Saturday, 17 November 2012

Configure SSL Mutual (Two-way) Authentication in IIS 7.5 using client certificates (One-to-One Mapping)

I do know that it's not possible to have SSL mutual authentication without using client certificates, but I thought that I'd throw in as many definitions as possible in a shameless effort to gain more traffic from Google.
At any rate, in this post I discuss how to set up mutual authentication, two-way authentication or SSL with client certificates, whichever way you call it. For the record, Wikipedia terms it a client-authenticated handshake, so I guess it should be called client-authenticated SSL.

Firstly, there are a couple of pre-requisites.
  1. Server Certificate from a trusted CA.
  2. Client Certificate from a trusted CA.
I would suggest following my excellent series on CAs, which starts here, but alas it's mostly oriented towards IIS 6, so it's not terribly useful here: it does create a CA, which is the basis, but not much more. Similarly, this post details the usage of makecert to create self-signed certificates, but again it's geared towards IIS 6; the certificate generation commands will work though. You can also use OpenSSL to create self-signed certificates, details here. Whichever route you take, the CA that issued the client certificate has to be trusted by the server (it needs to be in the computer's Trusted Root Certification Authorities store), otherwise the TLS handshake fails before IIS ever looks at the mapping.

I am going to assume that the server certificate has already been installed on the server and bound to an HTTPS site; see this post for details.

The first thing to do is to navigate to the Configuration Editor from IIS Manager (which can be invoked by running inetmgr), with the website selected.
Select system.webServer/security/authentication/iisClientCertificateMappingAuthentication. The section only shows up if the IIS Client Certificate Mapping Authentication role service is installed. Set enabled to True and make sure oneToOneCertificateMappingsEnabled is True as well.
Now is when things get a little bit strange. Select oneToOneMappings and click on the ellipsis button to be presented with this screen.
The very long sequence of letters is the base64 representation of the client certificate (the DER bytes, base64 encoded). The simplest way of obtaining it is to export the client certificate, without the private key, as a Base-64 encoded X.509 (.CER) file, open it in a text editor, drop the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and join the rest into a single line.
So that from this "certificate":
The following would need to be pasted into the certificate field. It is imperative that this is one line: no BEGIN/END lines and no line breaks.
The username and password are the credentials of the Windows account that IIS logs on when this client certificate is presented, i.e. the account the request will run as. If using a domain account remember to include the domain, e.g. test\testaccount. Since every holder of the certificate becomes that account, use a dedicated low-privilege account rather than an administrator.

Finally, ensure that the correct SSL Settings are set for the website: Require SSL, and Client certificates set to Require. If you leave it at Accept, requests without a certificate are not rejected and simply fall through to whatever other authentication (e.g. anonymous) is enabled on the site.

This should ensure that only SSL client-authenticated access is allowed to the server. A quick check is to browse to the site from a machine that does not have the client certificate: you should get a 403.7 (client certificate required) rather than a page.
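Here is the same procedure scripted end to end, as an added example that is not part of the original post: it uses the WebAdministration module that ships with IIS 7.5 instead of the Configuration Editor, it turns the exported .cer into the single-line base64 string the mapping wants, and it finishes with the two checks a practitioner wants (the password is stored encrypted, and a certificate-less request is refused). The site name Default Web Site, the path C:\certs\client.cer, the URL https://www.example.com/ and the Windows Server 2008 R2 role service name Web-Cert-Auth are assumptions; adjust them for your box. Run it in an elevated PowerShell on the IIS server.

```powershell
# Added example (not the original post's code): one-to-one client certificate
# mapping on IIS 7.5 via the WebAdministration module.
# Assumed values (not from the post): site name, certificate path, test URL,
# role service name Web-Cert-Auth ("IIS Client Certificate Mapping Authentication").
Import-Module ServerManager
Import-Module WebAdministration

$site       = 'Default Web Site'
$certPath   = 'C:\certs\client.cer'
$testUrl    = 'https://www.example.com/'
$apphost    = 'MACHINE/WEBROOT/APPHOST'   # commit to applicationHost.config (<location path="$site">)
$authFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# 0. The configuration section only exists once the role service is installed.
if (-not (Get-WindowsFeature Web-Cert-Auth).Installed) {
    Add-WindowsFeature Web-Cert-Auth | Out-Null
}

# 1. Build the one-line base64 string. X509Certificate2 loads both DER and
#    Base-64 .cer exports, and RawData is the DER encoding, so this is exactly
#    the .cer file with the BEGIN/END lines and every line break removed.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certPath
$b64  = [Convert]::ToBase64String($cert.RawData)

# 2. The Windows account that holders of this certificate will run as.
#    Prompt instead of hard-coding the password; type DOMAIN\user for a domain account
#    (e.g. test\testaccount) and use a dedicated low-privilege account.
$cred = Get-Credential

# 3. Enable the feature and add the mapping. The password attribute is flagged as
#    encrypted in the IIS schema, so it lands in applicationHost.config as
#    [enc:AesProvider:...:enc] rather than in the clear.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $authFilter -Name 'enabled' -Value 'True'
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter $authFilter -Name 'oneToOneCertificateMappingsEnabled' -Value 'True'
Add-WebConfigurationProperty -PSPath $apphost -Location $site -Filter "$authFilter/oneToOneMappings" -Name '.' -Value @{
    enabled     = 'True'
    userName    = $cred.UserName
    password    = $cred.GetNetworkCredential().Password
    certificate = $b64
}

# 4. SSL settings: Require SSL and Require client certificates. With SslNegotiateCert
#    alone ("Accept") a request without a certificate is not rejected.
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,SslNegotiateCert,SslRequireCert'
# Turn anonymous access off so the mapped account is the only identity a request can get.
# (The post's screenshots do not show this step; it is the usual companion setting.)
Set-WebConfigurationProperty -PSPath $apphost -Location $site -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled' -Value 'False'

# 5. Check 1: the stored password must be AES-encrypted, whatever the GUI displays.
$configFile = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
if (-not (Select-String -Path $configFile -Pattern 'password="\[enc:AesProvider:' -Quiet)) {
    Write-Warning 'Mapping password is NOT encrypted in applicationHost.config'
}

# 6. Check 2 (run from a client, PowerShell 3.0+): without the certificate IIS must answer
#    403.7 (client certificate required); with it the request succeeds as the mapped user.
try {
    Invoke-WebRequest -Uri $testUrl -UseBasicParsing | Out-Null
    Write-Warning 'Request WITHOUT a client certificate was accepted; check the SSL settings'
} catch {
    Write-Host "Without certificate: $($_.Exception.Message)"   # expect a 403 here
}
$clientCert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
(Invoke-WebRequest -Uri $testUrl -Certificate $clientCert -UseBasicParsing).StatusCode   # expect 200
```

The mapping is keyed on the exact certificate bytes, so a renewed client certificate (new serial, new key) needs a new mapping entry; the old entry should be removed at the same time rather than left behind.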

I must say that I'm a bit disappointed by the whole process. It's bad enough having to play about with the actual certificate itself in all its base64 glory, but what the fuxx0r Microsoft, passwords in the clear???

This is doubly annoying because it's not stored in clear text in the configuration file (C:\Windows\System32\inetsrv\config\applicationHost.config); there the password attribute is encrypted with the AesProvider (it appears as [enc:AesProvider:...:enc]), so why show it in the clear in the GUI?

Not entirely sure why this has been changed from IIS 6, but this just goes to show that higher software versions are not always better; see this post to see how IIS 6 did not have any of this rubbish.


  1. Apply SP1 in order to hide password.


  2. If I have a working WCF REST service running under IIS.

    Can I use IIS to enable Mutual Authentication, as you describe, without manually configuring my web.config?

    Can I just allow IIS to set it all up?

    1. The short answer is yes.
      Doing the steps detailed in the post will modify the web.config, but you don't have to do it manually.

  3. Do you need userid/password, is the certificate not sufficient?

    1. IIRC, that's the account that will be used to log in to the website when using the client certificate. In other words, if the client cert is configured for test\user, then anybody using that client certificate will log in to the site as test\user.

  4. Hi, I need to do a mutual ssl, but I do not know how. Can somebody help me