Hey fellow experts, need some help with locking down the site. I inherited support of a website and I am having an issue securing several folders on the website with SSL. The site is running on Win2K3 Standard, IIS 6 (obviously), Service Pack 2, latest hotfixes. No server hardening has been done yet. The underlying code is C#, .NET; both .NET 2.0 and 1.1.4 are in use.
The website has a certificate that the client obtained from GoDaddy. The certificate appears to be valid and I have both .p7b and .cer.cs files. Obviously the cert chain is included as part of the p7b. I'm not a PKI expert, so my knowledge is somewhat spotty. I've installed the cert in the personal store and that allowed me to configure the website with the certificate. When I select it, it shows that the cert is available.
The main page is supposed to be open to the public, say, http://www.somecorp.com. When a customer hits the site, they have an option to log in as an admin or a client. This corresponds to the /admin and /client sub-folders. When I select directory security for www.somecorp.com/admin and tell it to require SSL, 128-bit, and then remove basic and integrated authentication, the site does not come up. The log was showing 403 15 5 - so, I granted the IUSR_computername account read rights to the content folder and also made sure that the document type was registered. However, still no luck.
I'd appreciate some thorough step-by-step advice on what to do to get https: to work on the /admin and /client folders.
Thanks in advance.