Is it possible to force IIS to accept any client ssl certificate?


Tester

Jan 12, 2004, 8:07:39 PM
Hello all,

Does anyone know if it is possible to tell IIS to accept any client
certificate (even self signed and not trusted). We have to do custom
authentication of legacy system, which uses self signed certificates without
"client" usage specified in certificate.

Alternatively is it possible to intercept invalid certificate through ISAPI
filter and tell IIS to accept the connection and get a hold of client
certificate?

Thanks for any advice

David Cross [MS]

Jan 13, 2004, 8:18:36 AM
No, the client certs must be trusted and map to an account through one of
the acceptable methods

--
David B. Cross [MS]

This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"Tester" <test> wrote in message
news:%23dIujGX...@TK2MSFTNGP10.phx.gbl...

Ryan D Johnson [MS]

Jan 13, 2004, 2:42:45 PM
"David Cross [MS]" <dcr...@online.microsoft.com> writes:

> No, the client certs must be trusted and map to an account through one of
> the acceptable methods

Not entirely true. IIS will reject the client cert if the chain
doesn't verify or if the cert doesn't contain the client auth EKU.

However, it is not necessary for the cert to map to an account unless
you have denied anonymous access to the directory.

I don't know if the chain and policy validation behavior of IIS can be
configured or not. Seems unlikely.

--
Ryan D Johnson [MS]
rjoh...@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no
rights. Use of included script samples is subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm

Tester

Jan 13, 2004, 11:42:02 PM
There is CertCheckMode/CertChainCheckUsage/CheckCertRevocation:

CertChainCheckUsage/CheckCertRevocation are both false by default.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/ref_mb_certcheckmode.asp
http://www.microsoft.com/windows2000/en/server/iis/htm/asp/apro4e3p.htm

MD_CERT_NO_USAGE_CHECK "When MD_CERT_NO_USAGE_CHECK is set to true, the
certificate provided by the client is not verified as valid."

Is this win2k3 only? Does it do what it says?

Thanks for any response

"Ryan D Johnson [MS]" <rjoh...@online.microsoft.com> wrote in message
news:uy8sbz...@online.microsoft.com...


Michel Gallant

Jan 14, 2004, 9:02:29 PM
You don't really even need the Client Auth EKU to have client-cert authentication
work properly with SSL/IIS.
For example generating the following self-signed cert:
makecert -sky Exchange -r -n "E=mig...@somedomain.ca,CN=Mitch SSL ClientTest" -ss MY
creates a very basic certificate. If that certificate is also added to the Machine
Trusted Root CA (for IIS to properly recognize the single-entity chain with client cert
authentication)
then it certainly works with no problems.
The certificate view for this cert shows an "Authority Key Identifier" extension which
shows the name/SN of the issuer (the same as the cert itself). No other extensions were created for this cert.

I think this works properly because the cert extensions place no restrictions on what the
cert should be used for, and thus the cert is considered valid for all usages; the issuer
(the cert itself, imported as a CA cert) also has no usage restrictions specified.

- Mitch Gallant
MVP Security

"Ryan D Johnson [MS]" <rjoh...@online.microsoft.com> wrote in message
news:uy8sbz...@online.microsoft.com...
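The two conditions Ryan describes (the chain must verify, and the EKU, when present, must include client authentication) and Mitch's observation that an EKU-less self-signed cert is accepted once it sits in Trusted Root can be reproduced outside IIS with openssl. The script below is an added example, not code from any poster in this thread; it stands in openssl's "-purpose sslclient" check for IIS's own chain and usage validation, and the subject name, temp-directory layout and the three extension profiles it generates are assumptions chosen to mirror the makecert certificate Mitch describes:

```shell
#!/bin/sh
# Added example, not from the thread: three self-signed certs are generated
# into a temp dir (no EKU, like Mitch's makecert output; clientAuth only;
# serverAuth only) and each is checked the way IIS would, for the SSL client
# purpose, first with no trust anchor and then with the cert itself trusted.
set -eu
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# One request config with three extension sections. All are CA:TRUE so the
# self-signed cert can act as its own single-entity chain once it is trusted,
# which is what importing it into Trusted Root achieves on the IIS side.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_noeku]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[v3_client]
basicConstraints = critical,CA:TRUE
extendedKeyUsage = clientAuth
[v3_server]
basicConstraints = critical,CA:TRUE
extendedKeyUsage = serverAuth
EOF

# make_cert <stem> <extension section>: writes $WORK/<stem>.crt, prints its path.
# Subject mirrors the makecert example (assumed name, not a real identity).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Mitch SSL ClientTest/emailAddress=mitch@example.invalid" \
    -config "$WORK/req.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
  printf '%s\n' "$WORK/$1.crt"
}

# verify_cert <cert> <purpose> [trust-anchor-file]: returns 0 when openssl
# accepts the cert for that purpose, 1 otherwise. An empty or missing third
# argument means "no trust store at all", i.e. an IIS box that never had the
# self-signed cert imported into Trusted Root.
verify_cert() {
  cert=$1; purpose=$2; anchor=${3:-}
  if [ -n "$anchor" ]; then
    out=$(openssl verify -purpose "$purpose" -CAfile "$anchor" "$cert" 2>&1 || true)
  else
    out=$(openssl verify -purpose "$purpose" -no-CAfile -no-CApath "$cert" 2>&1 || true)
  fi
  case "$out" in *": OK"*) return 0 ;; *) return 1 ;; esac
}

NOEKU=$(make_cert noeku v3_noeku)
CLIENT=$(make_cert client v3_client)
SERVER=$(make_cert server v3_server)

# report <label> <cert> <purpose> [anchor]: one human-readable line per check
report() {
  if verify_cert "$2" "$3" "${4:-}"; then r=accepted; else r=rejected; fi
  printf '%-34s %s\n' "$1" "$r"
}

report "no EKU, not trusted"           "$NOEKU"  sslclient
report "no EKU, trusted as root"       "$NOEKU"  sslclient "$NOEKU"
report "clientAuth EKU, trusted"       "$CLIENT" sslclient "$CLIENT"
report "serverAuth-only EKU, trusted"  "$SERVER" sslclient "$SERVER"
```

Run it with sh on a system whose openssl is 1.1.0 or later (it relies on -no-CAfile and -no-CApath). The "trusted as root" rows correspond to importing the self-signed cert into the machine's Trusted Root store; the first row is the untrusted-chain rejection David and Ryan mention, and the last row is the case a cert chains fine but carries an EKU without client authentication and is refused for that purpose, which is exactly why a cert with no EKU at all passes where a serverAuth-only one does not.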
