web application authentication control

This is my problem. I have a web database application (ASP) hosted on IIS7 on the company's server, behind a regular Comcast router. It is a clone of an internal database that the employees (about 20) can access while at work. The web side would allow them to access the data in the same way while on the road, at a client, or at home. The request is that only these 20 people should be able to access the website, and if they give their username/password to anybody else, those people should be prevented from accessing it. Hence machine-level control.

I tried to use client certificates, I was even successful on my test server and one client. Porting the steps on the production server did not work for me.

I would try any other solution that would allow me to control access to this web application at the machine level. Please help.
2 Solutions
Paul MacDonald (Director, Information Systems) commented:
This isn't a solution but a question: If you don't trust these people to not give out their usernames/passwords, why trust them with access to the database (after all, they can just give out the data)?

What can you tell us about the clients, the client certificates you created and what indications you got when you tried to port them to production?
adinicag2 (Author) commented:
Hi. Thank you for replying. I agree with your assessment, in private, but this is the requirement. I tried to raise the same argument but it did not work.

Ok, some more details. The certificates are self-issued. I used this guide: http://support.microsoft.com/kb/315588/en-us

On the production server, initially, I did not have an FQDN, and the first time it worked until I reached the point where SSL was OK and the client certificate did not find a chain of trust. Since then I have tried 2 more times. The last try was after I got a dyndns domain name for it, to make it as similar as possible to my test server configuration. Before, I was using the computer name. Right now, I cannot even get it to where SSL will work without giving an error. Between tries I deleted the certificates from IIS and from the mmc -> Certificates stores.

I am not sure this answers your question. I hope it does. Is this client-certificate solution the only one for my problem? Thank you.
Paul MacDonald (Director, Information Systems) commented:
I think the certificate solution is the only practical one. I suppose you could do something like mock up a cookie, install it on the machines in question, then check for it on your site.

I take it the test environment is internal?  Is there a way for the clients to validate the certificates from outside your network?
adinicag2 (Author) commented:
Thank you for your patience. No, it is actually public. The only thing is that now it works only from the one test "client" that I created the client certificate on and brought to the server. Then I thought I would be able to port the solution... and I could not.

I am not sure how clear I was in my previous post; obviously I am not that versed in this. Could I assume that maybe I tried too many times and maybe I screwed up that part of the server? If that was the case, is there a safe way to clean up? I cannot redo the server completely.

Is there a better guide to do this out there, as far as you know? Thanks again.

adinicag2 (Author) commented:
Hello again. Sorry for the delay, but I did not have the time to revisit. I decided to start fresh and document each step I took. Obviously I did something wrong; the site is up in the exact state I describe in the steps. Please take a look and help me if you can:

This is what I did:
1. I deleted the website in IIS7.
2. Created a new website in IIS7. Name: lmcap, DefaultAppPool, binding: all unassigned, port 80, lmcap.dyndns.org; added a default page.
3. Revoked all certificates I created previously in Administrative Tools -> Certification Authority.
4. Deleted all certificates I saved in the various mmc -> Certificates stores (I opened this one as computer account, local computer, as per some instructions from the web). Right now I have an NTSERVER0-CA certificate that I did not create, in the following stores: Personal, Trusted Root, and Intermediate.
5. Restarted the server.
6. I can get to the site: http://lmcap.dyndns.org
7. Created a request for the server: select server, Server Certificates (there are 2 certificates there: NTSERVER0-CA and VMSvc-NTSERVER0), started the wizard: common name lmcap.dyndns.org, spelled out the state and completed the rest. Next, saved as text, Finish. Went to the text file and copied the content.
8. IE, localhost/certsrv, Request a Certificate, advanced certificate request, request… (second, long line), pasted the text, Next, received the page saying the request was submitted.
9. Administrative Tools -> Certification Authority -> Pending, select, Issue. The cert shows in Issued.
10. Open cert, Details, Copy to File, select Base64, name it, save it, export successful, Finish.
11. IIS7 -> Server -> Server Certificates -> Complete Certificate Request, select the certificate from step 10, Finish; the certificate shows as third in the list.
12. Select site (lmcap), Bindings, add SSL and select the certificate above. Save.
13. Test https://lmcap.dyndns.org - UNTRUSTED, wants to add an exception.
14. Open mmc -> Certificates: the new cert is in the Personal store only.
15. Add to Trusted Root. Restart site, test: UNTRUSTED.
16. Add to Intermediate, test: UNTRUSTED.
adinicag2 (Author) commented:
Please, somebody help :(
David Johnson, CD, MVP (Owner) commented:
You need a certificate authority to get a chain of trust. A self-signed certificate does not have this chain of trust, since anyone can generate such a certificate. A domain certificate authority might help within the domain (the CA has to be added and configured on a domain server and certificates generated). Or use GoDaddy or VeriSign and get a domain certificate for your network. Using this and a domain CA, the certificate will be trusted.
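As an added check that is not part of this thread or any poster's steps, the following PowerShell, run on a client machine against the host name from the step list above, fetches the certificate the HTTPS binding actually serves, builds the chain the way a browser on that machine would, and reports whether the issuing CA (rather than the site certificate, which steps 15 and 16 added) is in the machine's Trusted Root store, which is the chain-of-trust point in the answer above. Assumptions: host lmcap.dyndns.org on port 443, and a Windows certification authority so that certutil is available on the CA.

```powershell
# Added diagnostic (not from the thread). Assumes the host name from the post and port 443.
param(
    [string]$HostName = 'lmcap.dyndns.org',
    [int]$Port = 443
)

# Fetch the certificate the binding serves. The validation callback always returns
# $true so the handshake completes even when the chain is untrusted; trust is
# evaluated explicitly below instead of being enforced here.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($HostName)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$tcp.Close()

"Served subject : $($served.Subject)"
"Served issuer  : $($served.Issuer)"
"Name matches   : $($served.Subject -match [regex]::Escape("CN=$HostName"))"

# Build the chain as a browser on THIS machine would. A private CA's CRL is usually
# unreachable from outside the network, so revocation is skipped to isolate the trust problem.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($served)
"Chain trusted  : $trusted"
foreach ($s in $chain.ChainStatus) { "  status : $($s.Status) - $($s.StatusInformation.Trim())" }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject)" }

# What clients need in Trusted Root is the issuing CA's certificate, not the site
# certificate itself; the site certificate belongs only in the server's Personal store.
$rootHit = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $served.Issuer }
if ($rootHit) {
    "Issuer CA found in LocalMachine\Root (thumbprint $($rootHit.Thumbprint))"
} else {
    "Issuer CA NOT in LocalMachine\Root: export it on the CA with 'certutil -ca.cert ca.cer'"
    "and import ca.cer into Trusted Root Certification Authorities on each client."
}
```

Run it once from the server and once from an outside client: if the chain builds on the server but not on the client, the CA certificate distribution is the problem, not the IIS binding.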
adinicag2 (Author) commented:
I was actually hoping for a step-by-step solution or troubleshooting of the problem I laid out, not a "study more" and "you cannot get there from here". I already stated that I was successful on my first attempt, by using a replica of the production environment. Same server OS, same website. I will continue on my own and scrap this solution if unsuccessful. I was really hoping for a non-existent magic expert wand, I guess. Not here. Thanks.
