Is it possible to force IIS to accept any client ssl certificate?
Tester
2004-01-13 01:07:39 UTC
Permalink
Hello all,

Does anyone know if it is possible to tell IIS to accept any client
certificate (even self signed and not trusted). We have to do custom
authentication of legacy system, which uses self signed certificates without
"client" usage specified in certificate.

Alternatively is it possible to intercept invalid certificate through ISAPI
filter and tell IIS to accept the connection and get a hold of client
certificate?

Thanks for any advice
David Cross [MS]
2004-01-13 13:18:36 UTC
Permalink
No, the client certs must be trusted and map to an account through one of
the acceptable methods
--
David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com
Post by Tester
Hello all,
Does anyone know if it is possible to tell IIS to accept any client
certificate (even self signed and not trusted). We have to do custom
authentication of legacy system, which uses self signed certificates without
"client" usage specified in certificate.
Alternatively is it possible to intercept invalid certificate through ISAPI
filter and tell IIS to accept the connection and get a hold of client
certificate?
Thanks for any advice
Ryan D Johnson [MS]
2004-01-13 19:42:45 UTC
Permalink
Post by David Cross [MS]
No, the client certs must be trusted and map to an account through one of
the acceptable methods
Not entirely true. IIS will reject the client cert if the chain
doesn't verify or if the cert doesn't contain the client auth EKU.

However, it is not necessary for the cert to map to an account unless
you have denied anonymous access to the directory.

I don't know if the chain and policy validation behavior of IIS can be
configured or not. Seems unlikely.
--
Ryan D Johnson [MS]
***@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples are subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm
Tester
2004-01-14 04:42:02 UTC
Permalink
There is CertCheckMode/CertChainCheckUsage/CheckCertRevocation:

CertChainCheckUsage/CheckCertRevocation are both false by default.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/ref_mb_certcheckmode.asp
http://www.microsoft.com/windows2000/en/server/iis/htm/asp/apro4e3p.htm

MD_CERT_NO_USAGE_CHECK "When MD_CERT_NO_USAGE_CHECK is set to true, the
certificate provided by the client is not verified as valid."

Is this win2k3 only? Does it do what it says?

Thanks for any response
Post by Ryan D Johnson [MS]
Post by David Cross [MS]
No, the client certs must be trusted and map to an account through one of
the acceptable methods
Not entirely true. IIS will reject the client cert if the chain
doesn't verify or if the cert doesn't contain the client auth EKU.
However, it is not necessary for the cert to map to an account unless
you have denied anonymous access to the directory.
I don't know if the chain and policy validation behavior of IIS can be
configured or not. Seems unlikely.
--
Ryan D Johnson [MS]
This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples are subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm
Michel Gallant
2004-01-15 02:02:29 UTC
Permalink
You don't really even need the Client Auth EKU to have client-cert authentication
work properly with SSL/IIS.
For example generating the following self-signed cert:
makecert -sky Exchange -r -n "E=***@somedomain.ca,CN=Mitch SSL ClientTest" -ss MY
creates a very basic certificate. If that certificate is also added to the Machine
Trusted Root CA (for IIS to properly recognize the single-entity chain with client cert
authentication)
then it certainly works with no problems.
The certificate view for this cert shows an "Authority Key Identifier" extension which
shows the name/SN of the issuer (same as the cert itself). No other extensions were created for this cert.

I think this works properly because the cert extensions place no restrictions on what the
cert should be used for, and thus the cert is considered valid for all usages; the issuer
(the cert itself, imported as a CA cert) also has no usage restrictions specified.

- Mitch Gallant
MVP Security
Post by Ryan D Johnson [MS]
Post by David Cross [MS]
No, the client certs must be trusted and map to an account through one of
the acceptable methods
Not entirely true. IIS will reject the client cert if the chain
doesn't verify or if the cert doesn't contain the client auth EKU.
However, it is not necessary for the cert to map to an account unless
you have denied anonymous access to the directory.
I don't know if the chain and policy validation behavior of IIS can be
configured or not. Seems unlikely.
--
Ryan D Johnson [MS]
This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples are subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm
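The two rules Ryan describes (chain must verify, EKU must include client auth) and the case Mitch demonstrates (a self-signed cert with no EKU extension at all is treated as unrestricted) can be checked on a certificate before it ever reaches IIS. The following Python is an added example, not code from the thread or from Microsoft: it walks the DER of an X.509 certificate with no external libraries, reports whether the issuer and subject Names are identical (a single-entity chain) and what the Extended Key Usage extension contains, distinguishing "no EKU extension" from "EKU present without id-kp-clientAuth". The sample certificates are constructed inline with a dummy signature; nothing here verifies a signature or builds a chain against a store.

```python
# Added example (not from the thread): report the two properties the replies
# say IIS looks at on a client certificate, parsed straight from DER.
# Constructed sample certs only; no signature or chain verification is done.

OID_EKU = "2.5.29.37"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"

def der_read(buf, pos=0):
    """Decode one TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split a constructed value (SEQUENCE/SET/[n]) into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out

def oid_to_str(value):
    """Dotted form of an OBJECT IDENTIFIER's content bytes."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def parse_certificate(cert_der):
    """Raw issuer/subject Names and {extension OID: extnValue} from a Certificate."""
    _, cert, _ = der_read(cert_der)
    fields = der_children(der_children(cert)[0][1])     # tbsCertificate
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # remaining: serial, sigAlg, issuer, validity, subject, spki, [1]?, [2]?, [3]?
    issuer, subject, extensions = fields[2][1], fields[4][1], {}
    for tag, val in fields[6:]:
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            for _, ext in der_children(der_children(val)[0][1]):
                parts = der_children(ext)               # OID, [critical], OCTET STRING
                extensions[oid_to_str(parts[0][1])] = parts[-1][1]
    return {"issuer": issuer, "subject": subject, "extensions": extensions}

def eku_oids(parsed):
    """None when the cert carries no EKU extension, else its OID list."""
    raw = parsed["extensions"].get(OID_EKU)
    if raw is None:
        return None
    return [oid_to_str(v) for _, v in der_children(der_read(raw)[1])]

def assess(cert_der):
    """Mirror the thread's two checks: single-entity chain and client-auth EKU."""
    p = parse_certificate(cert_der)
    ekus = eku_oids(p)
    return {
        "self_signed": p["issuer"] == p["subject"],
        "eku": ekus,
        # no EKU extension => unrestricted (Mitch's makecert case);
        # EKU present but without clientAuth => rejected (Ryan's description)
        "client_auth_ok": ekus is None or OID_CLIENT_AUTH in ekus,
    }

# Minimal DER encoder, used only to build the constructed sample certificates.
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def oid(s):
    a = [int(x) for x in s.split(".")]
    body = bytearray([a[0] * 40 + a[1]])
    for v in a[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.insert(0, 0x80 | (v & 0x7F))
        body += bytes(chunk)
    return der(0x06, bytes(body))

def name(cn):
    """X.501 Name holding a single CN attribute (UTF8String)."""
    attr = der(0x30, oid("2.5.4.3") + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, attr))

def sample_cert(issuer_cn, subject_cn, ekus=None):
    """Constructed test certificate; the signature bits are a dummy placeholder."""
    sig_alg = der(0x30, oid("1.2.840.113549.1.1.11") + der(0x05, b""))  # sha256WithRSA
    rsa_alg = der(0x30, oid("1.2.840.113549.1.1.1") + der(0x05, b""))   # rsaEncryption
    validity = der(0x30, der(0x17, b"040113000000Z") + der(0x17, b"050113000000Z"))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + bytes(8)))
    exts = b""
    if ekus is not None:
        value = der(0x04, der(0x30, b"".join(oid(e) for e in ekus)))
        exts = der(0xA3, der(0x30, der(0x30, oid(OID_EKU) + value)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name(issuer_cn) + validity + name(subject_cn) + spki + exts)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + bytes(8)))

if __name__ == "__main__":
    # Mitch's makecert cert: self-signed, no EKU extension at all
    print(assess(sample_cert("Mitch SSL ClientTest", "Mitch SSL ClientTest")))
    # CA-issued cert listing only serverAuth: chain may verify, EKU check fails
    print(assess(sample_cert("Some CA", "legacy box", [OID_SERVER_AUTH])))
```

Run it against a real client certificate by passing its DER bytes to `assess()`. The one thing the script cannot tell you is the part of Mitch's recipe that deserves the most thought: dropping a client's self-signed certificate into the machine's Trusted Root store makes that key a trust anchor for everything on the host, and a certificate with no extensions at all carries no basic constraints, no name constraints and no usage limits, so whoever holds that private key can issue further certificates the machine will trust.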