Does anyone know if it is possible to tell IIS to accept any client
certificate (even self-signed and not trusted)? We have to do custom
authentication of a legacy system, which uses self-signed certificates without
the "client" usage specified in the certificate.
Alternatively, is it possible to intercept an invalid certificate through an ISAPI
filter and tell IIS to accept the connection and get hold of the client
certificate?
Thanks for any advice
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
"Tester" <test> wrote in message
news:%23dIujGX...@TK2MSFTNGP10.phx.gbl...
> No, the client certs must be trusted and map to an account through one of
> the acceptable methods
Not entirely true. IIS will reject the client cert if the chain
doesn't verify or if the cert doesn't contain the client auth EKU.
However, it is not necessary for the cert to map to an account unless
you have denied anonymous access to the directory.
I don't know if the chain and policy validation behavior of IIS can be
configured or not. Seems unlikely.
--
Ryan D Johnson [MS]
rjoh...@online.microsoft.com
This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples are subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm
CertChainCheckUsage/CheckCertRevocation are both false by default.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/ref_mb_certcheckmode.asp
http://www.microsoft.com/windows2000/en/server/iis/htm/asp/apro4e3p.htm
MD_CERT_NO_USAGE_CHECK "When MD_CERT_NO_USAGE_CHECK is set to true, the
certificate provided by the client is not verified as valid."
Is this win2k3 only? Does it do what it says?
Thanks for any response
"Ryan D Johnson [MS]" <rjoh...@online.microsoft.com> wrote in message
news:uy8sbz...@online.microsoft.com...
I think this works properly because the cert extensions place no restrictions on what the
cert should be used for, and thus the cert is considered valid for all usages; the issuer
(the cert itself, imported as a CA cert) also has no usage restrictions specified.
- Mitch Gallant
MVP Security
"Ryan D Johnson [MS]" <rjoh...@online.microsoft.com> wrote in message
news:uy8sbz...@online.microsoft.com...
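The two checks Ryan describes (the chain must verify, and the cert must carry the client-auth EKU) and the no-EKU case Mitch explains, as an added example that is not part of this thread: Go's crypto/x509 applies the same rule that a certificate with no EKU extension is acceptable for any usage, so a constructed self-signed cert standing in for the legacy system's can be run through both checks. The checkUsage switch is an assumed model of the CertChainCheckUsage / MD_CERT_NO_USAGE_CHECK setting discussed above, not IIS's own code.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeSelfSigned builds a constructed self-signed cert with the given EKUs (nil = no EKU extension).
func makeSelfSigned(cn string, ekus []x509.ExtKeyUsage) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		ExtKeyUsage:           ekus,
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it can be imported as its own CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// acceptClientCert applies the two checks the thread attributes to IIS: the chain must
// verify against the trust store, and the cert must be usable for client auth. checkUsage=false
// is an assumed model of CertChainCheckUsage=false: EKU is skipped, the chain check remains.
func acceptClientCert(cert *x509.Certificate, roots *x509.CertPool, checkUsage bool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if checkUsage {
		opts.KeyUsages = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	_, err := cert.Verify(opts) // a cert with no EKU extension passes: unrestricted, as Mitch notes
	return err
}
```

An untrusted self-signed cert fails the chain check regardless of the usage switch; importing it as a trusted root is what makes the legacy cert pass.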