Karim Elatov

Using SSL Client Authentication with SecurID Access IWA running on IIS

Blog Post created by Karim Elatov Employee on Nov 16, 2016

IWA Application With IIS and Windows Authentication

Since our IWA connector runs as an ASP application on IIS, we can utilize the IIS SSL Client Authentication method to log users in. By default, if you visit the IWA application (which uses Windows Authentication) from a machine that is not joined to the domain, you will see a prompt asking for your AD password:

Let's see if we can enable SSL Client Authentication on the IWA ASP application in IIS to see if we can skip that password prompt.

Generate the Necessary SSL Certificates

There are a couple of approaches to this: on Windows we can use makecert and on Linux we can use openssl.

Creating SSL certificates for SSL Client Authentication with makecert

There are actually a couple of sites that go over the setup:

First download the necessary tools; the above sites provide the links to download makecert and pvk2pfx. Next create a self-signed CA with makecert and create a pfx from the newly generated files with pvk2pfx:

C:\Users\Admin\Downloads\makecert_pvk2pfx>makecert.exe -n "CN=root-ca-sp66" -r -pe -a sha512 -len 4096 -cy authority -sv root-ca-sp66.pvk root-ca-sp66.cer
Succeeded
C:\Users\Admin\Downloads\makecert_pvk2pfx>pvk2pfx.exe -pvk root-ca-sp66.pvk -spc root-ca-sp66.cer -pfx root-ca-sp66.pfx
C:\Users\Admin\Downloads\makecert_pvk2pfx>dir
 Volume in drive C has no label.
 Volume Serial Number is 26E4-53F1
 Directory of C:\Users\Admin\Downloads\makecert_pvk2pfx
11/04/2016  12:52 PM    <DIR>          .
11/04/2016  12:52 PM    <DIR>          ..
11/04/2016  12:46 PM            69,824 makecert.exe
11/04/2016  12:46 PM            36,544 pvk2pfx.exe
11/04/2016  12:51 PM             1,305 root-ca-sp66.cer
11/04/2016  12:52 PM             4,254 root-ca-sp66.pfx
11/04/2016  12:51 PM             2,348 root-ca-sp66.pvk
               5 File(s)        114,275 bytes
               2 Dir(s)  19,559,297,024 bytes free

Next we can create the Server SSL certificate and sign it with the newly created CA (and combine the files into one pfx file):

C:\Users\Admin\Downloads\makecert_pvk2pfx>makecert.exe -n "CN=iwa.singlepoint66.com" -iv root-ca-sp66.pvk -ic root-ca-sp66.cer -pe -a sha512 -len 4096 -b 11/01/2016 -e 11/01/2026 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -sv iwa-sp66.pvk iwa-sp66.cer
Succeeded
C:\Users\Admin\Downloads\makecert_pvk2pfx>pvk2pfx.exe -pvk iwa-sp66.pvk -spc iwa-sp66.cer -pfx iwa-sp66.pfx
C:\Users\Admin\Downloads\makecert_pvk2pfx>dir
 Volume in drive C has no label.
 Volume Serial Number is 26E4-53F1
 Directory of C:\Users\Admin\Downloads\makecert_pvk2pfx
11/04/2016  01:09 PM    <DIR>          .
11/04/2016  01:09 PM    <DIR>          ..
11/04/2016  01:08 PM             1,318 iwa-sp66.cer
11/04/2016  01:09 PM             4,262 iwa-sp66.pfx
11/04/2016  01:08 PM             2,348 iwa-sp66.pvk
11/04/2016  12:46 PM            69,824 makecert.exe
11/04/2016  12:46 PM            36,544 pvk2pfx.exe
11/04/2016  12:51 PM             1,305 root-ca-sp66.cer
11/04/2016  12:52 PM             4,254 root-ca-sp66.pfx
11/04/2016  12:51 PM             2,348 root-ca-sp66.pvk
               8 File(s)        122,203 bytes
               2 Dir(s)  19,559,276,544 bytes free

Lastly let's create the client SSL certificate and sign it with the same CA (and combine the files into a single pfx file):

C:\Users\Administrator.SINGLEPOINT66\Downloads\makecert_pvk2pfx>makecert.exe -n "CN=Karim-cert" -iv root-ca-sp66.pvk -ic root-ca-sp66.cer -pe -a sha512 -len 4096 -b 11/01/2016 -e 11/01/2026 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -sv karim-cert.pvk karim-cert.cer
Succeeded
C:\Users\Admin\Downloads\makecert_pvk2pfx>pvk2pfx.exe -pvk karim-cert.pvk -spc karim-cert.cer -pfx karim-cert.pfx
C:\Users\Admin\Downloads\makecert_pvk2pfx>dir
 Volume in drive C has no label.
 Volume Serial Number is 26E4-53F1
 Directory of C:\Users\Admin\Downloads\makecert_pvk2pfx
11/04/2016  01:15 PM    <DIR>          .
11/04/2016  01:15 PM    <DIR>          ..
11/04/2016  01:08 PM             1,318 iwa-sp66.cer
11/04/2016  01:09 PM             4,262 iwa-sp66.pfx
11/04/2016  01:08 PM             2,348 iwa-sp66.pvk
11/04/2016  01:14 PM             1,307 karim-cert.cer
11/04/2016  01:15 PM             4,254 karim-cert.pfx
11/04/2016  01:14 PM             2,348 karim-cert.pvk
11/04/2016  12:46 PM            69,824 makecert.exe
11/04/2016  12:46 PM            36,544 pvk2pfx.exe
11/04/2016  12:51 PM             1,305 root-ca-sp66.cer
11/04/2016  12:52 PM             4,254 root-ca-sp66.pfx
11/04/2016  12:51 PM             2,348 root-ca-sp66.pvk
              11 File(s)        130,112 bytes
               2 Dir(s)  19,559,260,160 bytes free

That should be it for the cert generation.

Creating SSL certificates for SSL Client Authentication with openssl

We can follow a similar process as with makecert. First let's create a self-signed CA:

# generate private key for CA
<> openssl genrsa -out root-ca-sp66.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
..................+++
e is 65537 (0x10001)
 
# create the CA cert and sign it with the CA private key
<> openssl req -x509 -new -nodes -key root-ca-sp66.key -days 1024 -out root-ca-sp66.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Boulder
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RSA
Organizational Unit Name (eg, section) []:PM
Common Name (e.g. server FQDN or YOUR name) []:root-ca-sp66
Email Address []:
 
# combine the files into a pfx
<> openssl pkcs12 -export -out root-ca-sp66.pfx -inkey root-ca-sp66.key -in root-ca-sp66.pem
Enter Export Password:
Verifying - Enter Export Password:
 
# here are the resulted files
<> ls
root-ca-sp66.key  root-ca-sp66.pem  root-ca-sp66.pfx

Now let's create the Server Certificate and sign it with our CA:

## Create Request for Server
<> openssl req -nodes -newkey rsa:2048 -keyout iwa-sp66.key -out iwa-sp66-req.csr
Generating a 2048 bit RSA private key
.........................................................................................................+++
................+++
writing new private key to 'iwa-sp66.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Boulder
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RSA
Organizational Unit Name (eg, section) []:PM
Common Name (e.g. server FQDN or YOUR name) []:iwa.singlepoint66.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
## Sign Request with CA
<> openssl x509 -req -in iwa-sp66-req.csr -CA root-ca-sp66.pem -CAkey root-ca-sp66.key -CAcreateserial -out iwa-sp66-cert.pem -days 500
Signature ok
subject=/C=US/ST=Colorado/L=Boulder/O=RSA/OU=PM/CN=iwa.singlepoint66.com
Getting CA Private Key
 
## Combine files into PFX
<> openssl pkcs12 -export -out iwa-sp66.pfx -inkey iwa-sp66.key -in iwa-sp66-cert.pem
Enter Export Password:
Verifying - Enter Export Password:
 
# All the Files
<> ls
iwa-sp66-cert.pem  iwa-sp66.key  root-ca-sp66.key  root-ca-sp66.pfx
iwa-sp66-req.csr   iwa-sp66.pfx  root-ca-sp66.pem  root-ca-sp66.srl

And lastly let's create the client cert:

## Let's create the request for the Client Cert
<> openssl req -nodes -newkey rsa:2048 -keyout karim-cert.key -out karim-req.csr
Generating a 2048 bit RSA private key
............+++
.....................................+++
writing new private key to 'karim-cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Boulder
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RSA
Organizational Unit Name (eg, section) []:PM
Common Name (e.g. server FQDN or YOUR name) []:Karim-Cert
Email Address []:karim@singlepoint66.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
## Create an openssl config for clients
<> cat openssl-client.cnf
[ client ]
basicConstraints=CA:FALSE
nsCertType = client, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName=email:copy
 
### Now let's Sign it with the CA and use our custom config
<> openssl x509 -req -in karim-req.csr -CA root-ca-sp66.pem -CAkey root-ca-sp66.key -CAserial root-ca-sp66.srl -out karim-cert.pem -days 365 -extfile openssl-client.cnf -extensions client
Signature ok
subject=/C=US/ST=Colorado/L=Boulder/O=RSA/OU=PM/CN=Karim-Cert/emailAddress=karim@singlepoint66.com
Getting CA Private Key
# and let's combine the cert and key files into a pfx file
<> openssl pkcs12 -export -out karim-cert.pfx -inkey karim-cert.key -in karim-cert.pem
Enter Export Password:
Verifying - Enter Export Password:
 
## All the files in the end
<> ls
iwa-sp66-cert.pem  karim-cert.key  openssl-client.cnf  root-ca-sp66.srl
iwa-sp66-req.csr   karim-cert.pem  root-ca-sp66.key
iwa-sp66.key       karim-cert.pfx  root-ca-sp66.pem
iwa-sp66.pfx       karim-req.csr   root-ca-sp66.pfx


That should be it for the certificate creation on a Linux OS with openssl. A couple of notes: the .srl file contains the serial number of the last signed cert:

## Serial File Contents
<> cat root-ca-sp66.srl
F1CB13B8316DD0C1
 
## Serial value of last cert
<> openssl x509 -text -noout -in karim-cert.pem | grep -i serial -A 1
        Serial Number:
            f1:cb:13:b8:31:6d:d0:c1


Also for comparison you can check out the purposes of the server cert and the client cert. Since the server cert was signed without an extension file it carries no EKU at all, so openssl reports it as usable for nearly every purpose (SSL client included), while the client cert is restricted by the [ client ] section above:

<> openssl x509 -purpose  -noout -in iwa-sp66-cert.pem
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No


Here is the client one:

<> openssl x509 -purpose  -noout -in karim-cert.pem
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No


For fun here are the ones created by makecert (in DER format):

<> openssl x509 -purpose -inform DER -noout -in iwa-sp66.cer
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

And here is the client one:

<> openssl x509 -purpose -inform DER -noout -in karim-cert.cer
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
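
Here is a scripted, non-interactive version of the openssl steps above, added as an example and not part of the original post. It restricts the server certificate to serverAuth and the client certificate to clientAuth (the same EKU OIDs that were passed to makecert, 1.3.6.1.5.5.7.3.1 and 1.3.6.1.5.5.7.3.2) and then checks both with openssl verify -purpose, which avoids the wide-open purposes shown for the openssl server cert above. The work directory, the subject fields, the SAN e-mail and the pfx password are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: scripted version of the openssl steps.
# Server cert gets serverAuth only, client cert gets clientAuth only, then both
# are checked with "openssl verify -purpose". Directory, subject fields, the SAN
# e-mail and the pfx password are assumptions.
set -eu

SUBJ_BASE="/C=US/ST=Colorado/L=Boulder/O=RSA/OU=PM"

# gen_pki DIR: create CA, server cert, client cert and client pfx inside DIR
gen_pki() {
  mkdir -p "$1" && cd "$1"
  # Extension files (default section, so no -extensions flag is needed).
  # serverAuth/clientAuth are the EKUs makecert was given via -eku above.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:iwa.singlepoint66.com\n' >> server.ext
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > client.ext
  printf 'extendedKeyUsage=clientAuth\nsubjectAltName=email:karim@singlepoint66.com\n' >> client.ext

  # 1. CA: request, then self-sign it so the CA extensions are applied
  openssl req -new -nodes -newkey rsa:2048 -keyout root-ca-sp66.key \
    -out ca.csr -subj "$SUBJ_BASE/CN=root-ca-sp66" 2>/dev/null
  openssl x509 -req -in ca.csr -signkey root-ca-sp66.key -days 1024 \
    -extfile ca.ext -out root-ca-sp66.pem 2>/dev/null

  # 2. server cert for the IIS https binding
  openssl req -new -nodes -newkey rsa:2048 -keyout iwa-sp66.key \
    -out iwa-sp66-req.csr -subj "$SUBJ_BASE/CN=iwa.singlepoint66.com" 2>/dev/null
  openssl x509 -req -in iwa-sp66-req.csr -CA root-ca-sp66.pem -CAkey root-ca-sp66.key \
    -CAcreateserial -days 500 -extfile server.ext -out iwa-sp66-cert.pem 2>/dev/null

  # 3. client cert that gets mapped to the user in IIS
  openssl req -new -nodes -newkey rsa:2048 -keyout karim-cert.key \
    -out karim-req.csr -subj "$SUBJ_BASE/CN=Karim-Cert" 2>/dev/null
  openssl x509 -req -in karim-req.csr -CA root-ca-sp66.pem -CAkey root-ca-sp66.key \
    -CAcreateserial -days 365 -extfile client.ext -out karim-cert.pem 2>/dev/null

  # 4. pfx for the Windows import; "changeit" is a placeholder password.
  #    With OpenSSL 3.x add -legacy if an older Windows refuses the file.
  openssl pkcs12 -export -out karim-cert.pfx -inkey karim-cert.key \
    -in karim-cert.pem -passout pass:changeit 2>/dev/null
  cd - >/dev/null
}

# check_purposes DIR: returns 0 only if the server cert verifies for
# sslserver but not sslclient, and the client cert the other way round.
check_purposes() {
  ca="$1/root-ca-sp66.pem"
  openssl verify -CAfile "$ca" -purpose sslserver "$1/iwa-sp66-cert.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$ca" -purpose sslclient "$1/karim-cert.pem" >/dev/null 2>&1 || return 1
  openssl verify -CAfile "$ca" -purpose sslserver "$1/karim-cert.pem" >/dev/null 2>&1 && return 1
  openssl verify -CAfile "$ca" -purpose sslclient "$1/iwa-sp66-cert.pem" >/dev/null 2>&1 && return 1
  return 0
}
```

Run it with `gen_pki ./pki && check_purposes ./pki`; the same -purpose checks also work on the makecert output after converting the .cer files with `openssl x509 -inform DER`.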

At this point just copy all the PFX files to the Windows server running IIS.

Importing the SSL Certificates

I just ended up using the certs generated with the makecert and pvk2pfx utilities. For the Certificate imports we can break it down into four parts:

  • Import CA Certificate into the Web Server's Computer Account Trusted Root Certification Authorities store
  • Import the Server Certificate into the Web Server's Computer Account Personal Certificate store
  • Import the CA Certificate into the Client Machine's Current User Trusted Root Certification Authorities store
  • Import the Client Certificate into the Client Machine's Current User Personal Certificate store

Import CA Certificate on the Web Server into the Trusted Root Certification Authorities Store

To import the certificate we need to launch the Certificates Snap-In. Go to Start -> Run -> mmc and then click on the Add/Remove Snap-In option:

Then choose the Certificates Snap-In and pick the Computer Account:

And then choose Local Computer:

Then under the Trusted Root Certification Authorities store import the CA Cert:

After it's imported you can confirm the cert is there:

Import the Server Certificate on the Web Server into the Computer Account Personal Certificate Store

From the same Certificates Snap-In import the Server Certificate into the Personal Certificate store. After it's imported, confirm that it chains to the CA that signed it:

Import CA Certificate on the Client Machine into the Current User's Trusted Root Certification Authorities Store

I was using a Windows 10 machine, so I launched the Certificate Manager (Start -> Run -> certmgr.msc):

Then import the CA certificate into the Trusted Root Certification Authorities store; once it's done you will be able to see it:

Import Client Certificate on the Client Machine into the Current User's Personal Certificate Store

In the same Certificate Manager import the Client Cert under the Personal Store and confirm it's signed by the correct CA:

You can also launch Chrome and confirm the cert is present:

Now let's go to the next section.

Configure IWA ASP application to use SSL Client Authentication

This can be broken down into a couple of parts:

  1. Enable SSL Client Auth method on the IIS server
  2. Import The Server Certificate into IIS and Enable https binding with the Imported Server Certificate
  3. Enable SSL Client Authentication on the IWA Application
  4. Add One to One Mapping for the Certificate and the User

Let's go into each step.

Enable SSL Client Authentication method on the IIS server

Launch the Server Manager and under Roles scroll down to the IIS role and click on Add Role Services:

Then scroll down and enable the IIS Client Certificate Mapping Authentication option:

After it's installed you will see a success message at the end:

Import The Server Certificate into IIS and Enable HTTPS binding with the Imported Server Certificate

Start the IIS Manager (Start -> Run -> inetmgr) and under the Server Section click on the Server Certificates Module:

Then click Import (under the Actions section) and import the Server Certificate:

Then at the Default Site Level click Bindings and enable HTTPS with the uploaded certificate:

Enable SSL Client Authentication on the IWA ASP Application

Now at the Application level launch the SSL Settings module:

and set the Client Certificates to Required and click Apply:

You can also set it to Accept; that way the certificate is used only when the browser presents one, otherwise it falls back to Windows Authentication:


Add One to One Mapping for the Certificate and the User

Now let's map our certificate to a username and password. This can be done at the Application Level or the Site Level (I only had one application, so I did it at the Site Level). Launch the Configuration Editor module:

In the Section field enter system.webServer/security/authentication/iisClientCertificateMappingAuthentication (that will list the options available for that feature) and enable it:

Then click on oneToOneMappings and click the ... to add a new one:

Then add a new user (for the certificate, paste in the X.509 Base64-encoded version of the client SSL certificate):

Also make sure the certificate is one long line: if the certificate contains newline characters, only the first line will be pasted. Then close this dialog and you will see the Count value increase:

Then click Apply and it will save the settings:

That should be it for the IIS settings. For good measure, go ahead and restart the IIS Server (Start -> Run -> iisreset).

Testing out SSL Client Authentication

Now just go to the Portal and click on the IWA icon; after you are forwarded to the IWA server it will prompt you for your certificate. Here is how it looked in Chrome:

After choosing the certificate, I was forwarded to the portal and I was successfully logged in. Here is how the prompt looked in Edge:

For IE 11 and lower you can set a setting to only prompt if you have more than one certificate. Launch internet options (Start -> Run -> inetcpl.cpl) and go to Security -> Internet -> Custom Level and under the Miscellaneous section you can enable the Don’t prompt for client certificate selection when only one certificate exists option:

That should be it.

Troubleshooting SSL Authentication with IIS and ASP

Here are some troubleshooting tips for this setup. First, enable detailed errors for ASP applications. This is a two-step process: in IIS Manager, under the Application section, launch the ASP module and under Debugging Properties set Send Errors to Browser to True:

Second, under the Error Pages module click on Edit Feature Settings and in the Error Responses section select Detailed Errors:

Then, when you don't have the client SSL certificate in the browser, you will see this:

Without enabling that you will just see the following:

Another thing to check out is the Security Section in the Event Viewer (Start -> Run -> eventvwr):

I entered the wrong password under the mapping section and I saw the following event:

- System
  - Provider
   [ Name]  Microsoft-Windows-Security-Auditing
   [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D} 
   EventID 4625
   Version 0
   Level 0
   Task 12544
   Opcode 0
   Keywords 0x8010000000000000
 
  - TimeCreated
   [ SystemTime]  2016-11-05T17:01:04.790771500Z
   EventRecordID 4208
   Correlation
 
  - Execution
   [ ProcessID]  464
   [ ThreadID]  3020
   Channel Security
   Computer IWA.singlepoint66.com
   Security
 
- EventData
  SubjectUserSid S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
  SubjectUserName DefaultAppPool
  SubjectDomainName IIS APPPOOL
  SubjectLogonId 0x4f7fa
  TargetUserSid S-1-0-0
  TargetUserName karim
  TargetDomainName IWA
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 8
  LogonProcessName Advapi 
  AuthenticationPackageName Negotiate
  WorkstationName IWA
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0xbd8
  ProcessName C:\Windows\System32\inetsrv\w3wp.exe
  IpAddress 10.10.10.10
  IpPort 59372

The failure reason can be looked up here; in my case FailureReason %%2313 is a wrong password or username (I found a forum thread on that).
