| Groups | Blog | Home |
iis security : How do I make a local machine client certificate available to all users?
Hi,
Using Windows Server 2003, i have set up a standalone certificate using the certsrv tools. When a client machine registers you can use the advanced form to 'Store Certificate in Local Computer Certificate Store'. This all works as intended when the client machine registers, but when a user logs on to the site using IE6 they still are met with the 'The page requires a client certificate' web page. I know i can export the local machine store certificate and then import per user through IE, but is there an easier way to do it? Ideally i want all users on a particular machine to automatically use the local computer stored certificate without need for individual IE install. Thanks for your help.
What are you trying to accomplish?
Are you trying to install one client certificate on machine and have all users logged into that machine automatically use that certificate to make a SSL request to your server? Because if so, what you want is very contrary to the whole security design of a client certificate. The whole purpose of client certificate is proof of identity. If you have multiple users that can use the same certificate, you might as well not bother requiring client certificates in the first place. Unless you are trying to enforce the requirement that only certain machines with client certificates, used by anyone, can access your server, but you can do that in other ways, like with IPSec. So... can you please describe what you are actually trying to do? //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] Assimalyst wrote:
> Hi, > > Using Windows Server 2003, i have set up a standalone certificate > using the certsrv tools. > > When a client machine registers you can use the advanced form to 'Store > Certificate in Local Computer Certificate Store'. > > This all works as intended when the client machine registers, but when > a user logs on to the site using IE6 they still are met with the 'The > page requires a client certificate' web page. > > I know i can export the local machine store certificate and then import > per user through IE, but is there an easier way to do it? Ideally i > want all users on a particular machine to automatically use the local > computer stored certificate without need for individual IE install. > > Thanks for your help.
Hi David,
Thank you for your response. Yes, the intention is to allow a machine access regardless of user, the website has a user login to track that. So it seems client certificates are not the way to go on this? I will look into IPSec, but of course any further comments are always welcome. Thanks again [quoted text, click to view] David Wang wrote:
> What are you trying to accomplish? > > Are you trying to install one client certificate on machine and have > all users logged into that machine automatically use that certificate > to make a SSL request to your server? Because if so, what you want is > very contrary to the whole security design of a client certificate. > > The whole purpose of client certificate is proof of identity. If you > have multiple users that can use the same certificate, you might as > well not bother requiring client certificates in the first place. > > Unless you are trying to enforce the requirement that only certain > machines with client certificates, used by anyone, can access your > server, but you can do that in other ways, like with IPSec. > > So... can you please describe what you are actually trying to do? > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // > > > > > Assimalyst wrote: > > Hi, > > > > Using Windows Server 2003, i have set up a standalone certificate > > using the certsrv tools. > > > > When a client machine registers you can use the advanced form to 'Store > > Certificate in Local Computer Certificate Store'. > > > > This all works as intended when the client machine registers, but when > > a user logs on to the site using IE6 they still are met with the 'The > > page requires a client certificate' web page. > > > > I know i can export the local machine store certificate and then import > > per user through IE, but is there an easier way to do it? Ideally i > > want all users on a particular machine to automatically use the local > > computer stored certificate without need for individual IE install. > > > > Thanks for your help.
I will elaborate on the situation as i am still a little unclear on the
bets course of action. I have Windows server 2003 SP1 running a website. I want to allow only specific machines to access this website over the internet. They will likely originate from 1 or 2 IP addresses, belonging to bureau of machines, where users may be using different machines within the bureau day to day. Ideally i would like to be able to track which machines are logged on, and which user is logged on with that machine. I can track users through the website, but am not so sure how to track the machine. I thought by using client certificates that the machine could be tracked, but the certificate is installed on a per user basis. I found i was able to install on the local machine certificate store, but the certificate still needed to be installed per user for them to gain access to the website. Any comments would be much appreciated. [quoted text, click to view] Assimalyst wrote:
> Hi David, > > Thank you for your response. > > Yes, the intention is to allow a machine access regardless of user, the > website has a user login to track that. > > So it seems client certificates are not the way to go on this? I will > look into IPSec, but of course any further comments are always welcome. > > Thanks again > > David Wang wrote: > > What are you trying to accomplish? > > > > Are you trying to install one client certificate on machine and have > > all users logged into that machine automatically use that certificate > > to make a SSL request to your server? Because if so, what you want is > > very contrary to the whole security design of a client certificate. > > > > The whole purpose of client certificate is proof of identity. If you > > have multiple users that can use the same certificate, you might as > > well not bother requiring client certificates in the first place. > > > > Unless you are trying to enforce the requirement that only certain > > machines with client certificates, used by anyone, can access your > > server, but you can do that in other ways, like with IPSec. > > > > So... can you please describe what you are actually trying to do? > > > > > > //David > > http://w3-4u.blogspot.com > > http://blogs.msdn.com/David.Wang > > // > > > > > > > > > > Assimalyst wrote: > > > Hi, > > > > > > Using Windows Server 2003, i have set up a standalone certificate > > > using the certsrv tools. > > > > > > When a client machine registers you can use the advanced form to 'Store > > > Certificate in Local Computer Certificate Store'. > > > > > > This all works as intended when the client machine registers, but when > > > a user logs on to the site using IE6 they still are met with the 'The > > > page requires a client certificate' web page. > > > > > > I know i can export the local machine store certificate and then import > > > per user through IE, but is there an easier way to do it? Ideally i > > > want all users on a particular machine to automatically use the local > > > computer stored certificate without need for individual IE install. > > > > > > Thanks for your help.
I have just found out the client machines operate from a DHCP server. I
presume then that IPSec will not work in this instance? Thanks [quoted text, click to view] Assimalyst wrote:
> I will elaborate on the situation as i am still a little unclear on the > bets course of action. > > I have Windows server 2003 SP1 running a website. I want to allow only > specific machines to access this website over the internet. They will > likely originate from 1 or 2 IP addresses, belonging to bureau of > machines, where users may be using different machines within the bureau > day to day. > > Ideally i would like to be able to track which machines are logged on, > and which user is logged on with that machine. I can track users > through the website, but am not so sure how to track the machine. > > I thought by using client certificates that the machine could be > tracked, but the certificate is installed on a per user basis. I found > i was able to install on the local machine certificate store, but the > certificate still needed to be installed per user for them to gain > access to the website. > > Any comments would be much appreciated. > > Assimalyst wrote: > > Hi David, > > > > Thank you for your response. > > > > Yes, the intention is to allow a machine access regardless of user, the > > website has a user login to track that. > > > > So it seems client certificates are not the way to go on this? I will > > look into IPSec, but of course any further comments are always welcome. > > > > Thanks again > > > > David Wang wrote: > > > What are you trying to accomplish? > > > > > > Are you trying to install one client certificate on machine and have > > > all users logged into that machine automatically use that certificate > > > to make a SSL request to your server? Because if so, what you want is > > > very contrary to the whole security design of a client certificate. > > > > > > The whole purpose of client certificate is proof of identity. If you > > > have multiple users that can use the same certificate, you might as > > > well not bother requiring client certificates in the first place. > > > > > > Unless you are trying to enforce the requirement that only certain > > > machines with client certificates, used by anyone, can access your > > > server, but you can do that in other ways, like with IPSec. > > > > > > So... can you please describe what you are actually trying to do? > > > > > > > > > //David > > > http://w3-4u.blogspot.com > > > http://blogs.msdn.com/David.Wang > > > // > > > > > > > > > > > > > > > Assimalyst wrote: > > > > Hi, > > > > > > > > Using Windows Server 2003, i have set up a standalone certificate > > > > using the certsrv tools. > > > > > > > > When a client machine registers you can use the advanced form to 'Store > > > > Certificate in Local Computer Certificate Store'. > > > > > > > > This all works as intended when the client machine registers, but when > > > > a user logs on to the site using IE6 they still are met with the 'The > > > > page requires a client certificate' web page. > > > > > > > > I know i can export the local machine store certificate and then import > > > > per user through IE, but is there an easier way to do it? Ideally i > > > > want all users on a particular machine to automatically use the local > > > > computer stored certificate without need for individual IE install. > > > > > > > > Thanks for your help.
It sounds like your client machines are Intranet machines which access
the Internet through a common Proxy, which then authenticate and access your server machine. [quoted text, click to view] >From a networking perspective, that Proxy intentionally masks the internal IP of the client machines from your server machine and is theonly one that knows how to map between the two. So, the only way for your server machine to know the client machine is if the client intentionally discloses its identity to the server. You were thinking of using machine-specific client certificates sent by the browser of that machine for all users, but that dream runs contrary to how reality works. An easy, proprietary approach would be for the client authentication protocol to also disclose the internal IP to the server, in the same way that it discloses the username. As for restricting access to your server - you can only restrict it to the IP of the Proxy using built-in IP Restriction of IIS or IPSec. If you want to restrict based on internal IP at the Bureaus, then you need to write your own proprietary code to retrieve the internal IP disclosed via the proprietary authentication protocol. All of this would be easy to do with built-in Windows functionality if the machines are "local" to each other. It is hard because the Proxy used at the Bureaus obscures the internal client machine's IP (by-design), so using standard tools, you can only approximate authentication based on the IP of the Proxy. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] Assimalyst wrote:
> I have just found out the client machines operate from a DHCP server. I > presume then that IPSec will not work in this instance? > > Thanks > > Assimalyst wrote: > > I will elaborate on the situation as i am still a little unclear on the > > bets course of action. > > > > I have Windows server 2003 SP1 running a website. I want to allow only > > specific machines to access this website over the internet. They will > > likely originate from 1 or 2 IP addresses, belonging to bureau of > > machines, where users may be using different machines within the bureau > > day to day. > > > > Ideally i would like to be able to track which machines are logged on, > > and which user is logged on with that machine. I can track users > > through the website, but am not so sure how to track the machine. > > > > I thought by using client certificates that the machine could be > > tracked, but the certificate is installed on a per user basis. I found > > i was able to install on the local machine certificate store, but the > > certificate still needed to be installed per user for them to gain > > access to the website. > > > > Any comments would be much appreciated. > > > > Assimalyst wrote: > > > Hi David, > > > > > > Thank you for your response. > > > > > > Yes, the intention is to allow a machine access regardless of user, the > > > website has a user login to track that. > > > > > > So it seems client certificates are not the way to go on this? I will > > > look into IPSec, but of course any further comments are always welcome. > > > > > > Thanks again > > > > > > David Wang wrote: > > > > What are you trying to accomplish? > > > > > > > > Are you trying to install one client certificate on machine and have > > > > all users logged into that machine automatically use that certificate > > > > to make a SSL request to your server? Because if so, what you want is > > > > very contrary to the whole security design of a client certificate. > > > > > > > > The whole purpose of client certificate is proof of identity. If you > > > > have multiple users that can use the same certificate, you might as > > > > well not bother requiring client certificates in the first place. > > > > > > > > Unless you are trying to enforce the requirement that only certain > > > > machines with client certificates, used by anyone, can access your > > > > server, but you can do that in other ways, like with IPSec. > > > > > > > > So... can you please describe what you are actually trying to do? > > > > > > > > > > > > //David > > > > http://w3-4u.blogspot.com > > > > http://blogs.msdn.com/David.Wang > > > > // > > > > > > > > > > > > > > > > > > > > Assimalyst wrote: > > > > > Hi, > > > > > > > > > > Using Windows Server 2003, i have set up a standalone certificate > > > > > using the certsrv tools. > > > > > > > > > > When a client machine registers you can use the advanced form to 'Store > > > > > Certificate in Local Computer Certificate Store'. > > > > > > > > > > This all works as intended when the client machine registers, but when > > > > > a user logs on to the site using IE6 they still are met with the 'The > > > > > page requires a client certificate' web page. > > > > > > > > > > I know i can export the local machine store certificate and then import > > > > > per user through IE, but is there an easier way to do it? Ideally i > > > > > want all users on a particular machine to automatically use the local > > > > > computer stored certificate without need for individual IE install. > > > > > > > > > > Thanks for your help.
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |