I want to get a security model implemented, but I'm not sure what terminology IIS/SSL uses in order to do that. Nor do I know how to make it happen in IIS 7.5.
The process I want to have:
- Administrator users (multiple) of a website create a personal certificate (.p12/.pfx/something)
- Server operator installs one side of this certificate to IIS (for each admin)
- Administrator imports the other side of certificate to their browser
- Administrator then authenticates to their administration area of the website, using the SSL as a passport to be able to get anywhere near the admin login area
How would I go about implementing the model above? I pretty much require step by step with the certificate generation and IIS configuration. I'm unsure if I require some sort of Windows-based authentication on top of the website authentication and some sort of mapping of the certificates back to the Windows user.
I'm guessing I'll need dedicated Windows users for each administrator, with sync'd certificates. Note this is Win2k8 R2 + IIS 7.5, not Exchange or domain-driven stuff, just a plain server without all the AD crap.
You will need to map the client-side certificates for Windows Authentication (if that is desired). You may find the following two articles from Microsoft helpful. They have a step-by-step process. One is an MSDN article. The other is a Microsoft Support Knowledge Base article.
http://msdn.microsoft.com/en-us/library/ff649203.aspx
http://support.microsoft.com/?id=907274
Hope that it helps.
You have two separate issues.
Here are the details on how to set up client certificate authentication in IIS 7.5:
Now, you have two different options (both can be enabled at the same time): many-to-one and one-to-one mapping. See this documentation on how to set it up, but basically: you create a base-64 encoded version of each certificate you want to accept, open it in a text editor, remove the "begin certificate" and "end certificate" lines, remove all line breaks, and then create a mapping entry in the configuration editor with the Windows username and password to use for that certificate logon, using the string you just created in the "certificate" field.
Using many-to-one mapping is a bit more complex because you have to specify which field of the client certificate will be used for verifying a client certificate (instead of using the whole certificate), but it can be easier to maintain if you have many users (since you won't need to install every individual certificate on the web server).
Also, know that all certificates you use NEED to be valid on the server: you'll need to install them in the server system's certificate store (not your user's, the system's), either in the "Trusted People" section (for self-signed and user certificates), in "Trusted Root CA" (for certificate roots) or in "Intermediary Certificate Authority" (for ICAs).
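The one-to-one mapping procedure described in this answer, scripted for IIS 7.5 as an added example (not part of the answer or of Microsoft's documentation). It assumes the IIS Client Certificate Mapping Authentication role service is installed, that the admin area is the "Default Web Site/admin" application, and uses placeholder values for the certificate path and the local account name.

```powershell
# Added example: register one administrator's certificate as an IIS 7.5 one-to-one
# client-certificate mapping and require a client certificate for the admin path.
param(
    [string]$CertPath    = 'C:\certs\admin-alice.cer',  # public half exported by the admin (assumed path)
    [string]$SiteAndPath = 'Default Web Site/admin',    # site/application to protect (assumed)
    [string]$WindowsUser = 'AdminAlice'                 # placeholder local Windows account
)

$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

# RawData is the DER encoding of the certificate, so Base64-encoding it gives exactly the
# single-line string the answer describes (PEM body with the BEGIN/END lines and all line
# breaks removed), with no hand-editing in a text editor.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$certBase64 = [Convert]::ToBase64String($cert.RawData)
Write-Host "Mapping $($cert.Subject) (thumbprint $($cert.Thumbprint)) to $WindowsUser"

# IIS encrypts the password when it writes the mapping to applicationHost.config, but appcmd
# takes it in clear text on the command line, so prompt for it instead of hard-coding it.
$cred = Get-Credential $WindowsUser
$password = $cred.GetNetworkCredential().Password

# Require TLS and a client certificate on this path: no certificate, no access to the admin area.
& $appcmd set config "$SiteAndPath" -section:system.webServer/security/access `
    /sslFlags:"Ssl,SslNegotiateCert,SslRequireCert" /commit:apphost

# Enable IIS client-certificate mapping with one-to-one mappings and turn off anonymous access,
# so an unmapped certificate cannot fall through to an anonymous session.
& $appcmd set config "$SiteAndPath" `
    -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication `
    /enabled:"True" /oneToOneCertificateMappingsEnabled:"True" /commit:apphost
& $appcmd set config "$SiteAndPath" `
    -section:system.webServer/security/authentication/anonymousAuthentication `
    /enabled:"False" /commit:apphost

# Add the mapping entry. One-to-one mapping compares the whole certificate, so a renewed
# or reissued certificate needs a new entry (and the old one should be removed).
& $appcmd set config "$SiteAndPath" `
    -section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication `
    /+"oneToOneMappings.[enabled='True',userName='$WindowsUser',password='$password',certificate='$certBase64']" `
    /commit:apphost
```

Run it once per administrator from an elevated PowerShell prompt; the certificate (or its issuing CA) must already be in the machine store as the answer describes, or IIS will reject the client certificate before the mapping is consulted.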
My initial thoughts were that you wanted SSL to do something it wasn't designed for, but then of course there are client certificates...
Have a look at this article on iisadmin.co.uk
http://www.iisadmin.co.uk/?p=11
-Lewis