Monday, December 16, 2013

Configure client certificate mapping on iis for mutual authentication

IIS Client certificate settings:
There are two places for client certificate settings in iis manager. It is very important to understanding the difference of these two settings.

The first place is in SSL settings under each web application's setting. There is a client certificate radio button. If it is selected as required, it means, when client connects to server using ssl, server will challenge the client's certificate, and the client certification must be signed by a root CA trusted by server (existing in server's Trusted root CA store). For example, a web application can allow anonymous authentication, but require client to use ssl with "Require" client certificate. If so, as long as client certificate is signed by a trusted CA, the client can finish the request without any one-to-one or many-to-one setting described in the second place.

The second place is web site scope setting of Configuration Editor under "Default web site".  The setting is for authenticating a client using client certificate. Note under web application's authentication setting, you can only set Anonymous, Basic, Digest, Form... authentication, there is not a client certificate setting for you to enable. So in order to enable client certificate authentication for your web app, you should disable all authentication items for your app under its authentication settings. And then using configuration editor under the default web site to enable it by configuring either one-to-one mapping or one-to-many mapping. Otherwise, as you already disabled all authentication method, even if the client certificate is trusted by server, the client cannot be authenticated by server and causes the request to fail. Note if you has enabled other kind authentication under authentication settings, the client certificate mapping is really not necessary.

Generate client certificate
(Steps are from: http://msdn.microsoft.com/en-us/library/ff650751.aspx)
1.Generated root certificate for creating client cert.
Open a Visual Studio command prompt and browse to the location where you want to save the certificate files. Run the following command to create the root CA:
makecert -n "CN=RootCaClientTest" -r -sv RootCaClientTest.pvk RootCaClientTest.cer

2. Create a Certificate Revocation List File from the Root Certificate with following command:
makecert -crl -n "CN=RootCaClientTest" -r -sv RootCaClientTest.pvk RootCaClientTest.crl

3. Install Your Client Root Certificate Authority on the Client and Server Machines with following steps:
In the command console, type MMC and then click OK.
In the Microsoft Management Console, on the File menu, click Add/Remove Snap-in.
In the Add Remove Snap-in dialog box, click Add.
In the Add Standalone Snap-in dialog box, select Certificates and then click Add.In the Certificates snap-in dialog box, select the Computer account radio button (because the certificate needs to be made available to all users), and then click Next.
In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
In the Add Standalone Snap-in dialog box, click Close.
In the Add/Remove Snap-in dialog box, click OK.
In the left pane, expand the Certificates (Local Computer) node, and then expand the Trusted Root Certification Authorities folder.
Under Trusted Root Certification Authorities, right-click the Certificates subfolder, click All Tasks, and then click Import.
On the Certificate Import Wizard welcome screen, click Next.
On the File to Import screen, click Browse.
Browse to the location of the signed root CA RootCaClientTest.cer file copied in Step 1, select the file, and then click Open.
On the File to Import screen, click Next
On the Certificate Store screen, accept the default choice and then click Next.
On the Completing the Certificate Import Wizard screen, click Finish.

4. Install the Certificate Revocation List File (CLR) on the Server and Client Machines, which is checked during the certificate validation process.

In the command line, type MMC, add Certificates snap-in, and then click Add.
In the Certificates snap-in dialog box, select the Computer account radio button (because the certificate needs to be made available to all users), and then click Next.
In the Select Computer dialog box, leave the default Local computer: (the computer this console is running on) selected and then click Finish.
In the left pane, expand the Certificates (Local Computer) node, and then expand the Trusted Root Certification Authorities folder.
Under Trusted Root Certification Authorities, right-click the Certificates subfolder, select All Tasks, and then click Import.
On the Certificate Import Wizard welcome screen, click Next.
On the File to Import screen, click Browse.
On the Files of Type screen, select Certificate Revocation List.
Browse to the location of the signed root CA RootCaClientTest.crl file copied in Step 1, select the file, and then click Open.
On the File to Import screen, click Next.
On the Certificate Store screen, accept the default choice and then click Next.
On the Completing the Certificate Import Wizard screen, click Finish.

5. Create and Install Your Temporary Client Certificate

Open a Visual Studio command prompt and browse to the location where the root CA certificate and private key file you created are stored.
Run the following command for creating a certificate signed by the root CA certificate:
makecert -sk MyKeyName -iv RootCaClientTest.pvk -n "CN=tempClientcert" -ic RootCaClientTest.cer -sr currentuser -ss my -sky signature -pe 

In this command:
-sk specifies the key container name for the certificate. This needs to be unique for each certificate you create.
-iv specifies the private key file from which the temporary certificate will be created. You need to specify the root certificate private key file name that was created in the previous step and make sure that it is available in the current directory. This will be used for signing the certificate and for key generation.
-n specifies the key subject name for the temporary certificate. The convention is to prefix the subject name with "CN = " for "Common Name".
-ic specifies the file containing the root CA certificate file generated in the previous step.
-sr specifies the store location where the certificate will be installed. The default location is currentuser. For certificate authentication, this is the default location that Microsoft Internet Explorer uses for when browsing Web sites that require a client certificate.
-ss specifies the store name for the certificate. My is the personal store location of the certificate.
-sky specifies the key type, which could be either signature or exchange. Using signature makes the certificate capable of signing and enables certificate authentication.
-pe specifies that the private key is generated in the certificate and installed with it in the certificate store. When you double-click the certificate on the General tab, you should see the message “You have a private key that corresponds to this certificate” displayed at the bottom. This is a requirement for certificate authentication. If the certificate does not have the corresponding private key, it cannot be used for certificate authentication.

6. The steps to generate iis server certificate for ssl connection  is not included here, please refer http://jonathanblog2000.blogspot.ca/2013/12/how-to-deploy-aspnet-project-to-iis-by.html.

Configure IIS for client certificate authentication (one-to-one mapping)
(http://www.iis.net/learn/manage/configuring-security/configuring-one-to-one-client-certificate-mappings)
1. Getting the Certificate Blob
Export the client cert file TempClientCert.cer from MMC certificate snap-in with Base64 encoding.  Right click on your client .cer file, and open it in notepad.
Remove -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----
Format the certificate blob to be a single line.
Save this file as clientCertBlob.txt

2. Configure IIS for client certificate One to One Mapping
Start  IIS Manager,
Select the web site (Default Web Site, this can not be done on web application) that is being configured and open Configuration Editor icon
Type "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" in the Section drop down box.
Select the enabled field and change the value to true
Select the oneToOneCertificateMappingsEnabled property grid entry and change the value to true
Select the oneToOneMappings property grid entry and click Edit Items... in the Actions Task Pane
Click Add in the Collection Editor task list
Copy the single string certificate blob from above and paste it into the certificate field
Set the userName and password that clients will be authenticated as.
Set the enabled field to true
Close Collection Editor
Click Apply in the Actions Task Pane

3: Enabling Client Certificate Authentication For A Web Site Using SSL
Once a mapping has been created and the feature has been enabled, a site must be configured to use client certificates.
From  IIS Manager UI, select the SSL web application you want to use client certificates
Select the SSL settings module
Under Client certificates: select the Require or Accept radio button
Click Apply in the Actions Task Pane
Disable all authentication method for the web application.


4: Verifying It All Works (using firefox)

Export client certificate with private key to a file.
Import client certificate (with private key) into firefox browser by opening option->advanced->Certificate tab. Select view certificate, and import the certificate into "Your Certificate" tab. Once it is done, it will show the certificate under RootCaClientTest node.
Use https connection to visit the iis web application. You will be prompted to select a client certificate.


Configure IIS for client certificate authentication (many-to-one mapping)
(https://blogs.iis.net/webtopics/archive/2010/04/27/configuring-many-to-one-client-certificate-mappings-for-iis-7-7-5.aspx)
If you are within an enterprise environment, and each developer already has his own corporate certificate, it is easier to setup many-to-one client certificate for iis mutual authentication.

Similar to one-to-one mapping, select the configuration editor under the default web site, and set enabled to true
Set manyToOneCertificateMappingsEnabled to True
Select manyToOneMappings and click on the extreme end at the Ellipsis button to launch the new window for configuring mappings.
Under this new window go ahead and Add a new item. You can modify the properties from within the window
Click on the Ellipsis button for rules and this will give you an option to add multiple patterns for matching based on certificate properties. For example, you can set certificateField to "Issuer" and certificateSubField to "CN", and matchCriteria to "SSO_CA", it will map the client certificate issued by SSO_CA to the specified user account.
Set the userName and password that clients will be authenticated as.
Apply the change.
Disable all authentication methods under web application's authentication settings.
Request the server from browser and you should be prompted for client certificate.

27 comments:

  1. Hi,
    Thanks a lot for sharing such a good source with all, i appreciate your efforts taken for the same. I found this worth sharing and must share this with all.
    Certificate Authentication

    ReplyDelete
  2. Once a mapping has been created and the feature has been enabled, a site must be configured to use client certificates.
    Brooklyn Nine Nine Leather Jacket

    ReplyDelete
  3. I'm as of now coding a venture in Angular, instylejackets and I need to execute route dependent on jobs. I began some time prior however as of not long ago I've assembled the whole application dependent on the administrator job which approaches each module, thus I wound up overlooking this subject for some time.For model, at the present time my ways resemble this:

    ReplyDelete
  4. Fly Ash Supplier Dallas
    Hasten Chemical is a team of professionals who work to maximize the bottom line results of its clients. As a wholesaler of chemical products, Hasten provides unconditional commitment to excellence in quality that will provide consistent results, and make us the partner of choice to help produce and maintain growth of Products and Service Companies.

    ReplyDelete
  5. A debt of gratitude is in order for sharing this snippet of data. I truly appreciated it. keep doing awesome the absolute best of karma!Custom Assignment Writing Services

    ReplyDelete
  6. LOCAL is an independent life-style concept store that combines a specialty cafe, coffee beans Abu Dhabi, men's barbershop and an exclusive
    sneaker & street wear consignment store

    ReplyDelete
  7. Best Amazon Product in one Store at Coupon Gift Free xbox 360 messenger kit

    ReplyDelete
  8. Very nice Article I love it and want to share with my friends
    Vinyl fencing supplier in Saskatoon

    ReplyDelete
  9. Assignment a legal term used in the context of the law of contact and of property In both instances, assignment is the process whereby a person, the assignor, transfers rights or benefits to another, Read more at Australian Assignment Writers
    Australian Essay Writing Service

    ReplyDelete
    Replies
    1. At Envision Eye Care, we strive to provide comprehensive eye care for the whole family. From pediatric eye care to screening for various eye diseases to specialty contact lens fittings, we are equipped with the latest equipment for your eye care needs.
      eye doctor services Edmonton

      Delete
  10. Hasten Chemical is a team of professionals who work to maximize the bottom line results of its clients. As a wholesaler of chemical products, Hasten provides unconditional commitment to excellence in quality, that will provide consistent results, and make us the partner of choice to help produce and maintain growth of Products and Service Companies.chemical supplier houston

    ReplyDelete
  11. Hasten Cleanse LLC of Houston, Texas, USA produces a powerful product for tank cleaning in the petrochemical sector. We strive to deliver a quality product with professionalism unrivaled in the marketplace. We will do whatever it takes to be your vendor of choice in the hydrocarbon cleanup arena.Hydrocarbon Tank Cleaning

    ReplyDelete
  12. These jackets are completely fabulous and without any doubt, these jackets are designed in a way to make you look highlighted in a crowd. By wearing these jackets, you can easily enhance your looks and steal the spotlight right away.
    Men's Winter Coats

    ReplyDelete
  13. Get Our Famous Hollywood Movies Leather outfits available at our Online Store Instyle.com, We offer free shipping.
    bomber RAF shearling leather jacket

    ReplyDelete
  14. Ilforno is the Best italian restaurant in UAE offers Mozzarella cheese, tomato sauce, mushroom, black olives, chicken, pepperoni, Potato & cheddar cheese and many more delicious and cheezy Italian food to make your day, buy the best Italian food in abu dhabi
    Best Italian pizza in al ain

    ReplyDelete
  15. Identify and address the risks to business operations, improve performance, reduce costs, and increase revenue.What is Product Non-Conformance costing you? Consider the true cost of rework, wasted material, labour and energy.Operational Effectiveness Solutions Edmonton Has consumer confidence dropped causing a deterioration in your brand value?Contact us to start eliminating ineffective activities.

    ReplyDelete
  16. Hello Guys. How are you? Hope you all are fine, I am so happy to share with you a great thing for shopping, for men women, and also children collections are available here with 50% up to 90% discount, can you think? Such a big discount, Here are too much awesome offers and deal are available for you so come on guys what are you waiting for just check; and enjoy.
    Stylewe discount

    ReplyDelete
  17. Compared to concrete pavements, CBT is an affordable and time-saving solution for a variety of construction projects that rely on evenly distributed load-bearing platforms to remove sub-grade fatigue. What’s more, it has beenCEMENT TREATED BASE services in houston demonstrated that CBT exceeds the structural proprieties of a thicker crushed aggregate base, making it a standard choice for modern road construction. For more visit to our website.

    ReplyDelete
  18. Pediatric eye examinations performed by an Optometrist is important for ensuring a child’s eyes are healthy and have the visual skills necessary for learning and development. They are important to detect many eye conditions including: refractive error, strabismus, amblyopia, and more. Some visual conditions Optometry Edmontoncannot be treated adequately with just glasses, contact lenses and/or patching, and are best resolved through Vision Therapy.

    ReplyDelete
  19. Get Our Famous Hollywood Movies Leather outfits available at our Online Store Instyle.com, We offer free shipping.
    Men's Leather Bomber Jackets

    ReplyDelete
  20. This comment has been removed by the author.

    ReplyDelete
  21. Ramma foundation is a company and a foundation that provide crack repair snow remove and gutter clean service. We are the crack repair foundation in Alberta Edmonton. We provide services like crack repair, gutter clean services, show removal,foundation repair Edmonton in short we are the foundation repair in Edmonton.

    ReplyDelete
  22. Trust Ramma Edmonton foundation repair for reliable solutions to your foundation repair needs in Edmonton.

    ReplyDelete
  23. Cmolds is a leading mobile app development company, specializing in creating innovative and user-friendly mobile applications. With a team of skilled developers, they provide tailored solutions to help businesses thrive in the digital world.
    http://www.lacartes.com/business/Cmolds-App-Design-And-Development-Company/2268676

    ReplyDelete
  24. Mr Auto Approved is your trusted partner for securing hassle-free Truck loans calgary. With our expert team and seamless process, we make obtaining truck loans in Calgary a breeze. Drive your business forward with Mr Auto Approved today!

    ReplyDelete