IIS Configuration for Smart Cards

8:44 PM j. montgomery 0 Comments

Page 3 of 9

Previous Page: Building and Installing the Smart Card HttpModule | Next Page: IHttpModule Implementation

If you have not worked with Client Certificates/Smart Cards with IIS before, then this will probably be new information. This setup will work with IIS 5.0 (Windows Server 2000), IIS 5.1 (Windows XP) and IIS 6.0 (Windows Server 2003). I’ve not had the opportunity to try this on Vista yet, but I suspect the configuration options are similar, if not the same as Server 2003, though care will need to be taken in choosing the right components to install to add Client Certificate, and or Active Directory account mapping support in IIS 7 since the installation options are incredibly modular now.

If you do not see the options for Client Certificates in IIS on Vista, you probably have not installed the proper components.

The Web Server will need to be aware of and fully integrated into your Enterprise PKI Solution:

  • The Trusted CA’s will need to be installed in the Trusted Roots Certificate Stores
  • Certificate Revocation will need to be configured to work with IIS (CRL/OCSP, etc.)
    • If a users’ Smart Card certificate is revoked before it expires, you need to be able to prevent the user from accessing the web site.
    • Third party CRL/OCSP solutions DO support IIS integration; check your vendor’s documentation. It is typically as easy as selecting a checkbox in the software’s configuration properties.
  • Etc. – there are potential complexities and specific implementation details based on the PKI deployment that are outside the scope of this article. You do need to know how your specific implementation of PKI works, and that all the pieces are in place to provide proper authentication to your web site.

Here are the specific steps to setup Smart Card Authentication in IIS once the Web Server has been PKI enabled.

  1. Generate an SSL Certificate Request for the Root Web Site you will PKI enable.
  2. Get the Request signed by a Certificate Authority (CA), most likely you will use your internal Root Certificate Authority (CA) or Intermediate CA.
    1. If your users are strictly IntRAnet users, you can use your internal CA that you use for PKI to Sign the Certificate
    2. If your users are IntERnet Users, you will need a way to deploy your Root CA’s to the client’s computer Certificate Store for your Root CA servers to be trusted on a client’s computer.
  3. In IIS, on the folder or Web Site you want to enable for smart card authentication/authorization, open the properties and Click on the Directory Security Tab.
  4. In the Secure Communications section, click on the “Edit” button
  5. For each folder or web site requires Smart Card authentication, check the “Require Secure Channel (SSL). 
  6. Under “Client Certificates”, the default option is to “Ignore Client Certificates” – for all the sites or folders you want to accept Smart Cards, choose “Require Client Certificates

    Figure 4 – SSL/Client Certificate Settings for Production Systems

    Figure 4 – SSL/Client Certificate Settings for Production Systems

    NOTE: If you are doing this on a development system and you want to be able to use Visual Studio.NET, you cannot “Require secure channel (SSL)” or “Require Client Certificates” or VS.net will not be able to interact properly with the web site. Also, you must LEAVE “Integrated Security” on as well, or you will have a similar problem.

    When launching your ASP.NET web application for Debugging from Visual Studio, manually change your URL in IE when debugging from HTTP:// to HTTPS://. As long as “Accept Client Certificates” is checked, it will prompt you to use a client certificate providing HTTPS:// is in the URL. Alternatively, change the Web Project settings of the site to launch the web page with the HTTPS:// prefix in the URL.

  7. There are a couple ways to map Smart Cards to Active Directory Users. Check the “Enable client certificate mapping” option and then click Edit. On this screen you will setup the 1–to–1 mapping. To map all Smart Cards to one Active Directory Users, setup the Many–to–1 mappings.

    NOTE: I don’t recommend the 1–to–Mapping if you have a large number of users accessing the web site

    The difficulty with the 1–to–1 mapping is you must have a copy of the client certificate (the public portion of X509 certificate) for each user you want to map. You also need to know the Domain Password of each user as well. If you have a large enterprise and all the users need access, you are in for a management nightmare. If someone has other suggestions for easily managing this, please let me know.

    A Many–to–1 Mapping has more promise since you can map a portion of Smart Cards based on Wildcard Rules using fields in the X509 Certificate Distinguished Name to one AD User Account. This allows different sets of users to be mapped to related AD Accounts based on role, essentially allowing Role based authorization with Windows Principals.

    If you haven’t realized this yet, if you are able to do 1–to–Many Mapping or 1–to–1 Mapping, there is no need for this HttpModule as you can move over to the built in Windows Authentication model in ASP.NET and apply Principal Permissions based on Groups in Active Directory.

  8. Check the “Enable certificate trust list” and create a new IIS CTL. Trust only the CA’s that have Signed the Smart Card certificates that users will be using to authentication with.
    NOTE: This option is a Web Site setting. You will not see “Enable certificate trust list” option setting for each Virtual Folder.

    Figure 5 – Example of setting Certificate Trust Lists for Web Site.
    Figure 5 – Example of setting Certificate Trust Lists for Web Site.

    In the above screen, “Require SSL and Require Client Certificates” are not selected because we set it on a folder by folder basis. You could set them here to apply it to the entire Web Site depending on your requirements.

    IMPORTANT: If you include any other Certificate Authorities other then the ones who signed your Smart Card Certificates (like Verisign’s CA’s, or others) any user could purchase a client Certificate from Verisign and present it as a Client Certificate to your web site and you would let them in!!
  9. Finally, make sure you have enabled Anonymous Access to this web site in Directory Security. Otherwise users will be presented with a system or domain logon prompt as well as the Client Certificate dialog box.

Previous Page: Building and Installing the Smart Card HttpModule | Next Page: IHttpModule Implementation

Page 3 of 9