IIS and client certificate AD authentication

Discussion in 'Server Security' started by Ondrej Sevecek, Apr 28, 2009.

  1. Hello,

    would you please be able to give me some info on two things regarding IIS
    7/6 client certificate AD authentication?

    a) does the CA certificate - which issued the client certificate - need to be
    in the NtAuth store?
    b) or would IIS accept client certificates signed by any trusted CA?
    c) if b) is correct, how can I limit the list of trusted CAs?

    thank you very much.

    Ondra
     
    Ondrej Sevecek, Apr 28, 2009
    #1

  2. Ondrej Sevecek wrote:

    Well,

    a) The CA certificate doesn't need to be in NTAuth store. NTAuth store is used
    for smart card logon purposes.

    b) The CA needs to be trusted for client authentication purposes (extended key
    usage).

    c) see b), also see certificate trust lists.

    Don't forget that you'll need to have CRL distribution points accessible by server.

    Please feel free to ask more questions if needed.

    Greetings,

    Martin
     
    Martin Rublik, Apr 28, 2009
    #2
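As an added example (not code from either poster), a PowerShell check to run on the IIS server for point b) and the CRL note above: it builds a client certificate's chain requiring the Client Authentication EKU with online revocation checking, then lists each chain certificate's CRL distribution points and tests that the server can fetch them. The thumbprint is a placeholder to replace with a real one.

```powershell
# Added example: verify a client certificate chains to a CA trusted for Client
# Authentication and that its CRL distribution points are reachable from here.
# Assumes the thumbprint is a placeholder for a certificate in LocalMachine\My.
$thumbprint = 'PLACEHOLDER_THUMBPRINT'
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"

# Require the Client Authentication EKU (1.3.6.1.5.5.7.3.2) as the application
# policy for the whole chain, and check revocation online for every CA but the root.
$clientAuthOid = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$null = $chain.ChainPolicy.ApplicationPolicy.Add($clientAuthOid)

if ($chain.Build($cert)) {
    Write-Host "Chain OK for $($cert.Subject): $($chain.ChainElements.Count) element(s)"
} else {
    # Each status entry names the failure, e.g. NotValidForUsage (missing EKU),
    # UntrustedRoot, RevocationStatusUnknown or OfflineRevocation.
    foreach ($s in $chain.ChainStatus) {
        Write-Warning "$($s.Status): $($s.StatusInformation.Trim())"
    }
}

# Walk the chain and test every HTTP CRL distribution point (extension 2.5.29.31).
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { continue }
    # Format() renders lines such as "URL=http://pki.example/ca.crl"
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        if ($url -notmatch '^https?://') {
            Write-Host "$($c.Subject): non-HTTP CDP skipped: $url"
            continue
        }
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            Write-Host "$($c.Subject): CDP reachable ($($r.StatusCode)) $url"
        } catch {
            Write-Warning "$($c.Subject): CDP NOT reachable $url ($($_.Exception.Message))"
        }
    }
}
```

Run it under the account the IIS worker process uses, since that is the context whose proxy and network access matter for CRL retrieval.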