
IIS 6 behavior on checking clients' certificates (again)

microsoft.public.windows.server.security
Posted by Vsevolod on September 16, 2005, 4:47 am
Hello !

What should I do so that I don't need to have all intermediate CA
certificates on the IIS 6 side for a successful certification chain build?
I'm sorry for the repeated question, but my last post to the "Different IIS 5 & IIS
6 behavior on checking clients' certificates" thread is still unanswered.
Could anybody help me? Whose bug is this? Mine, IIS 5's, IIS 6's, ASP's, or
something else's?

BR,
Vsevolod.


Posted by Brian Komar [MVP] on September 16, 2005, 8:57 am
Vsevolod@discussions.microsoft.com says...
> Hello !
>
> What should I do so that I don't need to have all intermediate CA
> certificates on the IIS 6 side for a successful certification chain build?
> I'm sorry for the repeated question, but my last post to the "Different IIS 5 & IIS
> 6 behavior on checking clients' certificates" thread is still unanswered.
> Could anybody help me? Whose bug is this? Mine, IIS 5's, IIS 6's, ASP's, or
> something else's?
>
> BR,
> Vsevolod.
>
For certificate revocation checking to work, you must ensure that the
server can grab *all* certificates and their CRLs for the *entire*
certificate chain.

You *cannot* do certificate validation *without* the intermediate
certificates, as it will result in a "revocation status cannot be
determined" error.

With the release of MS04-11 last year, the revocation checking engine is
the same for both IIS 5 and IIS 6 (to be honest, for 2k and 2k3/XP).

What you will need to do is ensure that all certificates (other than the
root CA) have the AIA and CDP extensions in the issued certificates.

Brian


Posted by Vsevolod on September 16, 2005, 7:50 am
Hello, Brian !

"Brian Komar [MVP]" wrote:
>
> What you will need to do is ensure that all certificates (other than the
> root CA) have the AIA and CDP extensions in the issued certificates.
>
As I wrote before, I had made a simple test. I installed two Microsoft CA
Servers (Root & Subordinate) with default settings. Then I issued the web server
certificate from the Root CA and the client certificate from the Subordinate CA. When I try
to open a page on IIS 6 I receive the error
403.16. All issued certificates have AIA and CDP extensions. All resources
that the AIA and CDP extensions point to are available.

IMHO I think you can make the same test with the same result.


Thanks for your attention.
BR,
Vsevolod.



Posted by Brian Komar [MVP] on September 16, 2005, 2:05 pm
Vsevolod@discussions.microsoft.com says...
> Hello, Brian !
>
> "Brian Komar [MVP]" wrote:
> >
> > What you will need to do is ensure that all certificates (other than the
> > root CA) have the AIA and CDP extensions in the issued certificates.
> >
> As I wrote before, I had made a simple test. I installed two Microsoft CA
> Servers (Root & Subordinate) with default settings. Then I issued the web server
> certificate from the Root CA and the client certificate from the Subordinate CA. When I try
> to open a page on IIS 6 I receive the error
> 403.16. All issued certificates have AIA and CDP extensions. All resources
> that the AIA and CDP extensions point to are available.
>
> IMHO I think you can make the same test with the same result.
>
>
> Thanks for your attention.
> BR,
> Vsevolod.
>
>
Run two tests for me:

At the client, run certutil -verify -urlfetch <certfile>
against the Web server certificate as the certfile.

Do the same test at the Web server against the client certificate as the
certfile.

Post the output. You may have to load the 2k3 Adminpak at both the IIS
6.0 server and at the XP client to run the command. My bet is that,
because you used the default configuration, there are issues with the
AIA and CDP extensions.

Brian


Posted by Vsevolod on September 19, 2005, 12:58 am
Hello, Brian !

"Brian Komar [MVP]" wrote:
> >
> Run two tests for me:
>
> At the client, run certutil -verify -urlfetch <certfile>
> against the Web server certificate as the certfile.
>
> Do the same test at the Web server against the client certificate as the
> certfile.
>
> Post the output. You may have to load the 2k3 Adminpak at both the IIS
> 6.0 server and at the XP client to run the command. My bet is that,
> because you used the default configuration, there are issues with the
> AIA and CDP extensions.
Brian, you won :) I'm a fool :(
After I ran certutil at the web server against the client
certificate, I saw that almost everything was OK except for an expired delta CRL
for the client certificate's issuer. After publishing a new one, my problem
disappeared.

I'm very grateful to you for your assistance.

My conclusions:
1. IIS 6 requires mandatory CDP & AIA certificate extensions for correct
certificate chain building, while IIS 5 doesn't.
2. All base & delta CRLs have to be valid and not expired.

Am I right?


BR,
Vsevolod.
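The two checks Brian asked for, and the "expired delta CRL" failure mode Vsevolod ended up finding, can be reproduced from one script. This is an added example, not code from the thread or from Microsoft. It assumes a Windows host with certutil.exe available (on XP that means the 2k3 Adminpak Brian mentions) and a certificate file path of your own; the paths shown are placeholders. The X509Chain class used here is a managed wrapper over the same CryptoAPI chain engine that IIS calls, so building the chain with online revocation checking over the entire chain reports the underlying status names (RevocationStatusUnknown, OfflineRevocation, PartialChain) that IIS 6 collapses into a bare 403.16.

```powershell
<#
  Added example (not from the thread). Builds the chain for a certificate file
  through the CryptoAPI engine IIS uses, with online revocation checking on the
  ENTIRE chain, then runs Brian's certutil check. File paths are assumptions.
#>
function Test-ClientCertChain {
    param(
        [Parameter(Mandatory = $true)]
        [string]$CertPath,              # DER or Base64 .cer file; assumed path
        [int]$UrlTimeoutSeconds = 15
    )

    $ns   = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$ns.X509Certificate2" -ArgumentList $CertPath

    # 1. The chain engine can only fetch issuer certificates and CRLs on its own
    #    if the certificate carries AIA and CDP. Root (self-signed) CAs are exempt.
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }  # Authority Information Access
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }         # CRL Distribution Points
    if ($cert.Subject -ne $cert.Issuer) {
        if (-not $aia) { Write-Warning 'No AIA extension: the issuer certificate cannot be fetched automatically' }
        if (-not $cdp) { Write-Warning 'No CDP extension: no CRL can be fetched, so revocation status will be unknown' }
        foreach ($ext in @($aia) + @($cdp)) { if ($ext) { $ext.Format($true) } }
    }

    # 2. Build the chain the way the server does: online revocation, whole chain.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds $UrlTimeoutSeconds
    $chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $built = $chain.Build($cert)

    # Per-element view: which link in the chain failed, and why.
    $chain.ChainElements | ForEach-Object {
        [pscustomobject]@{
            Subject  = $_.Certificate.Subject
            NotAfter = $_.Certificate.NotAfter
            Status   = ($_.ChainElementStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap

    # Overall flags. The ones this thread is about:
    #   RevocationStatusUnknown / OfflineRevocation: a base or delta CRL could not be
    #     fetched, or is past its NextUpdate (what an expired delta CRL typically yields).
    #   PartialChain: an intermediate CA certificate could not be located.
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if ($built) { 'Chain built and revocation checked OK' } else { "Chain build FAILED: $flags" }

    # 3. Brian's check. certutil follows AIA/CDP itself (-urlfetch) and reports each
    #    certificate and CRL it retrieved; keep only the lines that matter.
    certutil -verify -urlfetch $CertPath |
        Select-String -Pattern 'Revocation|CRL|Expired|Error|Incomplete' |
        ForEach-Object { $_.Line }

    return $built
}

# As in the thread: run at the web server against the client certificate, and at
# the client against the web server certificate. Paths are assumptions.
# Test-ClientCertChain -CertPath 'C:\temp\client.cer'
```

Run it on both sides, as Brian asked, because each machine fetches the chain and CRLs from its own network position and caches them independently; a delta CRL that is fresh at the client can already be stale on the server. When the chain report shows RevocationStatusUnknown on the issuing CA's element while the leaf itself is fine, look at the CRL NextUpdate values in the certutil output before touching the certificates.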

