I have:
- A hole in the corporate firewall allowing me to accept incoming connections on ports 80 and 443
- Exactly one domain name for external web access
- No access to corporate DNS settings
- An onsite Windows Server 2003 domain controller also configured as a Windows file server, relying heavily on NTFS permissions for access control
- An onsite Windows Server 2012 box with IIS 8 installed, not joined to the Windows Server 2003's domain, currently running a 3rd party web app that uses plain text logins; app currently appears at http://our.domain.address/appfolder from outside so it's all kinds of insecure
- Virtually no IIS administration experience
- A theoretical understanding of but no practical experience at all with SSL certs
- Easily enough scripting expertise to glue all my requirements together
- Plenty of time
I want to be able to:
- Restrict access to the 3rd party web app to SSL only, with client cert required. Users should still authenticate against the web app with existing usernames and passwords, so no client cert mapping; client cert's purpose is to authenticate the user's machine, not the user.
- Make a couple of shares on our file server externally available via https://our.domain.address/webdav
- Give each of my users a USB memory stick containing
  - a self-signed SSL server cert for our IIS 8 box
  - a unique-per-stick SSL client cert that our IIS 8 box will require on connection
  - a one-click script they can use to install both certs into IE, Firefox and Chrome
  - a script to prompt for a username and password, then map two WebDAV URLs to Windows drive letters. Again, I want IIS to map neither the client cert nor the client's current Windows credentials to Windows server logon credentials; I want my remote users to have to type the same username and password they'd use for Windows logon to an onsite domain-joined workstation, and have IIS pass those credentials along to the file server.
- Generate a client cert for each such USB stick by entering an arbitrary ID into a one-dialog script on the IIS 8 box
- Revoke any such client cert by entering the ID used to issue it into another one-dialog script on the IIS 8 box
Could some kind soul either direct me to walkthroughs for:
- Creating a self-signed SSL server cert and configuring IIS 8 for SSL-only operation using that
- Scripting the creation of SSL client certs and configuring IIS 8 to require them for SSL connections (in PowerShell, JScript, VBS, cmd or any mixture)
- Scripting revocation/cancellation/deregistration of SSL client certs on IIS 8
- Setting up WebDAV on IIS 8 with plain text auth over SSL, passing that auth on for access to UNC paths on other LAN-accessible but otherwise unrelated file servers
- Scripting installation of one self-signed server cert and one client cert into IE/Winhttp, Gecko-based browsers, and Webkit-based browsers
or tell me I'm going about this in a boneheaded way because there's something nifty already built into Windows that will do everything I want with two clicks and why don't I just use that? Thanks, all.
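Since the question asks for scripts, here is an added PowerShell example (not from the question and not vendor documentation) of the IIS-side pieces on the Server 2012 box: an SSL-only binding with a self-signed server cert, a required client cert on the app folder, and issue/revoke of per-stick self-signed client certs keyed by an ID. It assumes the site is 'Default Web Site', output goes to C:\certs, the stock New-SelfSignedCertificate on 2012 produces a cert usable for client authentication, and Schannel treats the LocalMachine\Disallowed store as untrusted; the browser-install and WebDAV pass-through parts are not covered.

```powershell
Import-Module WebAdministration   # IIS: drive, *-WebBinding, Set-WebConfigurationProperty
$SiteName = 'Default Web Site'    # assumption: the site hosting /appfolder
$AppPath  = 'appfolder'           # from the question's URL
$HostName = 'our.domain.address'  # from the question
$OutDir   = 'C:\certs'            # assumption: where per-stick files are written

function Enable-SslOnlyWithClientCert {
    # Self-signed server cert in the machine store, bound to 0.0.0.0:443.
    $srv = New-SelfSignedCertificate -DnsName $HostName -CertStoreLocation 'Cert:\LocalMachine\My'
    if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
        New-WebBinding -Name $SiteName -Protocol https -Port 443
    }
    New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $srv | Out-Null
    # Require SSL *and* a client cert on the app folder only. Written as a
    # <location> in applicationHost.config because the access section is
    # locked against web.config by default; plain http now gets 403.4.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
        -Location "$SiteName/$AppPath" -Filter 'system.webServer/security/access' `
        -Name 'sslFlags' -Value 'Ssl,SslRequireCert'
    # Public half of the server cert goes on every stick.
    Export-Certificate -Cert $srv -FilePath (Join-Path $OutDir 'server.cer') | Out-Null
}

function New-StickClientCert([string]$StickId, [string]$PfxPassword) {
    # One self-signed cert per stick, subject CN=stick-<id>. Assumption: this cmdlet
    # version emits the Client Authentication EKU (check .EnhancedKeyUsageList).
    $cli = New-SelfSignedCertificate -DnsName "stick-$StickId" -CertStoreLocation 'Cert:\LocalMachine\My'
    $cer = Join-Path $OutDir "$StickId.cer"
    Export-Certificate -Cert $cli -FilePath $cer | Out-Null
    # No CA involved: the server trusts exactly this cert (Root), and the stick
    # gets the private key as a password-protected PFX.
    Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    $pw = ConvertTo-SecureString $PfxPassword -AsPlainText -Force
    Export-PfxCertificate -Cert $cli -FilePath (Join-Path $OutDir "$StickId.pfx") -Password $pw | Out-Null
    # The private key has no business staying on the server afterwards.
    Remove-Item -Path "Cert:\LocalMachine\My\$($cli.Thumbprint)" -DeleteKey
}

function Revoke-StickClientCert([string]$StickId) {
    # Revocation without a CRL: withdraw trust, then pin the cert as untrusted
    # (assumption: Schannel honours the Disallowed store; restart IIS afterwards).
    $hits = @(Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object { $_.Subject -eq "CN=stick-$StickId" })
    foreach ($c in $hits) {
        $cer = Join-Path $OutDir "$StickId.revoked.cer"
        Export-Certificate -Cert $c -FilePath $cer | Out-Null
        Import-Certificate -FilePath $cer -CertStoreLocation 'Cert:\LocalMachine\Disallowed' | Out-Null
        Remove-Item -Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
    }
    return $hits.Count   # 0 means nothing was issued under that ID
}
```

Wrapping `New-StickClientCert` and `Revoke-StickClientCert` in a one-field input box gives the two one-dialog scripts asked for; verify the first issued cert against the app folder from an outside machine before handing out sticks.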