SUMMARY

For highly secure Web applications, such as Internet banking sites, you may want to implement a more secure solution for user authentication than the user name and password combination. You can use client-side digital certificates to verify the identity of the user. In addition, you can map client-side digital certificates to Windows accounts on the server if necessary.

back to the top

Requirements

The following list outlines the recommended hardware, software, network infrastructure, and service packs that you need:

• Microsoft Windows 2000 Service Pack 2 Server
• Microsoft Internet Explorer 6.0
• Microsoft Visual Studio .NET
• Microsoft Certificate Services (if you must generate your own certificates)

This article assumes that you are familiar with the following topics:

• ASP.NET development with Visual Basic or Visual C#
• Microsoft Internet Information Services (IIS) configuration

back to the top

Create the ASP.NET Web Application

In this section, you create a simple ASP.NET application. In the sections to follow, you will use client-side certificate authentication to secure this application.

1. Start Visual Studio .NET, and then create a new ASP.NET Web Application project named SecureSite.
2. Drag a Label control from the toolbox onto the WebForm1.aspx Web form, and then set its ID property to greetingLabel.
3. Drag a second Label control onto WebForm1.aspx, and then set its ID property to certDataLabel.

4. Add the following code to the Page_Load event procedure:

   'Visual Basic
   Dim username As String
   userName = User.Identity.Name
   greetingLabel.Text = "Welcome " & userName
   Dim cert As HttpClientCertificate = Request.ClientCertificate
   If cert.IsPresent Then
       'Get the Organization (O) field from the Subject section.
       certDataLabel.Text = cert.Get("Subject O")
   Else
       certDataLabel.Text = "No certificate was found."
   End If
                       

   //Visual C#
   string userName;
   userName = User.Identity.Name;
   greetingLabel.Text = "Welcome " + userName;
   HttpClientCertificate cert = Request.ClientCertificate;
   if (cert.IsPresent)
       certDataLabel.Text = cert.Get("SUBJECT O");
   else
       certDataLabel.Text="No certificate was found.";
                       

5. Build and save the project, and then close Visual Studio.
6. Start Internet Explorer, and then browse to the following page:

   http://localhost/SecureSite/WebForm1.aspx

   Notice that the page displays the "Welcome" and "No certificate was found" messages. Notice that the page does not display a user name because the user has not been authenticated.
7. Close Internet Explorer.

back to the top

Configure the Web Server for Certificate-Based Authentication

In this section, you configure the SecureSite project to use certificates for authentication. To use client-side certificates, you must install a server-side certificate. You can use an existing server certificate from any certificate authority, or you can generate a server-side certificate with Microsoft Certificate Services.

back to the top

To Create a Server-Side Certificate Request

1. On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
2. Expand the node for your server, and then click Default Web Site.
3. On the Action menu, click Properties.
4. On the Directory Security tab, click Server Certificate. Follow these steps in the wizard:
   1. Click Next on the first page of the wizard.
   2. On the Server Certificate page, click Create a new certificate, and then click Next.
   3. On the Delayed or Immediate Request page, click Prepare the request now, but send it later, and then click Next.
   4. On the Name and Security Settings page, accept the default settings, and then click Next.
   5. On the Organization Information page, type MSDN for the organization, type How To Articles for the organizational unit, and then click Next.
   6. On the Your Site's Common Name page, type localhost, and then click Next.
   7. On the Geographical Information page, type your country, region, and city details, and then click Next.
   8. On the Certificate Request File Name page, accept the default file name (usually c:\certreq.txt), and then click Next.
   9. On the Request File Summary page, confirm that all of the details are correct, and then click Next.
   10. Click Finish to close the wizard.
5. Open the certificate file that is generated, and then copy the entire contents of the certificate file to the clipboard.

back to the top

To Submit a Server-Side Certificate Request

1. Start Internet Explorer, and then browse to the following page:

   http://localhost/CertSrv

   NOTE: The Microsoft Certificate Services must be installed.
2. Follow these steps in the wizard:
   1. Click Request a Certificate, and then click Next.
   2. On the Choose Request Type page, click Advanced request, and then click Next.
   3. On the Advanced Certificate Requests page, click Submit a certificate request using a base64 encoded PKCS#10 file, and then click Next.
   4. On the Submit a Saved Request page, click in the Base64 Encoded Certificate Request (PKCS #10 or #7) box, and then press the CTRL+V key combination to paste the certificate request that you copied to the clipboard earlier. Click Submit.
3. Close Internet Explorer.

back to the top

To Issue a Server-Side Certificate

1. On the Start menu, point to Programs, point to Administrative Tools, and then click Certificate Authority.
2. Expand the node for your certificate authority, and then select Pending Requests.
3. Select the certificate request that you just submitted. On the Action menu, point to All Tasks, and then click Issue.
4. Confirm that the certificate appears in the Issued Certificates folder, and then double-click the certificate to view it.
5. On the Details tab, click Copy to File. Save the certificate as a Base-64 encoded X.509 certificate to C:\Servercert.cer.
6. Close the Properties dialog box for the certificate.
7. Close the Certificate Authority tool.

back to the top

To Install a Server-Side Certificate

1. On the Start menu, point to Programs, point to Administrative Tools, and then click Internet Services Manager.
2. Expand the node for your server, and then click Default Web Site.
3. On the Action menu, click Properties.
4. On the Directory Security tab, click Server Certificate. Follow these steps in the wizard:
   1. Click Next on the first page of the wizard.
   2. Click Process the Pending Request to install the certificate, and then click Next.
   3. Browse to the C:\Servercert.cer certificate file that you saved previously. Click Next twice, then click Finish.
5. Click OK to close the Properties dialog box.

back to the top

To Configure SecureSite Site for SSL and Client-Side Certificates

1. In Internet Services Manager, select the SecureSite subweb, and view its properties.
2. Follow these steps in the wizard:
   1. On the Directory Security tab, click Edit in the Secure communications section.
   2. Select the Require secure channel (SSL) check box. This ensures that communications to this subweb are encrypted.
   3. Select the Require client certificates check box. This ensures that the site can only be viewed by users who have a client-side certificate installed.
   4. Select the Enable client certificate mapping check box. This is used to map client certificates to Windows user accounts.
   5. Click Edit. Notice that you can map each certificate to an individual Windows account, or you can map many certificates to the same Windows account.
   6. On the Many-to-1 tab, click Add to add a mapping rule. Name this rule Mapping Rule, and then click Next.
   7. Click New to create a new rule in which the O sub field (Organization) of the Subject section of the certificate has the criteria "MSDN". Click OK to apply the mapping to users whose certificates contain an Organization attribute of "MSDN". In a production environment, the mapping rule is stricter and often validates the issuer of the certificate as well as the subject. Click Next.
   8. On the Mapping page, select Accept this certificate for Logon Authentication. Click Browse to select the Windows account that you want to map MSDN users to. For this example, use the Administrator account. (In a real application, you create a dedicated Windows account with restricted privileges.) Make sure that you type the correct password.
   9. Click Finish, and then confirm the password.
3. Click OK to close the Account Mappings dialog box.
4. Click OK to close the Secure Communications dialog box. If you are prompted to apply the settings to child files and folders, click Select All, and then click OK.
5. Click OK to close the SecureSite Properties dialog box.

back to the top

To Verify Certificate-Based Authentication

1. Start Internet Explorer, and then browse to the following page:

   https://localhost/SecureSite/WebForm1.aspx

   Notice that you use the secure protocol, https.
2. Confirm that you receive a message that the page requires a client certificate.
3. Close Internet Explorer.

back to the top

Install a Client Certificate

In this section, you install a client-side certificate. You can use a certificate from any certificate authority, or you can use Microsoft Certificate Services to generate your own certificate.

back to the top

To Request a Client-Side Certificate

1. Start Internet Explorer, and then browse to the following page:

   http://localhost/CertSrv

2. Follow these steps in the wizard:
   1. Click Request a Certificate, and then click Next.
   2. On the Choose Request Type page, click Web Browser Certificate, and then click Next.
   3. Type the required information. Make sure that you type MSDN in the Company text box.
   4. Click Submit to complete the request.
3. Close Internet Explorer.

back to the top

To Issue a Client-Side Certificate

1. Start the Certificate Authority tool from the Administrative Tools program group.
2. Expand the node for your certificate authority, and then select Pending Requests.
3. Select the certificate request that you just submitted. On the Action menu, point to All Tasks, and then click Issue.
4. Confirm that the certificate appears in the Issued Certificates folder, and then double-click the certificate to view it.
5. On the Details tab, click Copy to File. Save the certificate as a Base-64 encoded X.509 certificate to C:\Clientcert.cer.
6. Close the Properties dialog box for the certificate.
7. Close the Certificate Authority tool.

back to the top

To Install a Client-Side Certificate

1. Open Windows Explorer, and double-click Clientcert.cer to view the certificate file.
2. Follow these steps in the Certificate Import Wizard:
   1. On the first page of the wizard, click Install Certificate, and then click Next.
   2. Select the Automatically select the certificate store based on the type of certificate check box, and then click Next.
   3. Click Finish to complete the wizard.
3. Dismiss the confirmation message box, and then click OK to close the certificate.

back to the top

Verify That It Works

In this section, you verify that client applications with certificates that specify "MSDN" as the company can view the SecureSite site. Users are mapped to the account that you specified in the mapping rule.

1. Start Internet Explorer, and then browse to the following page:

   https://localhost/SecureSite/WebForm1.aspx

2. Confirm that:
   • The Web page appears.
   • The appropriate Windows account is used.
   • The organization "MSDN" is read from the certificate.

back to the top