Question regarding Certificate Trust Lists

microsoft.public.windows.server.security
Posted by DLN on November 20, 2007, 4:38 pm
Hello all,

I have two Windows domains (domain "A" and domain "B", for the sake of
simplicity) with web servers sitting in both domains. I would like to be
able to secure all the sites in both domains using CTLs, but there is a
single site in domain B that I need to prevent users in domain A from
accessing. Anonymous access to this site needs to stay enabled (for various
reasons, I can't enable Windows authentication on the site). I was hoping I
could also use a CTL for this.

Both domains have enterprise subordinate CAs installed with the subordinate
CA certificate for both being issued by the same stand-alone root CA. My
thinking was that I could accomplish what I want by adding domain B's CA
cert to the CTL and require client certificates, thereby blocking access to
the site from domain A's users. The problem I'm running into is that in
order to create a CTL, I can only add the root CA to the CTL. If I attempt
to add the domain B's subordinate CA certificate to the CTL, I receive a
"Only self-signed certificates are added to the CTL" from the IIS CTL
wizard.

If I correctly understand the information I'm reading regarding CTLs, only
root CAs are allowed, so the error message I'm getting from the IIS CTL
wizard is valid, but it doesn't solve my problem. If I add the root CA to
the CTL, it'll accept certificates issued from the CAs in either domain. Is
there a way to create a CTL that includes a subordinate CA only, or am I
going to have to find a different mechanism to accomplish what I need?

Thanks.



Posted by Brian Komar on November 21, 2007, 10:27 am
Your whole idea is flawed.
Trusted root certificates outweigh CTLs.
Since both CAs chain to the *same* trusted root, all certificates are
trusted by any client within the two domains.
Brian


Posted by DLN on November 21, 2007, 11:36 am
Brian,

Thanks for the reply. If I understand your response correctly, I should be
looking at certificates just to verify the users' identity and some other
mechanism to authorize access to the web site. Would that be correct?

Thanks again.

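A worked illustration of the point Brian makes and of the separation DLN asks about, added here as an example and not code from either poster or from Microsoft. It builds a throwaway PKI shaped like the one in the question (one stand-alone root, two enterprise subordinate CAs chained to it, one client certificate from each), models a trust list that, like the IIS CTL wizard, accepts only self-signed certificates, and shows that a chain check against that CTL accepts both client certificates, whereas an authorization rule that pins the issuing CA's SHA-256 thumbprint admits only domain B's user. The CA names, the CTL class, the chain walk and authorize() are illustrative assumptions, not the Windows CTL or IIS implementation; the chain walk deliberately skips validity dates, revocation and name constraints that a real validator enforces. Requires the third-party cryptography package.

```python
# Added example (not from the thread): one root, two subordinate CAs under it,
# a CTL that only takes self-signed roots, and an issuer-pinning authorization
# check. Requires the third-party 'cryptography' package.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, key, is_ca, issuer=None, issuer_key=None):
    """Build a certificate; self-signed when no issuer is given."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer.subject if issuer else _name(subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    return builder.sign(issuer_key if issuer_key else key, hashes.SHA256())


def signed_by(cert, candidate_issuer):
    """True if candidate_issuer's public key verifies cert's signature."""
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def is_self_signed(cert):
    return cert.issuer == cert.subject and signed_by(cert, cert)


class CTL:
    """Trust list with the rule the IIS wizard enforces: self-signed roots only."""
    def __init__(self):
        self.roots = []

    def add(self, cert):
        if not is_self_signed(cert):
            raise ValueError("Only self-signed certificates are added to the CTL")
        self.roots.append(cert)


def chain_to_ctl(leaf, intermediates, ctl, max_depth=5):
    """Walk issuer links from leaf up to a CTL root; return the path or None.
    Validity dates, revocation and name constraints are intentionally skipped."""
    path, current = [leaf], leaf
    for _ in range(max_depth):
        for root in ctl.roots:
            if root.subject == current.issuer and signed_by(current, root):
                return path + [root]
        nxt = next((c for c in intermediates
                    if c.subject == current.issuer and signed_by(current, c)), None)
        if nxt is None:
            return None
        path.append(nxt)
        current = nxt
    return None


def authorize(leaf, intermediates, ctl, allowed_issuer_fp):
    """Authenticate via the CTL chain, then authorize on the issuing CA's thumbprint."""
    chain = chain_to_ctl(leaf, intermediates, ctl)
    return chain is not None and chain[1].fingerprint(hashes.SHA256()) == allowed_issuer_fp


def build_pki():
    """Constructed sample PKI shaped like the one in the question (assumed names)."""
    k = {n: rsa.generate_private_key(65537, 2048)
         for n in ("root", "sub_a", "sub_b", "user_a", "user_b")}
    root = issue("Stand-alone Root CA", k["root"], True)
    sub_a = issue("Domain A Enterprise Sub CA", k["sub_a"], True, root, k["root"])
    sub_b = issue("Domain B Enterprise Sub CA", k["sub_b"], True, root, k["root"])
    user_a = issue("user@domainA", k["user_a"], False, sub_a, k["sub_a"])
    user_b = issue("user@domainB", k["user_b"], False, sub_b, k["sub_b"])
    return {"root": root, "sub_a": sub_a, "sub_b": sub_b, "user_a": user_a, "user_b": user_b}


def run_demo():
    pki = build_pki()
    ctl = CTL()
    ctl.add(pki["root"])
    try:
        ctl.add(pki["sub_b"])  # what the poster tried; rejected like in the wizard
        sub_ca_accepted = True
    except ValueError:
        sub_ca_accepted = False
    subs = [pki["sub_a"], pki["sub_b"]]
    fp_b = pki["sub_b"].fingerprint(hashes.SHA256())  # pin domain B's issuing CA
    return {
        "sub_ca_accepted_in_ctl": sub_ca_accepted,
        "ctl_trusts_user_a": chain_to_ctl(pki["user_a"], subs, ctl) is not None,
        "ctl_trusts_user_b": chain_to_ctl(pki["user_b"], subs, ctl) is not None,
        "site_admits_user_a": authorize(pki["user_a"], subs, ctl, fp_b),
        "site_admits_user_b": authorize(pki["user_b"], subs, ctl, fp_b),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run as a script, the demo reports that the subordinate CA is refused by the CTL, that both users chain to the root and are therefore trusted, and that only domain B's user passes the issuer-pinned authorize() step. That last step is the "different mechanism" DLN asks about: the CTL plus "require client certificates" establishes who the caller is; which issuing CA signed the presented certificate (thumbprint or issuer DN) is an authorization decision that has to be made by the site or application after the handshake, since the CTL itself can only anchor trust at a self-signed root.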


