adinicag2

web application authentication control

Hello.
This is my problem. I have a web database application (ASP) hosted on IIS7 on the company's server, behind a regular COMCAST router. This is cloning an internal database that the employees (about 20) can access while at work. The web side would allow them to access the data in the same way while on the road or at a client or home. The request is that only these 20 people should access the website and if they give their username/password to anybody, these latter ones should be prevented from accessing. Hence machine level control.

I tried to use client certificates, I was even successful on my test server and one client. Porting the steps on the production server did not work for me.

I would try any other solution that would allow me to control at the machine level the access to this web application. Please help.
Paul MacDonald

This isn't a solution but a question:  If you don't trust these people to not give out their usernames/passwords, why trust them with access to the database (after all, they can just give out the data)?

What can you tell us about the clients, the client certificates you created and what indications you got when you tried to port them to production?
adinicag2

ASKER

Hi. Thank you for replying. I agree with your assessment, in private, but this is the requirement. I tried to raise the same argument but it did not work.

Ok, some more details. The certificates are self issued. I used this guide: http://support.microsoft.com/kb/315588/en-us

On the production server, initially, I did not have a FQDN name and the first time it worked until I reached the point where SSL was ok and the client certificate did not find a chain of trust. Since then I tried 2 more times. The last try was after I got a dyndns domain name for it, to make it as similar as possible to my test server configuration. Before, I was using the computer name. Right now, I cannot even get it to where the SSL will work without giving an error. Between tries I deleted the certificates from IIS and from mmc->certificates stores.

I am not sure this answers your question. I hope it does. Is this client-certificate solution the only one for my problem? Thank you.
I think the certificate solution is the only practical one.  I suppose you could do something like mock up a cookie, install it on the machines in question, then check for it on your site.  

I take it the test environment is internal?  Is there a way for the clients to validate the certificates from outside your network?
Thank you for your patience. No, it is actually public. The only thing is that now it works only from the only test "client" that I did the client certificate and brought it to the server. Then I thought I will be able to port the solution... and I could not.

I am not sure how clear I was in my previous post; obviously I am not that versed in this. Could I assume that maybe I tried too many times and maybe I screwed up that part of the server? If that was the case, is there a safe way to clean up? I cannot redo the server completely.

Is there a better guide to do this out there, as far as you know? Thanks again.

ASKER CERTIFIED SOLUTION
Paul MacDonald

This solution is only available to members.
Hello again. Sorry for the delay but I did not have the time to revisit. I decided to start fresh and document each step I took. Obviously I am doing something wrong; the site is up in the exact state I am at in the steps. Please take a look and help me if you can:

This is what I did:
1. I deleted the website in IIS7.
2. Created a new website in IIS7. Name: lmcap, defaultAppPool, binding all unassigned, port 80, lmcap.dyndns.org, added default page.
3. Revoked all certificates I created previously in Administrative Tools -> Certification Authority.
4. Deleted all certificates I saved in the various mmc->certificates stores (I opened this one as computer account, local computer, as per some instructions from the web). Right now I have a NTSERVER0-CA certificate that I did not create, in the following stores: Personal, Trusted Root, and Intermediate.
5. Restarted the server.
6. I can get to the site: http://lmcap.dyndns.org
7. Created request for the server: select server, Server Certificates; there are 2 certificates there: NTSERVER0-CA and VMSvc-NTSERVER0. Started wizard: common name: lmcap.dyndns.org, spelled out the state and completed the rest. Next, saved as text, Finish. Went to the text file and copied the content.
8. IE, localhost/certsrv, Request a Certificate, advanced cert request, request… (second, long line), pasted the text, Next, received page that the request was submitted.
9. Administrative Tools -> Certification Authority -> Pending, select, Issue. The cert shows in Issued.
10. Open cert, Details, Copy to File, select Base64, name it, save it, export successful, Finish.
11. IIS7 -> server -> Server Certificates -> Complete Request, select the certificate from step 10, Finish; the certificate shows as third in the list.
12. Select site (lmcap), Bindings, add SSL and select the certificate above. Save.
13. Test https://lmcap.dyndns.org - UNTRUSTED, wants to add exception.
14. Open mmc-certificates: the new cert is in Personal store only.
15. Add to Trusted Root. Restart site, test, UNTRUSTED.
16. Add to Intermediate, test, UNTRUSTED.
Please, somebody help :(
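The UNTRUSTED result in steps 13-16 can be reproduced with openssl, as an added illustration that is not part of this thread: a constructed private CA (DEMO-CA, standing in for the NTSERVER0-CA role) issues a server certificate for a placeholder name, and chain validation is tried with the issued certificate itself as the trust anchor (what steps 15-16 add to the stores) versus the CA certificate. It assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed demo of chain-of-trust validation; DEMO-CA and
# example.invalid are placeholders, not values from the thread.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# 1. A private CA, playing the role of the Certification Authority
#    on the server (self-signed root).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=DEMO-CA" -days 30 >/dev/null 2>&1

# 2. Server key and CSR (step 7), then issue it from the CA (steps 8-10).
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=example.invalid" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt -days 30 >/dev/null 2>&1

# verify_with <trust-anchor-file> <leaf-cert>: prints "ok" when a chain
# from the leaf to a trusted root can be built, "untrusted" otherwise.
verify_with() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# Trusting the issued server certificate itself (steps 15-16) does not
# help: it is not self-signed, so its issuer, the CA, is still unknown
# to the validator.
leaf_as_anchor() { verify_with server.crt server.crt; }

# Trusting the CA root certificate is what builds the chain; on the real
# site that root has to be in the trusted root store of each client
# machine, not only on the server.
ca_as_anchor() { verify_with ca.crt server.crt; }

echo "server cert as anchor: $(leaf_as_anchor)"
echo "CA cert as anchor:     $(ca_as_anchor)"
```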
SOLUTION
This solution is only available to members.
I was actually hoping for a step-by-step solution or troubleshooting of the problem I laid out, not a "study more" and "you cannot get there from here". I already stated that I was successful on my first attempt, by using a replica of the production environment. Same server OS, same website. I will continue on my own and scrap this solution if unsuccessful. I was really hoping for a non-existent magic expert wand, I guess. Not here. Thanks.