testing to
see if this would keep out intruders with certificates from
other issuers). Problem is, no matter what I put in, as long
as the user has a certificate IIS allows access,
regardless of the rules, where the certificate came from,
or who the subject is.

If this is the case then this is a MAJOR security flaw in
the IIS security model. Chances are I'm just missing
something, any ideas on what that might be?

Thanks
David Smith
dlsjr@dlsjr.com

Jochen Ruhland

2004-01-28, 11:35 am

Hi,

"David Smith" <dlsjr@dlsjr.com> wrote:

> Has anyone set up a system where users authenticate using
> PKI Client Certificates?

*snip*

> I am doing such a thing right now and using the Many-to-One
> mapping feature for IIS to map all certificates from a
> particular Issuer to the "\Everyone" user account. I have
> required Client Certificates as well.

Don't use "Everyone" ... take a real user.

> Problem is, no matter what I put in, as long
> as the user has a certificate IIS allows access,
> regardless of the rules, where the certificate came from,
> or who the subject is.

Who has access to the files in IIS? Check NTFS permissions. I guess that
everyone has read access.

> Chances are I'm just missing
> something, any ideas on what that might be?

Let me guess ... the client presents a valid certificate to IIS, IIS can't
find a rule to match that cert to a user, so IIS uses the anonymous
IUSR_system account. That account can access the files ...

Jochen
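
The failure mode Jochen describes (a certificate that matches no many-to-one rule is not rejected; the request simply continues as the anonymous account, which NTFS then lets read the content) is easy to reason about with a small model. The block below is an added illustration, not code from the thread or from IIS: the rule, config and account names are assumptions chosen for the model, and the "allowed"/"denied" outcomes stand in for the HTTP responses IIS would actually return. It shows why the poster's issuer rules appeared to have no effect while anonymous access stayed on, and what changes once it is turned off.

```python
# Added illustration (not from the thread): a model of how IIS many-to-one
# client-certificate mapping interacts with anonymous access and NTFS
# permissions, following Jochen's explanation. Names and outcome labels are
# assumptions for the model, not IIS's own API.
from dataclasses import dataclass, field


def parse_dn(dn: str) -> dict:
    """Parse a distinguished name like 'O=Corp CA, CN=Corp Root CA' into a dict."""
    parts = {}
    for component in dn.split(","):
        key, _, value = component.strip().partition("=")
        if key:
            parts[key.strip().upper()] = value.strip()
    return parts


@dataclass
class Rule:
    """A many-to-one mapping rule: every listed issuer field must match."""
    name: str
    issuer_match: dict   # e.g. {"O": "Corp CA"}
    mapped_user: str     # Windows account the rule maps matching certs to


@dataclass
class SiteConfig:
    rules: list
    anonymous_enabled: bool                  # the site's anonymous-access setting
    anonymous_account: str = "IUSR_SERVER"   # constructed placeholder account name
    ntfs_readers: set = field(default_factory=lambda: {"Everyone"})  # who has Read on the files


def find_mapping(cert_issuer: str, rules: list):
    """Return the first rule whose issuer fields all match the certificate's issuer."""
    issuer = parse_dn(cert_issuer)
    for rule in rules:
        if all(issuer.get(k.upper()) == v for k, v in rule.issuer_match.items()):
            return rule
    return None


def evaluate_request(cert_issuer: str, config: SiteConfig) -> tuple:
    """Decide (outcome, effective_user) for a client that presented a certificate."""
    rule = find_mapping(cert_issuer, config.rules)
    if rule is not None:
        # A rule matched: the request runs as the mapped account.
        return ("allowed", rule.mapped_user)
    # No rule matched. In this model the mapping layer does not reject the
    # request by itself; what happens next depends on anonymous access.
    if not config.anonymous_enabled:
        return ("denied", None)
    if "Everyone" in config.ntfs_readers or config.anonymous_account in config.ntfs_readers:
        # The anonymous account can read the files, so the unmapped client gets in.
        return ("allowed", config.anonymous_account)
    return ("denied", None)


CORP_RULE = Rule("Corp issuer", {"O": "Corp CA"}, "CORP\\certusers")  # constructed rule
FOREIGN_CERT = "O=Other CA, CN=Other Root"                           # constructed issuer DN


def observed_behaviour() -> tuple:
    """The poster's setup: issuer rule present, anonymous access and Everyone:Read left on."""
    cfg = SiteConfig(rules=[CORP_RULE], anonymous_enabled=True)
    return evaluate_request(FOREIGN_CERT, cfg)


def hardened_behaviour() -> tuple:
    """Same rule with anonymous access disabled: an unmatched certificate is refused."""
    cfg = SiteConfig(rules=[CORP_RULE], anonymous_enabled=False)
    return evaluate_request(FOREIGN_CERT, cfg)


def matched_behaviour() -> tuple:
    """A certificate from the expected issuer still maps to the real account."""
    cfg = SiteConfig(rules=[CORP_RULE], anonymous_enabled=False)
    return evaluate_request("O=Corp CA, CN=Corp Root CA", cfg)


if __name__ == "__main__":
    print("anonymous on, foreign cert :", observed_behaviour())
    print("anonymous off, foreign cert:", hardened_behaviour())
    print("anonymous off, corp cert   :", matched_behaviour())
```

The takeaway the model makes explicit: the mapping rules decide which account a matching certificate becomes, not whether a non-matching certificate is admitted. Admission is only enforced once anonymous access is off (or the anonymous account has no NTFS read right on the content), and the mapped target should be a real account, as Jochen says, rather than "Everyone".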

Paul Lynch

2004-01-29, 4:37 am

On Wed, 28 Jan 2004 09:48:42 -0800, "David Smith" <dlsjr@dlsjr.com>
wrote:

> Has anyone set up a system where users authenticate using
> PKI Client Certificates?
>
> I am doing such a thing right now and using the Many-to-One
> mapping feature for IIS to map all certificates from a
> particular Issuer to the "\Everyone" user account. I have
> required Client Certificates as well.
>
> The problem is: I tried to change the Issuer wildcard
> rules so that the certificate would fail (just testing to
> see if this would keep out intruders with certificates from
> other issuers). Problem is, no matter what I put in, as long
> as the user has a certificate IIS allows access,
> regardless of the rules, where the certificate came from,
> or who the subject is.
>
> If this is the case then this is a MAJOR security flaw in
> the IIS security model. Chances are I'm just missing
> something, any ideas on what that might be?
>
> Thanks
> David Smith
> dlsjr@dlsjr.com

David,

Try these articles:

How To: Set Up Client Certificates
http://msdn.microsoft.com/library/d.../SecNetHT17.asp

HOW TO: Configure Client Certificate Mappings in Internet Information
Services (IIS) 5.0
http://support.microsoft.com/?id=313070


Regards,

Paul Lynch
MCSE
Copyright 2003 - 2008 webservertalk.com