|
|
You're in the
iis security
group:How to set up Client-side certification
iis security:
I set up private CA(certificate authority) and trying to test SSL(server-side and client-side also) now. ----------------------------- <Problem> Now server-side certification worked already, but client-side certification can not work well. Normally when access client-side certification site, pop up window will be displayed and ask the user which certification want to choice, but I can not see any certifications installed in the client machine. It is just a blank list box. Can not choice any client-side certifications here. ----------------------------- <Machines> CA server:Win2000serverSP4<Eng> IIS:XPproSP2<Eng> Client:Win2000proSP4<Jpn> *Every machine are set up inside same LAN. ----------------------------- <Checked already> 1:The CA is registered as trusted CA to IE(Client). 2:The CA is registered as trusted CA to IIS. 3:Server-side certification worked fine. 4:The client machine was installed client-side certification fine (can see in IE as a registered cerver-side certification). 5:The certifications are valid. 6:CA is valid. 7:Port mapping is fine(443). 8:Didn't use account mapping for client-side certification. Kindly give me advice. Best regards
Hi Mike
Thank you for your reply. Yes, I can see the certification in Tools -> Internet Options -> Content -> Certificates -> Personal. I installed some certifications, all certifications are listed here as client-side certification. And certification's status are valid (not expired), each. And in trusted CA also I can see the CA I set up. Plus, there was 1 wrong information. I use WinXPproSp1 as IIS machine.not SP2. Sorry. Best regards Hiko *** Sent via Developersdex http://www.developersdex.com ***
Hi,
If you e.g. open IE and go to Tools -> Internet Options -> Content -> Certificates. Do you see any certificates listed? If not, issue and install client certificates. -- Mike Microsoft MVP - Windows Security [quoted text, click to view] "HIKO" <ayamano74@hotmail.com> wrote in message news:d10edfb2.0501310515.3e40127d@posting.google.com... > Hi > > I set up private CA(certificate authority) and > trying to test SSL(server-side and client-side also) now. > ----------------------------- > <Problem> > Now server-side certification worked already, > but client-side certification can not work well. > Normally when access client-side certification site, > pop up window will be displayed and ask > the user which certification want to choice, > but I can not see any certifications installed > in the client machine. It is just a blank list box. > Can not choice any client-side certifications here. > ----------------------------- > <Machines> > CA server:Win2000serverSP4<Eng> > IIS:XPproSP2<Eng> > Client:Win2000proSP4<Jpn> > *Every machine are set up inside same LAN. > ----------------------------- > <Checked already> > 1:The CA is registered as trusted CA to IE(Client). > 2:The CA is registered as trusted CA to IIS. > 3:Server-side certification worked fine. > 4:The client machine was installed client-side certification fine > (can see in IE as a registered cerver-side certification). > 5:The certifications are valid. > 6:CA is valid. > 7:Port mapping is fine(443). > 8:Didn't use account mapping for client-side certification. > > Kindly give me advice. > > Best regards > > Hiko
Hm, ... strange.
Can you check what is the purpose listed in the certificates that you see under "Personal". You can see this if you select the certificate and click on View button... Here is an example: http://freeweb.siol.net/mpihler/purpose.jpg -- Mike Microsoft MVP - Windows Security [quoted text, click to view] "Hiko Hiko" <ayamano74@hotmail.com> wrote in message news:ud7ec08BFHA.3504@TK2MSFTNGP12.phx.gbl... > Hi Mike > > Thank you for your reply. > > Yes, I can see the certification in > Tools -> Internet Options -> Content -> > Certificates -> Personal. > I installed some certifications, > all certifications are listed here as > client-side certification. > And certification's status are valid > (not expired), each. > > And in trusted CA also I can see the CA I set up. > > Plus, there was 1 wrong information. > I use WinXPproSp1 as IIS machine.not SP2. > Sorry. > > Best regards > > Hiko > > > *** Sent via Developersdex http://www.developersdex.com *** > Don't just participate in USENET...get rewarded for it!
Hi Mike
Ok, the purpose is "Personal your identity to a remote computer". And I click "Advanced..", can see the check box "Client Authentication" is checked as default. *"Server Authentication" check box also checked as default. I tried Win2000proSP4 client, and other three WinXPproSp1 clients also, but on every machines it was result. Maybe I do same mistake on every machines. Or on server I do serious mistake. <Information of certificates registered in IE> 1:Personal : Can see a valid entry(Client-side certification). 2:OtherPeople : No entry 3:Intermediate Certification Authorities : Can see some entries. 4:Trusted Root Certification Authorities : Can see some entries. And can see the CA I set up here. 5:Trusted Publisher:No entry <IIS setting Information> 1:I choice gDefault Web Siteh apply server-side certification. And approved by CA, and adjusted it. 2:Enable grequire secure channel(not checked 128-bit encryption)h. 3:Selected gRequire client certificatesh. 4:Disable gEnable client certificate mappingh 5:Enable gEnable certificate trust listh 6:Can see the CA I set up in gCertificate trust List (selected as Current CTL)h. Thanks and best regards Hiko *** Sent via Developersdex http://www.developersdex.com ***
Hi,
Can you check this if it will help: How Do I Fix the Blank Certificate List Displayed When I Browse to an IIS 5.0 Web Site? http://support.microsoft.com/?id=285069 -- Mike Microsoft MVP - Windows Security [quoted text, click to view] "Hiko Hiko" <ayamano74@hotmail.com> wrote in message news:OdPaHIFCFHA.2568@TK2MSFTNGP10.phx.gbl... > Hi Mike > > Ok, > the purpose is > "Personal your identity to a remote computer". > And I click "Advanced..", > can see the check box "Client Authentication" is checked as default. > *"Server Authentication" check box also checked as default. > > I tried Win2000proSP4 client, and other three WinXPproSp1 clients also, > but on every machines it was result. > Maybe I do same mistake on every machines. > Or on server I do serious mistake. > > <Information of certificates registered in IE> > 1:Personal : Can see a valid entry(Client-side > certification). > 2:OtherPeople : No entry > 3:Intermediate Certification Authorities : Can see some > entries. > 4:Trusted Root Certification Authorities : Can see some > entries. And can see the CA I set up here. > 5:Trusted Publisher:No entry > > <IIS setting Information> > 1:I choice gDefault Web Siteh apply server-side > certification. And approved by CA, > and adjusted it. > 2:Enable grequire secure channel(not checked > 128-bit encryption)h. > 3:Selected gRequire client certificatesh. > 4:Disable gEnable client certificate mappingh > 5:Enable gEnable certificate trust listh > 6:Can see the CA I set up in gCertificate trust > List (selected as Current CTL)h. > > Thanks and best regards > > Hiko > > > > *** Sent via Developersdex http://www.developersdex.com *** > Don't just participate in USENET...get rewarded for it!
Hi Mike
Worked! <Reason> Private CA was not registered on IIS server in trusted root certification authorities. <Solution> Register private CA as trusted root on IIS server. I exported the certification certificates my private CA from client's "trusted root certification authorities", and imported same one on the IIS server's same place. I read the site you had introduced, and when I checked the console(mmc.exe) I realized this mistake. Thank you very much for your helping me! Have a nice day! Hiko *** Sent via Developersdex http://www.developersdex.com ***
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |