web application authentication control

Posted on 2011-10-24
Last Modified: 2013-12-14
This is my problem. I have a web database application (ASP) hosted on IIS7 on the company's server, behind a regular COMCAST router. This is cloning an internal database that the employees (about 20) can access while at work. The web side would allow them to access the data in the same way while on the road or at a client or home. The request is that only these 20 people should access the website and if they give their username/password to
anybody, these latter ones should be prevented from accessing. Hence machine level control.

I tried to use client certificates, I was even successful on my test server and one client. Porting the steps on the production server did not work for me.

I would try any other solution that would allow me to control at the machine level the access to this web application. Please help.
Question by:adinicag2
    LVL 33

    Expert Comment

    This isn't a solution but a question:  If you don't trust these people to not give out their usernames/passwords, why trust them with access to the database (after all, they can just give out the data)?

    What can you tell us about the clients, the client certificates you created and what indications you got when you tried to port them to production?

    Author Comment

    Hi. Thank you for replying. I agree with your assessment, in private, but this is the requirement. I tried to raise the same argument but it did not work.

    Ok,some more details. The certificates are self issued. I used this guide:

    On the production server, initially, I did not have a fqdn name and the first time it worked until I reached the point where ssl was ok and the client certificate did not find a chain of trust. Since then I tried 2 more times. The last try was after I got a dyndns domain name for it, to make it as similar as possible to my test server configuration. Before, I was using the computer name. Right now, I cannot even get it to where the ssl will work without giving an error. Between tries I deleted the certificates from IIS and from mmc->certificates stores.

    I am not sure this answers your question. I hope it does. Is this clent-certificate solution the only one for my problem? Thank you.
    LVL 33

    Expert Comment

    I think the certificate solution is the only practical one.  I suppose you could do something like mock up a cookie, install it on the machines in question, then check for it on your site.  

    I take it the test environment is internal?  Is there a way for the clients to validate the certificates from outside your network?

    Author Comment

    Thank you for your patience. No, it is actually public. The only thing is that now it works only from the only test "client" that I did the client certificate and brought it to the server. Then I thought I will be able to port the solution... and I could not.

    I am not sure how clear I was in my previous, obviously I am not that versed in this. Could I assume that maybe I tried too many times and maybe I screwed up that part of the server? If that was the case, is there a safe way to clean up? I cannot redo the server completely.

    Is there a better guide to do this out there, as far as you know? Thanks again.

    LVL 33

    Accepted Solution


    Author Comment

    Hello again. Sorry for the delay but I did not have the time to revisit. I decided to start fresh and document each step I took. Obviously I do something wrong the site is up in the exact state I am in the steps. Please take a look and help me if you can:

    This is what I did:
    1.      I deleted the website in IIS7
    2.      Created a new website in IIS7. Name: lmcap, defaultAppPool, binding all unassigned, port 80,, added default page.
    3.      Revoked all certificates I created previous in Administrative Tools -> Certification Authority
    4.      Deleted all certificates I saved in the various mmc->certificates – I opened this one as computer account, local computer – as per some instructions from the web. Right now I have a NTSERVER0-CA certificate that I did not create, in the following stores: Personal, Trusted Root, and Intermediate
    5.      Restarted the server
    6.      I can get to the site:
    7.      Created request for the server: select server, server certificates, there are 2 certificates there: NTSERVER0-CA and VMSvc-NTSERVER0, started wizard: common name:, spelled out the state and completed the rest. Next, Saved as text, Finish. Went to the text file and copy content.
    8.      IE, localhost/certsrv, Request a Certificate, advanced cert request, request… (second, long line), pasted the text, next, received page that request submitted
    9.      Administrative tools – certificate authority- Pending, select, Issue. The cert shows in issued.
    10.      Open cert, Details, copy to file, select base64, name it, save it, export successful, finish
    11.      IIS7-Server-server certificates-complete request, select certificate in 10., finish, the certificate shows as third in the list.
    12.      Select site (lmcap), bindings, add ssl and select the certificate above. Save.
    13.      Test - UNTRUSTED, wants to add exception
    14.      Open mmc-certificates: the new cert is in Personal store only.
    15.      Add to Trusted Root. Restart site, Test, UNTRUSTED
    16.      Add to intermediate, test, UNTRUSTED

    Author Comment

    Please, somebody help :(
    LVL 77

    Assisted Solution

    by:David Johnson, CD, MVP
    you need a certificate authority to get a chain of trust. A self signed certificate does not have this chain of trust, since anyone can generate this certificate.   A domain certificate authority might help within the domain (the CA has to be added and configured on a domain server and certificates generated. That or use godaddy or verisign and get a domain certificate for your network. Using this and a domain CA then the certificate will be trusted.

    Author Closing Comment

    I was actually hoping for a step-by-step solution or troubleshooting of the problem I laid out, not a "study more" and  "you cannot get there from here". I already stated that I was successful on my first attempt, by using a replica of the production environment. Same server OS, same website. I will continue on my own and scrap this solution if unsuccessful. I was really hoping for a non-existent magic expert wand, I guess. Not here. Thanks.

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    Join & Write a Comment

    Suggested Solutions

    This demonstration started out as a follow up to some recently posted questions on the subject of logging in: and…
    Lync server 2013 Backup Service Error ID 4049 – After File Share Migration
    Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    728 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    20 Experts available now in Live!

    Get 1:1 Help Now