| Groups | Blog | Home |
iis security : s it possible to force IIS to accept any certificate?
why would you want to do this?
[quoted text, click to view] "Stanko Milosev" <testerayu@yahoo.com> wrote in message news:OvRH0003HHA.3684@TK2MSFTNGP02.phx.gbl... > Hello, > > I am trying to configure IIS to accept any certificate, from anyone, is > that possible? > > TIA! > Stanko. >
Hello,
I am trying to configure IIS to accept any certificate, from anyone, is that possible? TIA! Stanko.
We want to make web site with PHP, that if a user have a certificate, then,
for example, to give this user welcome screen, but if he don't have a certificate then to give him login screen. I have found that with _SERVER["CERT_SERIALNUMBER"] variable I can get client certificate serial number, but only if IIS server accepted user certificate... [quoted text, click to view] "Consultant" <consultant_mcngp@yahoo.com> wrote in message news:unhfGL33HHA.5360@TK2MSFTNGP03.phx.gbl... > why would you want to do this? > > "Stanko Milosev" <testerayu@yahoo.com> wrote in message > news:OvRH0003HHA.3684@TK2MSFTNGP02.phx.gbl... >> Hello, >> >> I am trying to configure IIS to accept any certificate, from anyone, is >> that possible? >> >> TIA! >> Stanko. >> > >
Your authentication protocol is not possible to implement in the
smooth fashion that you imagine, especially if you plan to use generic browsers like IE/Firefox/Opera or generic servers like Apache/IIS/ Java. With SSL, IIS supports ignoring, accepting, or requiring client certificate. With the latter two options, IIS certainly supports accepting any certificate from anyone. The question is whether you can *compel* the user to send the certificate when it is optional. If you don't force the user to send the certificate, then you'll never get the logic of "certificate first, then fallback to login screen". If you DO force the user to send the certificate, no web server will allow a "fallback to login screen". Why? Because that is a custom authentication scheme unsupported by standards. SSL Client Certificate protocol never says it works like what you dream. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang // [quoted text, click to view] On Aug 16, 12:02 am, "Stanko Milosev" <tester...@yahoo.com> wrote: > We want to make web site with PHP, that if a user have a certificate, then, > for example, to give this user welcome screen, but if he don't have a > certificate then to give him login screen. > > I have found that with _SERVER["CERT_SERIALNUMBER"] variable I can get > client certificate serial number, but only if IIS server accepted user > certificate... > > "Consultant" <consultant_mc...@yahoo.com> wrote in message > > news:unhfGL33HHA.5360@TK2MSFTNGP03.phx.gbl... > > > > > why would you want to do this? > > > "Stanko Milosev" <tester...@yahoo.com> wrote in message > >news:OvRH0003HHA.3684@TK2MSFTNGP02.phx.gbl... > >> Hello, > > >> I am trying to configure IIS to accept any certificate, from anyone, is > >> that possible? > > >> TIA! > >> Stanko.- Hide quoted text - > > - Show quoted text -
Thank you David, for your help.
I am just searching for a way to solve my task. Is there way, any how, that we can accept client certificates? We are trying to find a way to allow our users to log on to our site with their certificate, but we don't want them to force to get new certificate, since we already started pki system for signing and encrypting xml documents, and our users already have some certificates, now we don't want them to force to get another one. Stanko. [quoted text, click to view] "David Wang" <w3.4you@gmail.com> wrote in message news:1187252080.373084.162030@q4g2000prc.googlegroups.com... > Your authentication protocol is not possible to implement in the > smooth fashion that you imagine, especially if you plan to use generic > browsers like IE/Firefox/Opera or generic servers like Apache/IIS/ > Java. > > With SSL, IIS supports ignoring, accepting, or requiring client > certificate. With the latter two options, IIS certainly supports > accepting any certificate from anyone. The question is whether you can > *compel* the user to send the certificate when it is optional. > > If you don't force the user to send the certificate, then you'll never > get the logic of "certificate first, then fallback to login screen". > If you DO force the user to send the certificate, no web server will > allow a "fallback to login screen". Why? Because that is a custom > authentication scheme unsupported by standards. SSL Client Certificate > protocol never says it works like what you dream. > > > //David > http://w3-4u.blogspot.com > http://blogs.msdn.com/David.Wang > // > > > > > > On Aug 16, 12:02 am, "Stanko Milosev" <tester...@yahoo.com> wrote: >> We want to make web site with PHP, that if a user have a certificate, >> then, >> for example, to give this user welcome screen, but if he don't have a >> certificate then to give him login screen. >> >> I have found that with _SERVER["CERT_SERIALNUMBER"] variable I can get >> client certificate serial number, but only if IIS server accepted user >> certificate... >> >> "Consultant" <consultant_mc...@yahoo.com> wrote in message >> >> news:unhfGL33HHA.5360@TK2MSFTNGP03.phx.gbl... >> >> >> >> > why would you want to do this? >> >> > "Stanko Milosev" <tester...@yahoo.com> wrote in message >> >news:OvRH0003HHA.3684@TK2MSFTNGP02.phx.gbl... >> >> Hello, >> >> >> I am trying to configure IIS to accept any certificate, from anyone, >> >> is >> >> that possible? >> >> >> TIA! >> >> Stanko.- Hide quoted text - >> >> - Show quoted text - > >
I am sorry,
I don't understad this: [quoted text, click to view] > With SSL, IIS supports ignoring, accepting, or requiring client > certificate. With the latter two options, IIS certainly supports > accepting any certificate from anyone. As much as I know, I must follow certificate chain? This mean, that IIS will not accept certificate which is not followed by certificate from server? Obviously, I have little knowledge about IIS SSL, can you please recommend me a book about it? Thank you again, Stanko
[quoted text, click to view]
On Aug 16, 2:44 am, "Stanko Milosev" <tester...@yahoo.com> wrote: > I am sorry, > > I don't understad this: > > > With SSL, IIS supports ignoring, accepting, or requiring client > > certificate. With the latter two options, IIS certainly supports > > accepting any certificate from anyone. > > As much as I know, I must follow certificate chain? This mean, that IIS will > not accept certificate which is not followed by certificate from server? > > Obviously, I have little knowledge about IIS SSL, can you please recommend > me a book about it? > > Thank you again, > Stanko I think your problem is a PKI key distribution/management problem, not IIS/SSL problem. You want an authentication protocol that is not supported by all web browsers and web servers without writing custom software. And you want that protocol because you don't want users to get a second certificate. That sounds like the wrong solution to the PKI certificate distribution problem. At my company, certificate distribution is automatic and it just works. IIS requires certificates all the time, and the client automatically chooses the correct one out of all the distributed certificates to me. //David http://w3-4u.blogspot.com http://blogs.msdn.com/David.Wang //
Actually, I think the problem here is that:
a) As part of the SSL/TLS handshake, the server indicates that it can accept client certificate. It presents a list of trusted CAs to the client b) the client automatically selects an appropriate certificate *if* there is a single certificate that is issued by one of the trusted CAs. If there are multiple client auth certificates from multiple trusted CAs, then the user is prompted to choose which certificate to present to the server c) Your problem is that IIS doesn't trust certs from every CA in the world. If your partners have their own CAs, you need to install the root CA certs into IIS. Cheers Ken [quoted text, click to view] "Stanko Milosev" <testerayu@yahoo.com> wrote in message
news:u7N0Eo%233HHA.5724@TK2MSFTNGP05.phx.gbl... >I am sorry, > > I don't understad this: > >> With SSL, IIS supports ignoring, accepting, or requiring client >> certificate. With the latter two options, IIS certainly supports >> accepting any certificate from anyone. > > As much as I know, I must follow certificate chain? This mean, that IIS > will not accept certificate which is not followed by certificate from > server? > > Obviously, I have little knowledge about IIS SSL, can you please recommend > me a book about it? > > Thank you again, > Stanko >
Don't see what you're looking for? Try a search.
|
June 2003
July 2003
August 2003
September 2003
October 2003
November 2003
December 2003
January 2004
February 2004
March 2004
April 2004
May 2004
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
| home · blog · groups | Questions? Comments? Contact the dn |