Restrict website access based on certificate

[jetpoet@yahoo.com]

Hi all!

I would like to know how I can restrict access to a specific website
or subdirectory in a website based on certificates.

I have a webbased administration interface for a website that I
administer. This is in a subdirectory on the webserver. This
subdirectory has restricted access based on IP addresses and
passwords, but unfortunately I also have people that need access to
this who are on dynamic IP addresses.

So I would like to just have them install a certificate on their
client machine and have this be the authentication. I am not sure if I
can issue a personal certificate to each client so I can "turn off"
certain clients if I want to.

I am not interested in these certificates being authenticated or
issued by somebody like Verisign. I just want to issue them myself.

What would I need for this scenario? I have a Windows 2003 server
where this runs. The application is programmed in C# and ASP.NET.

I would need to install a Certificate Server on the webserver to issue
certificates, that much I know. But how do I configure IIS to request
the certificates from the clients.

What are the security implications with this approach as opposed to
the IP filter?

All the best, and thank you in advance for your time.

Pete

[Teemu Keiski]

Hi,

you need first to issue a server certificate for IIS (can be done with
certificate services). Then you are able to manage security settings related
to certificates, SSL etc and one option there is to map client certificates
to users and so on. With certificate services you are also able to issue
client certificates.

--
Teemu Keiski
MCP, Microsoft MVP (ASP.NET), AspInsiders member
ASP.NET Forum Moderator, AspAlliance Columnist


<jetpoet@yahoo.com> wrote in message
news:9d093ada.0310290128.3f6982d3@posting.google.c om...

> Hi all!
>
> I would like to know how I can restrict access to a specific website
> or subdirectory in a website based on certificates.
>
> I have a webbased administration interface for a website that I
> administer. This is in a subdirectory on the webserver. This
> subdirectory has restricted access based on IP addresses and
> passwords, but unfortunately I also have people that need access to
> this who are on dynamic IP addresses.
>
> So I would like to just have them install a certificate on their
> client machine and have this be the authentication. I am not sure if I
> can issue a personal certificate to each client so I can "turn off"
> certain clients if I want to.
>
> I am not interested in these certificates being authenticated or
> issued by somebody like Verisign. I just want to issue them myself.
>
> What would I need for this scenario? I have a Windows 2003 server
> where this runs. The application is programmed in C# and ASP.NET.
>
> I would need to install a Certificate Server on the webserver to issue
> certificates, that much I know. But how do I configure IIS to request
> the certificates from the clients.
>
> What are the security implications with this approach as opposed to
> the IP filter?
>
> All the best, and thank you in advance for your time.
>
> Pete