Ondrej Sevecek wrote:
> Hello,
>
> would you please be able to give me some info on two things regarding IIS
> 7/6 client certificate AD authentication?
>
> a) does the CA certificate - which issued the client certificate - need to be
> in NtAuth store?
> b) or would IIS accept client certificates signed by any trusted CA?
> c) if b) is correct, how can I limit the list of trusted CAs?
>
> thank you very much.
>
> Ondra
>
>
Well,
a) The CA certificate doesn't need to be in NTAuth store. NTAuth store is used
for smart card logon purposes.
b) The CA needs to be trusted for client authentication purposes (extended key
usage).
c) see b), also see certificate trust lists.
Don't forget that you'll need to have CRL distribution points accessible by server.
Please feel free to ask more questions if needed.
Greetings,
Martin
--
Replace nospam with google's mail for e-mail communication
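An added check script (not part of this thread, written here as an illustration) that audits the three points Martin raises from the IIS server's side: which trusted CAs carry the Client Authentication EKU, whether a given client certificate chains and revocation-checks for that purpose, and whether its CRL distribution points are reachable from the server. It assumes it runs on the IIS host; `$ClientCertPath` is a placeholder.

```powershell
# Added example, not from the original thread. Run on the IIS server.
param([string]$ClientCertPath = 'C:\temp\client.cer')  # placeholder path, adjust

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# 1) Trusted root/intermediate CAs usable for client authentication.
#    A CA certificate without an EKU extension is unrestricted; one that has
#    an EKU extension must list clientAuth to be acceptable for this purpose.
$trustedForClientAuth = Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        (-not $eku) -or ($_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid)
    }
"CAs trusted for client authentication on this server:"
$trustedForClientAuth | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 2) Build the chain for the client certificate the way the server would:
#    clientAuth application policy, online revocation checking for every link.
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthOid))
$ok = $chain.Build($clientCert)
"Chain valid for client authentication: $ok"
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    "  {0}  [{1}]" -f $el.Certificate.Subject, $status
}

# 3) CRL distribution points (extension 2.5.29.31) must be reachable from the
#    server, or revocation checking fails and the logon is rejected.
$cdp = $clientCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = if ($cdp) { [regex]::Matches($cdp.Format($true), 'https?://\S+') | ForEach-Object { $_.Value } } else { @() }
if (-not $urls) { "No HTTP CRL distribution point in the client certificate." }
foreach ($u in $urls) {
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
        "CRL reachable: $u (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
    } catch {
        "CRL NOT reachable from this server: $u -> $($_.Exception.Message)"
    }
}
```

If step 2 reports a revocation status on a chain element, compare the CDP results from step 3 first; an unreachable CRL and an actually revoked certificate look the same to the client at logon time.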