iis not transferring clients to ssl port
Hi,

A friend of mine is having problems setting up ssl on his
server and I am hoping someone can help.

He has a win 2000 server with iis and ca installed. He
is not using Active Directory. He has created and tested
his certificate and the server is sending out that
certificate. The problem is that iis is not transferring
the client's pc to port 443. Where does he go in iis to
tell iis what port to send people when they put https in
the browser? Are there any check boxes along with that?
I'm basically looking for any set up instructions that
could help him along.

Thanks

Paul Lynch 2004-05-20, 8:35 pm
On Thu, 20 May 2004 13:25:46 -0700, "Marty" <marty@gpagallery.com>
wrote:
>Hi,
>
>A friend of mine is having problems setting up ssl on his
>server and I am hoping someone can help.
>
>He has a win 2000 server with iis and ca installed. He
>is not using Active Directory. He has created and tested
>his certificate and the server is sending out that
>certificate. The problem is that iis is not transferring
>the client's pc to port 443. Where does he go in iis to
>tell iis what port to send people when they put https in
>the browser? Are there any check boxes along with that?
>I'm basically looking for any set up instructions that
>could help him along.
>
>Thanks

Hello,
Try this KB article:
HOW TO: Enable SSL for All Customers Who Interact with Your Web Site
in Internet Information Services
http://support.microsoft.com/?id=298805
Regards,
Paul Lynch
MCSE

Marty Bleck 2004-05-21, 5:47 pm
Hi Paul,
He wants to set up the server to allow the web masters to be able to
select which pages are protected (i.e. https instead of http). He and I
have seen this done. He is not using active directory so he has to tell
iis what port to transfer the client's web browser to. He can't find
where to do this. Setting it up using active directory works fine, but
he wants the webmasters to be able to secure only the pages they want
without being transferred to a sub domain. You can tell the sites that
are set up this way when they secure the page but you are not
transferred to a sub domain. A few of the sites that I have contacted
seem unwilling to share how they set this up. That is why I posted to a
microsoft forum hoping that someone that works for ms would say 'oh yeah,
you just have to go here and click this check box'. I've been through
almost every kb about ssl and have found nothing, that is why I resorted
to using the forums. Thanks in advance for any help you can provide.

David Wang [Msft] 2004-05-23, 2:30 am
There are several ways to do this. The main difference is "where does the
requirement that page X requires SSL exist"? It can either live in
individual ASP pages, inside of IIS metabase at a per-URL level, or inside
some central text file.
However, you need to understand that there are limits to implementing an
"automatic transfer from HTTP to HTTPS" using modern browsers and web
servers. Namely, it does not work for posted FORMS, and it cannot be done
without changing the URL in the location bar in the browser. This is
because for all intents and purposes, the "transfer" from HTTP to HTTPS is
over a new socket connection as well as port #, which triggers the client to
both display the new URL as well as warn on re-posted FORMs.
One way is to have each page that is supposed to be secured to check if they
are accessed over secured channel, and if not, redirect. i.e.

<%
' Check if request is over HTTPS or not
' If it is not over HTTPS, send a 302 redirection to this page over HTTPS
IF Request.ServerVariables("SERVER_PORT_SECURE") = "0" THEN
    ' Be aware that this is vulnerable to Cross-site scripting attack...
    ' (the trailing "_" continues the statement onto the next line)
    Response.Redirect "https://" & Request.ServerVariables("HTTP_HOST") & _
        Request.ServerVariables("SCRIPT_NAME") & "?" & _
        Request.ServerVariables("QUERY_STRING")
END IF
' Rest of ASP page
%>

Another way is to have IIS check if a URL is supposed to be accessed over a
secured channel, and if not, send a 403.4 custom error, which you will
hijack and use to send the redirection. i.e.
1. Go to IIS Manager UI
2. Select the file to require SSL, choose right-click properties, and go to
the "File Security" tab
3. Select "Edit" under "Secure communications" and check the "Require secure
channel (SSL)" option. OK
4. Select the "Custom Errors" tab and modify 403.4 to execute a URL. You
can make it execute the ASP code I gave above to see what is happening and
how to custom-tailor to your needs
Both "File Security" and "Custom Errors" can be set at a per-URL level or
aggregated to a per-vdir or per-website level, so you can fine-tune it
however you wish.
This general idea can be extended such that all configuration is centralized
instead of spread out amongst individual files. You can write an ISAPI
Filter that triggers on all incoming URLs, inspect the URL and compare
against a list of URLs from a text file that "must be over SSL", and if the
request isn't over SSL, send a 302 redirection. This isn't as easy as
writing an ASP page or twiddling IIS configuration, but it's doable.
--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Marty Bleck" <mbleck@gciepage.com> wrote in message
news:e4gPJt0PEHA.2976@TK2MSFTNGP10.phx.gbl...
Hi Paul,
He wants to set up the server to allow the web masters to be able to
select which pages are protected (i.e. https instead of http). He and I
have seen this done. He is not using active directory so he has to tell
iis what port to transfer the client's web browser to. He can't find
where to do this. Setting it up using active directory works fine, but
he wants the webmasters to be able to secure only the pages they want
without being transferred to a sub domain. You can tell the sites that
are set up this way when they secure the page but you are not
transferred to a sub domain. A few of the sites that I have contacted
seem unwilling to share how they set this up. That is why I posted to a
microsoft forum hoping that someone that works for ms would say 'oh yeah,
you just have to go here and click this check box'. I've been through
almost every kb about ssl and have found nothing, that is why I resorted
to using the forums. Thanks in advance for any help you can provide.
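
The per-page check from David Wang's reply, reworked as an added example (not code from the thread): it builds the redirect target from a fixed host name instead of the client-supplied Host header, redirects only GET and HEAD requests because a posted form does not survive the transfer, and drops query strings that contain raw markup or control characters. CANONICAL_HOST, IsSafeQuery and BuildSecureUrl are hypothetical names, and www.example.com is a placeholder.

```asp
<%
' Added example, not from the thread. Place at the very top of the page,
' before any output, so the status and headers can still be set.
' CANONICAL_HOST is a placeholder (assumption): use the site's real host name.
Const CANONICAL_HOST = "www.example.com"

' True when the raw query string has no characters that should never appear
' unencoded in a URL (markup delimiters, quotes, spaces, control characters).
Function IsSafeQuery(qs)
    Dim i, c
    IsSafeQuery = True
    For i = 1 To Len(qs)
        c = AscW(Mid(qs, i, 1))
        If c <= 32 Or c >= 127 Or c = 34 Or c = 39 Or c = 60 Or c = 62 Then
            IsSafeQuery = False
            Exit Function
        End If
    Next
End Function

' Build the HTTPS URL from the fixed host; the Host header is never echoed.
Function BuildSecureUrl(scriptName, qs)
    Dim url
    url = "https://" & CANONICAL_HOST & scriptName
    If Len(qs) > 0 And IsSafeQuery(qs) Then url = url & "?" & qs
    BuildSecureUrl = url
End Function

Dim reqMethod, reqPath, reqQuery
If Request.ServerVariables("SERVER_PORT_SECURE") = "0" Then
    reqMethod = UCase(CStr(Request.ServerVariables("REQUEST_METHOD")))
    reqPath = CStr(Request.ServerVariables("SCRIPT_NAME"))
    reqQuery = CStr(Request.ServerVariables("QUERY_STRING"))
    If reqMethod = "GET" Or reqMethod = "HEAD" Then
        ' Send the 302 by hand with an empty body, so no request data is echoed.
        Response.Status = "302 Found"
        Response.AddHeader "Location", BuildSecureUrl(reqPath, reqQuery)
    Else
        ' A posted form cannot be carried across the redirect; refuse it.
        Response.Status = "403 Forbidden"
        Response.Write "This page must be requested over HTTPS."
    End If
    Response.End
End If
' Rest of ASP page
%>
```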