Understanding Mutual SSL

Posted on 2012-08-28
Medium Priority
Last Modified: 2012-08-30
I strongly apologize if this question has been answered somewhere on the site. I'm not sure how to phrase the keywords to find it.

Okay, I've read many sites on how to set up Mutual SSL on IIS6 or IIS7.

I think I understand how to do that but what I want to do is:

1) Control Access to the site using Mutual SSL
2) Once the user is on the site, control what pages or items are displayed based on "WHO" the individual is.

Basically, once your certificate has been authenticated, I only want the user to see the parts or items on the page that pertain to his/her role or identity.

I haven't found any sites that go that next step to show how to control or use the items in the certificate.

Any help or suggestions are appreciated.
Question by:Twardone45
LVL 66

Expert Comment

ID: 38345176
Mutual SSL is the client cert presented to the server as well. It looks to me that you want specific things to appear on the site and to mask out those that the user is not supposed (or authorised) to see. If that is the case, it needs more than just the web server; the web application has to cater to that, or else have some gateway do that content filtering based on UserID (in the cert).

Many allude to this as an app-aware filter with contextual info such as the user ID as well. NGFWs like Palo Alto do that, BlueCoat goes into application micro-filtering, and some use an SSL VPN gateway managing certain resources accessible in portal format (not really down to the web page widget though)....

Author Comment

ID: 38346824
I believe I understand your comment but would you know of a site or something that I can look at that is close to what I am looking for?

Even a site that shows me how to pull the cert apart and then I can go from there.

LVL 85

Expert Comment

by:David Johnson, CD, MVP
ID: 38348168

Mutual SSL allows the user to access the site.
Use a login page so the user can log in.
Use your normal security to limit access to areas of the site.
LVL 66

Accepted Solution

btan earned 1185 total points
ID: 38349019
May not be IIS, but the fundamentals and how it works for mutual auth are similar.


Actually I see Web Services has greater flexibility where it can specify attributes for identity check and bindings to resources through an SOA style of application service delivery. The link shows some glimpse of using the certificate subjectname as an attribute to present to the service requested. I believe it can be extended further, such as to alternate name etc.


Also on a related note, SAML is gaining traction as the next auth and authz scheme due to identity federation across different identity directories (multiple AD, etc). It is supposed to be "simpler" and adaptable compared to a typical PKI deployment. But as for the assurance and trust model, the latter has a longer established history ...

Author Closing Comment

ID: 38349587
Thank you for the help and direction.
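
One way to "pull the cert apart" inside the web application, as an added example that is not code from any poster in this thread: it parses the subject and issuer DN strings the web server hands to the application (IIS exposes them as the `CERT_SUBJECT` and `CERT_ISSUER` server variables) and maps the OU to the page sections a user may see. The comma-separated DN format, the OU-to-role mapping and every name below are assumptions; hex-pair escapes and multi-valued RDNs are not handled.

```python
import re

# Added example: every DN, OU, role and section name below is constructed.

def parse_dn(dn):
    """Split a DN string into (TYPE, value) pairs, honoring backslash escapes."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escaped char inside the value
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":                        # only an unescaped comma ends an RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((key.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs

# Assumption: the application trusts one issuing CA and maps OU values to roles.
TRUSTED_ISSUERS = {tuple(parse_dn("CN=Example Internal CA, O=Example Corp"))}
ROLE_BY_OU = {"Finance": "finance", "HR": "hr"}
SECTIONS_BY_ROLE = {"finance": {"invoices"}, "hr": {"staff-records"}}

def visible_sections(subject_dn, issuer_dn):
    """Return the page sections the certificate holder may see (fail closed)."""
    try:
        subject, issuer = parse_dn(subject_dn), tuple(parse_dn(issuer_dn))
    except ValueError:
        return set()
    if issuer not in TRUSTED_ISSUERS:           # chain was valid, but not our CA
        return set()
    sections = {"home"}
    for key, value in subject:
        if key == "OU" and value in ROLE_BY_OU:
            sections |= SECTIONS_BY_ROLE[ROLE_BY_OU[value]]
    return sections

if __name__ == "__main__":
    print(visible_sections("CN=Alice Smith, OU=Finance, O=Example Corp",
                           "CN=Example Internal CA, O=Example Corp"))
```

Splitting only on unescaped commas matters: a subject whose CN contains an escaped `,OU=Finance` gets no finance sections here, whereas a substring match on the raw string would grant them.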
