Understanding Mutual SSL

Posted on 2012-08-28
Last Modified: 2012-08-30
I strongly apologize if this question has been answered somewhere on the site. I'm not sure how to phrase the keywords to find it.

Okay, I've read many sites on how to set up Mutual SSL on IIS6 or IIS7.

I think I understand how to do that but what I want to do is:

1) Control Access to the site using Mutual SSL
2) Once the user is on the site control what pages or items are displayed based on "WHO" the individual is.

Basically, once your certificate has been authenticated, I only want the user to see the parts or items on the page that pertain to his/her role or identity.

I haven't found any sites that go that next step to show how to control or use the items in the certificate.

Any help or suggestions are appreciated.
Question by:Twardone45
    LVL 60

    Expert Comment

    Mutual SSL is client cert presented to server as well. It looks to me that you want specific things to appear on the site and mask out those that the user is not supposed (or authorised) to see. If that is the case, it needs more than just the web server: the web appl has to cater to that, or else have some gateway do that content filter based on UserID (in the cert).

    Many allude to this as an app-aware filter with contextual info such as the user id as well. NGFW like Palo Alto does that, BlueCoat goes into the appl micro filtering and some with SSL VPN gateway managing certain resource accessible in portal format (not really down to web page widget though)....

    Author Comment

    I believe I understand your comment but would you know of a site or something that I can look at that is close to what I am looking for?

    Even a site that shows me how to pull the cert apart and then I can go from there.

    LVL 77

    Expert Comment

    by:David Johnson, CD, MVP

    Mutual SSL allows the user to access the site.
    Use a login page so the user can log in.
    Use your normal security to limit access to areas of the site.
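    The step the asker is missing, turning the authenticated client certificate into an application identity that "your normal security" can act on, looks like the following in ASP.NET on IIS. This is an added example, not code from the thread or from any of the posters. It assumes IIS is configured to require client certificates (so the web server has already checked the handshake), that the application pins one issuing CA (the thumbprint is a placeholder), and that the OU attribute of the certificate subject is mapped to application roles through a hypothetical table; the role names are invented.

```csharp
// Global.asax.cs: convert the IIS-authenticated client certificate into a
// principal whose roles decide what the page renders. Added example, not
// from the thread. Assumes IIS "Require client certificates" is on, so the
// TLS handshake already demanded a certificate; the chain and issuer are
// re-checked here because the application, not the web server, is what
// decides who gets to see what.
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

public class Global : HttpApplication
{
    // Placeholder: thumbprint of the one CA allowed to issue client certificates.
    private const string TrustedIssuerThumbprint = "PLACEHOLDER_CA_THUMBPRINT";

    // Hypothetical mapping from the subject's OU attribute to application roles.
    private static readonly Dictionary<string, string[]> RolesByOu =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Administrators", new[] { "Admin", "Reader" } },
            { "Finance",        new[] { "Reader", "Invoices" } },
        };

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        HttpClientCertificate clientCert = Request.ClientCertificate;
        if (!clientCert.IsPresent || !clientCert.IsValid)
        {
            // No usable certificate: the request stays anonymous and
            // <authorization><deny users="?"/></authorization> in web.config blocks it.
            return;
        }

        var cert = new X509Certificate2(clientCert.Certificate);
        IPrincipal principal = BuildPrincipal(cert);
        if (principal != null)
        {
            Context.User = principal;
        }
    }

    // Kept free of HttpContext so it can be exercised with a test certificate.
    public static IPrincipal BuildPrincipal(X509Certificate2 cert)
    {
        // Re-validate the chain (with revocation) inside the application.
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert)) return null;

        // Pin the immediate issuer: chaining to *any* trusted root is not enough,
        // otherwise every certificate from every CA in the machine store would log in.
        if (chain.ChainElements.Count < 2) return null;
        X509Certificate2 issuer = chain.ChainElements[1].Certificate;
        if (!string.Equals(issuer.Thumbprint, TrustedIssuerThumbprint,
                           StringComparison.OrdinalIgnoreCase))
            return null;

        string cn = cert.GetNameInfo(X509NameType.SimpleName, false);
        string ou = GetSubjectAttribute(cert, "OU");
        string[] roles;
        if (string.IsNullOrEmpty(cn) || ou == null || !RolesByOu.TryGetValue(ou, out roles))
            return null;   // a valid certificate with an unknown OU gets no roles at all

        var identity = new GenericIdentity(cn, "ClientCertificate");
        return new GenericPrincipal(identity, roles);
    }

    // Pull one RDN attribute (e.g. "OU") out of the subject DN string.
    // Simplification: values containing escaped commas need a real DN parser.
    public static string GetSubjectAttribute(X509Certificate2 cert, string attribute)
    {
        foreach (string part in cert.Subject.Split(','))
        {
            string[] kv = part.Trim().Split(new[] { '=' }, 2);
            if (kv.Length == 2 &&
                kv[0].Trim().Equals(attribute, StringComparison.OrdinalIgnoreCase))
                return kv[1].Trim();
        }
        return null;
    }
}
```

    With the principal in place, the page-level part of the question is ordinary ASP.NET authorization: `adminPanel.Visible = User.IsInRole("Admin");` in code-behind, `<location>` rules in web.config, or a `LoginView` control with `RoleGroups`. The identity used for display and logging is the certificate's CN, but the access decision rests on the pinned issuer plus the OU-to-role table, so a certificate from another CA with the same CN or OU is rejected before any role is assigned.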
    LVL 60

    Accepted Solution

    May not be IIS, but the fundamentals and how it works for mutual auth are similar.

    Actually I see Web Services has greater flexibility where it can specify an attribute for identity check and bindings to resource through SOA style of application service delivery. The link shows some glimpse of using certificate subject name as attribute to present to the service requested. I believe it can be extended further to such as alternate name etc.

    Also on a related note, SAML is gaining traction as the next auth and authz scheme due to identity federation across different identity directories (multiple AD, etc). It is supposed to be "simpler" and adaptable compared to typical PKI deployment. But as for the assurance and trust model, the latter has a longer history of establishment ...

    Author Closing Comment

    Thank you for the help and direction.
