Archive: IIS Server Security, October 2005
Smartcard-Webauthentication: Changes in IIS 6.0?
e9025902@stud2.tuwien.ac.at 2005-10-27, 2:48 am
Hi there!
I am testing Smartcard-Authentication with our Webapplication
on IIS 5.0 and IIS 6.0 and found the following different
behaviour: with IIS 5.0 the Smartcard PIN is asked for several times,
on each page, while with IIS 6.0 the PIN is asked for only once.
IIS 6.0 seems to cache the PIN, or rather the authentication
information. My tests showed that after approximately 15
minutes of inactivity the PIN is asked for again. Is this the Token
Cache Timeout (UserTokenTTL registry setting) or something else?
I read that SSL is handled differently in IIS 6, but does
anybody know if my "caching assumption" is correct?
Many thanks in advance
Christian Swoboda
Miha Pihler [MVP] 2005-10-28, 4:54 pm
Hi,
The PIN is only known to the local PC where you insert your smart card.
Information from the smart card (such as the private key) and the PIN are
never transmitted from the remote PC to IIS (this goes for IIS and all
other web servers).
--
Mike
Microsoft MVP - Windows Security
e9025902@stud2.tuwien.ac.at 2005-10-28, 4:54 pm
Hi!
The first posting was not phrased correctly; the 2 things that really
interest me are:
1) Why is the behaviour different between IIS 5.0 and IIS 6.0? (Of
course I prefer the IIS 6.0 behaviour ;-)
2) When I pull the smartcard on IIS 6.0 the client remains
authenticated!! Only after about 15 minutes of inactivity does the SSL
session seem to be renegotiated, and since the private key is missing it
fails. There was a thread in this group about this being very insecure;
do you know how to make this "more secure"? Possibly a webserver setting?
Thanks a lot!
Christian
Miha Pihler [MVP] 2005-10-28, 4:54 pm
Hi,
My comments are in-line....
<snip>
> The first posting was not phrased correctly; the 2 things that really
> interest me are:
>
> 1) Why is the behaviour different between IIS 5.0 and IIS 6.0? (Of
> course I prefer the IIS 6.0 behaviour ;-)
I believe this is some sort of misconfiguration of IIS 5.0. I don't think
this is a feature of IIS 6.0. I have used smart cards on both IIS 5 and 6 and
have the same experience with both (no need for repeated authentication on
the site when changing pages -- as you had).
> 2) When I pull the smartcard on IIS 6.0 the client remains
> authenticated!! Only after about 15 minutes of inactivity the SSL
> session seems to be renegotiated and since the private key is missing
> it fails. There was a thread in this group about this being very
> insecure, do you know how to make this "more secure"?
> Possibly a webserver setting?
You can (should?) change UserTokenTTL from the default 15 minutes to e.g. 5
or so...
--
Mike
Microsoft MVP - Windows Security
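Added example, not part of the original thread: a PowerShell helper that reads the current UserTokenTTL and sets the shorter value the reply suggests, showing the default 15-minute window beside the hardened 5-minute one. The registry key path is an assumption taken from the documented IIS parameters location (the thread names only the value, not where it lives); the value is a DWORD in seconds and IIS must be restarted for it to take effect.

```powershell
# Added example, not from the thread. ASSUMPTION: UserTokenTTL is a REG_DWORD
# (seconds) under the IIS InetInfo parameters key; the thread names only the
# value, so confirm the location on your own server before changing it.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'
$ValueName = 'UserTokenTTL'

# Weak: the 15 minutes observed in the thread (900 s) is the default, and per
# the reply above it is the window in which a pulled smart card's cached token
# still passes as authenticated. Hardened: the reply's suggestion of ~5 minutes.
$DefaultSeconds  = 15 * 60
$HardenedSeconds = 5 * 60

function Get-UserTokenTTL {
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $DefaultSeconds }   # value absent => default applies
    return [int]$item.$ValueName
}

function Set-UserTokenTTL([int]$Seconds) {
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord `
        -Value $Seconds -Force | Out-Null
}

"Current UserTokenTTL: $(Get-UserTokenTTL) seconds"
Set-UserTokenTTL -Seconds $HardenedSeconds
"New UserTokenTTL: $(Get-UserTokenTTL) seconds (run iisreset for it to take effect)"
```

Run it in an elevated session; the change applies only after IIS is restarted.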