Certs for SSL (IIS Server Security, January 2006)
| Hi,
I want to transfer files via HTTP from a web server to an XP client. I want
to ensure the integrity of the HTTP transfer and I also need clients to
authenticate, but they cannot use Kerberos, NTLM etc. as there is a firewall
between the server and client which only allows port 80 and 443.
So I am thinking of using SSL, with a cert on the web server with certs on the
clients too. The thing is I have no CA and these machines cannot access the
internet. How can I use certs on these machines? If I get certs from VeriSign,
wouldn't I also need the root CA too or put the cert into the trusted CA list?
Thanks
| |
| Miha Pihler [MVP] 2006-01-05, 6:07 pm |
| Hi,
You can use Basic Authentication, but you have to know that it transfers
the username and password in clear text. The firewall does not have any
influence on this type of authentication.
Since the username and password are sent in clear text, this is a good solution
in combination with SSL, which will encrypt the communication, including the
username and password that are sent from client to server.
In this case you would only have to install a certificate on the server where
IIS is. If the server does not have access to the internet then you can
transfer all the files that you need to do a request and installation of the
VeriSign certificate on floppy, USB key or any other media, ...
Let us know if you need any further help on this.
--
Mike
Microsoft MVP - Windows Security
"rui" <rui@discussions.microsoft.com> wrote in message
news:96316068-EB2C-4A9D-BF40-93D4FBB81B50@microsoft.com...
> Hi,
>
> I want to transfer files via HTTP from a web server to an XP client. I want
> to ensure the integrity of the HTTP transfer and I also need clients to
> authenticate, but they cannot use Kerberos, NTLM etc. as there is a firewall
> between the server and client which only allows port 80 and 443.
>
> So I am thinking of using SSL, with a cert on the web server with certs on the
> clients too. The thing is I have no CA and these machines cannot access the
> internet. How can I use certs on these machines? If I get certs from VeriSign,
> wouldn't I also need the root CA too or put the cert into the trusted CA list?
>
> Thanks
>
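
The combination described in the reply above (Basic Authentication carried only inside SSL, with the client checking the server certificate), as an added example that is not part of any poster's message. The function names, the host name used in testing and the hand-copied CA file path are assumptions of this example.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit


def basic_auth_header(username, password):
    """Basic auth is base64("user:password"): an encoding, not encryption."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_credentials(header_value):
    """Reverse the header, as any device that sees the plain HTTP request can."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def tls_context(ca_file=None):
    """Verify the server certificate; with ca_file, trust only that CA bundle.

    On a network without internet access the CA certificate is copied to the
    client by hand (the path is an assumption of this example).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True            # certificate must match the host name
    ctx.verify_mode = ssl.CERT_REQUIRED  # no unverified connections
    return ctx


def build_request(url, username, password):
    """Attach Basic credentials only when the URL is HTTPS."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError("refusing to send Basic credentials without SSL/TLS")
    request = urllib.request.Request(url)
    request.add_header("Authorization", basic_auth_header(username, password))
    return request


def download(url, username, password, ca_file):
    """Fetch a file over verified HTTPS with Basic authentication."""
    request = build_request(url, username, password)
    with urllib.request.urlopen(request, context=tls_context(ca_file), timeout=30) as resp:
        return resp.read()
```
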
| |
| Bernard Cheah [MVP] 2006-01-06, 7:58 am |
| VeriSign is part of the trusted preconfigured in your machine, so no need to
worry. Here's a few KB for you to read:
HOW TO Set Up an HTTPS Service in IIS
http://support.microsoft.com/?id=324069
HOW TO Enable SSL for All Customers Who Interact with Your Web Site
in Internet Information Services
http://support.microsoft.com/?id=298805
--
Regards,
Bernard Cheah
http://www.iis-resources.com/
http://www.iiswebcastseries.com/
http://msmvps.com/blogs/bernard/
"rui" <rui@discussions.microsoft.com> wrote in message
news:96316068-EB2C-4A9D-BF40-93D4FBB81B50@microsoft.com...
> Hi,
>
> I want to transfer files via HTTP from a web server to an XP client. I want
> to ensure the integrity of the HTTP transfer and I also need clients to
> authenticate, but they cannot use Kerberos, NTLM etc. as there is a firewall
> between the server and client which only allows port 80 and 443.
>
> So I am thinking of using SSL, with a cert on the web server with certs on the
> clients too. The thing is I have no CA and these machines cannot access the
> internet. How can I use certs on these machines? If I get certs from VeriSign,
> wouldn't I also need the root CA too or put the cert into the trusted CA list?
>
> Thanks
>
| |
|
| Thanks for the reply.
The thing is the clients and the webserver have no common system directory.
They both exist in separate forests with no trust between.
If I was to use Basic Authentication, wouldn't I need to create local
accounts on the webserver? Also, you mentioned the firewall would have no
influence on basic authentication, is this because it is in clear text? Or
would the firewall have no influence on any type of IIS authentication
methods?
Thanks
"Miha Pihler [MVP]" wrote:
> Hi,
>
> You can use Basic Authentication, but you have to know that it transfers
> the username and password in clear text. The firewall does not have any
> influence on this type of authentication.
> Since the username and password are sent in clear text, this is a good solution
> in combination with SSL, which will encrypt the communication, including the
> username and password that are sent from client to server.
>
> In this case you would only have to install a certificate on the server where
> IIS is. If the server does not have access to the internet then you can
> transfer all the files that you need to do a request and installation of the
> VeriSign certificate on floppy, USB key or any other media, ...
>
> Let us know if you need any further help on this.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
> "rui" <rui@discussions.microsoft.com> wrote in message
> news:96316068-EB2C-4A9D-BF40-93D4FBB81B50@microsoft.com...
>
>
>
| |
|
|
| Miha Pihler [MVP] 2006-01-06, 5:56 pm |
| Yes, in this case you would have to create accounts for the users on your
web server.
Basic Authentication is transparent to the firewalls. It looks to the
firewall just like any other HTTP(S) traffic.
--
Mike
Microsoft MVP - Windows Security
"rui" <rui@discussions.microsoft.com> wrote in message
news:EC7B1160-3679-4AC1-BF52-567D8A8A9EAC@microsoft.com...
> Thanks for the reply.
>
> The thing is the clients and the webserver have no common system
> directory.
> They both exist in separate forests with no trust between.
>
> If I was to use Basic Authentication, wouldn't I need to create local
> accounts on the webserver? Also, you mentioned the firewall would have no
> influence on basic authentication, is this because it is in clear text? Or
> would the firewall have no influence on any type of IIS authentication
> methods?
>
> Thanks
>
> "Miha Pihler [MVP]" wrote:
>
| |
|
| Thanks
"Miha Pihler [MVP]" wrote:
> Yes, in this case you would have to create accounts for the users on your
> web server.
>
> Basic Authentication is transparent to the firewalls. It looks to the
> firewall just like any other HTTP(S) traffic.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "rui" <rui@discussions.microsoft.com> wrote in message
> news:EC7B1160-3679-4AC1-BF52-567D8A8A9EAC@microsoft.com...
>
>
>