Client certificate authentication to IIS

Amin El-Zein
Hello,
I have an RDWeb service that is published over the Internet. I want to secure the authentication with a client certificate so the user can't access it without one.
So how can I do it?
Can I make it on a USB flash disk and secure it?
Thanks.
Distinguished Expert 2018

Commented:
At your RD Host, you would need to use a firewall rule. Secure firewall rules allow you to use Kerberos domain authentication, which is easier than certificates. Is the client that you use a domain-joined machine?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
1) I have an RDWeb service that is published over the Internet. I want to secure the authentication with a client certificate so the user can't access it without one.

You'll use a standard SSL cert for this. https://LetsEncrypt.org has provided these free for years now.

2) So how can I do it?

This Microsoft Forum Article goes through the steps.

3) Can I make it on a USB flash disk and secure it?

No. SSL certs peg to an IP, not a USB device.

4) The above is the normal approach to securing rdweb. Where anyone can access your rdweb instance + they'll require login credentials to use the service. In other words, users will require a user/pass for the destination they're trying to reach using your rdweb instance.

If you must block who can even access your rdweb instance, then one of these will work.

a) Use firewall rules to only allow access to your rdweb instance from certain IPs.

b) Front end your rdweb instance with some sort of login screen, either Webserver or PHP based... or however you normally write code.

Likely all of #4 is overkill as a person will require a valid user/pass to access any endpoint, so the user/pass requirement is likely sufficient.
Distinguished Expert 2018

Commented:
Unfortunately, David, using a certificate that way does not do what the question is targeted at: it does not ensure that the user can't access the server without it. Using the certificate that way merely encrypts the connection and tells the client that the server is indeed the expected server.

Author

Commented:
I mean a client certificate, not a server certificate, like the bank's USB token.
Thanks.
Distinguished Expert 2018

Commented:
That was already understood and that is what I replied to: you may use certificates within secure firewall rules, but it is easier to do it with Kerberos domain authentication. That's why I asked you whether the client is joined to the same domain as the target server. Is it?
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
@McKnife - Item #4 in my list answers the original question. I listed this answer last as likely this is overkill.
Distinguished Expert 2018

Commented:
Well, the question was how to do it by means of a certificate, and 4) does not use certificates.
[Please note that I have asked the author whether he would possibly rather use domain Kerberos authentication than certificates]

Author

Commented:
Hello,
In PKI in general, and under the IIS website, there is an option "client certificate required".
So the client will authenticate through the RDWeb and the client certificate.
Thanks.
Distinguished Expert 2018

Commented:
So you found a way through IIS? Good, then please indicate that and close the question by selecting your own comment as solution.

Author

Commented:
Yes, but I want to know how to do it! And how to generate it and make it on a secure flash disk.
Thanks.
Distinguished Expert 2018
Commented:
I understand.
I have never done it that way, and that's why I keep proposing to use the firewall way that can rely on Kerberos alone (if domain connected - are you?) or on certificates.

Still, let me give you this link to the Microsoft documentation, it might help you:
https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/authentication/iisclientcertificatemappingauthentication/
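
The IIS "client certificate required" option and the client certificate mapping feature from the linked documentation can be scripted as below. This is an added example, not code posted by anyone in the thread. The location `Default Web Site/RDWeb`, the account `CONTOSO\alice` and the file `C:\certs\alice-client.cer` are assumptions to replace with your own values.

```powershell
# Added example (not from the thread). Run in an elevated session on the IIS server.
Import-Module WebAdministration

# Assumed values: adjust to your environment.
$location = 'Default Web Site/RDWeb'      # assumed IIS path of the RD Web Access application
$cerPath  = 'C:\certs\alice-client.cer'   # hypothetical export of the user's PUBLIC certificate
$account  = 'CONTOSO\alice'               # hypothetical Windows account the certificate maps to
$apphost  = 'MACHINE/WEBROOT/APPHOST'     # write to applicationHost.config, where these sections live
$authSect = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# IIS Client Certificate Mapping Authentication is an optional role service.
Install-WindowsFeature Web-Cert-Auth | Out-Null

# 1. Equivalent of ticking "Require SSL" and "Client certificates: Require" in SSL Settings.
#    Requests to $location without a client certificate are rejected by IIS.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 2. Turn on one-to-one certificate mapping for the same location.
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $authSect -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter $authSect -Name 'oneToOneCertificateMappingsEnabled' -Value $true

# 3. Map one specific certificate to one account. Only the public certificate is
#    loaded here; the private key stays with the user (for example on a token).
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$cred = Get-Credential -UserName $account -Message 'Password of the mapped account'
Add-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$authSect/oneToOneMappings" -Name '.' -Value @{
        enabled     = $true
        userName    = $account
        password    = $cred.GetNetworkCredential().Password
        certificate = [Convert]::ToBase64String($cert.RawData)
    }

# 4. Read the settings back to confirm what is in effect.
Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
Get-WebConfigurationProperty -PSPath $apphost -Location $location `
    -Filter "$authSect/oneToOneMappings" -Name 'Collection' |
    Select-Object userName, enabled
```

The settings apply only to the path in `$location`, and the issuing CA of the client certificate must be trusted by the server for the TLS handshake to succeed.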
