To acquire the full benefits of this document, the reader should have a general understanding of private/public key encryption, digital signatures, SSL, and public key certificates. They should also understand the concepts involved with client authentication and page security in Site Server and IIS.
It is possible with Site Server to map a client certificate to a set of user authentication credentials. Subsequent to creating the mapping, a user can supply the certificate during the negotiation of a client-authenticated SSL connection and be automatically authenticated with Site Server. The mapping is accomplished by storing a hash of the certificate DN (distinguished name) concatenated with the certificate issuer. Assuming all trusted certificate authorities assure no duplicate DNs can be signed to different public keys (usually a safe assumption), this works properly.
If you plan to use Microsoft Certificate Server for your certificate authority (CA), you must either set it up as a CA that is recognized by a certifying chain who’s root is already installed in IIS, or you must install it as a recognized root CA in IIS. That is the only way that IIS knows to trust certificates from your certificate server.
If you elect to use your certificate server as a stand-alone CA with no other certifying chain, you must perform the following steps to get your CA certificate in IIS:
A server certificate must be installed in IIS for an SSL negotiation to occur successfully. This is accomplished using the keyring utility. It can be invoked directly or by traversing the menus in MMC as follows:
In keyring:
There is one more important thing to keep in mind if you are going to use your Microsoft Certificate Server (MCS) to issue a server certificate and your MCS is defined as a root CA. All of the clients who attempt to establish an SSL connection will have to install the CA root certificate into their browser or they will encounter a message stating that a secure channel cannot be guaranteed.
There is a sample page called regcert.asp that ships with Site Server 3.0 Commerce Edition. This can be used to create a certificate mapping to a client’s credentials. You must have the virtual server instance mapped to a Site Server authentication instance. The page should be set up with the following security attributes:
The regcert sample page uses AUO to store a certificate hash created using the membership.verifusr.1 object. The certificate information is collected from the certificate object accessible through ASP.
The use of this page is simple, just request it using HTTPS, supply a username, password, and a valid user certificate.
After this, if a site, virtual directory, or page has certificate mapping enabled, the user's credentials will be automatically mapped when a client certificate is supplied via SSL.
The Site Server schema has a UserCertificate attribute that can be added to a user object. It is a multi-valued binary attribute. There is no way to view or manipulate binary data in the Site Server MMC snap-in or through AUO. If you wish to store and use binary certificates you must do so using the LDAP protocol. There are many alternatives for this: ADSI, wldap32 API, and so on. There is a sample ASP application that ships with the Site Server SDK. It requests a certificate from a Microsoft Certificate Server on behalf of an authenticated user then stores the certificate in the user's browser, a binary copy of the certificate in the user's Site Server user object, and optionally as base64 encoded text in the user's Site Server user object. It also creates and stores the certificate hash in the user’s credentials so they can subsequently auto-map. The nice thing about the base64 encoded form is that it can be viewed from the MMC snap-in and manipulated using AUO. An alternative way to accomplish storing a binary certificate in the LDAP store is to write a Certificate Server exit module that uses ADSI or wldap32.
The SDK sample can be found in the samples directory after installation:
Information in this document, including URL and other Internet web site references, is subject to change without notice. The entire risk of the use or the results of the use of this resource kit remains with the user. This resource kit is not supported and is provided as is without warranty of any kind, either express or implied. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 1999-2000 Microsoft Corporation. All rights reserved.
Microsoft, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.