- IWA Application With IIS and Windows Authentication
- Generate the Necessary SSL Certificates
- Importing the SSL Certificates
- Import CA Certificate on the Web Server into the Trusted Root Certification Authorities Store
- Import the Server Certificate on the Web Server into the Computer Account Personal Certificate Store
- Import CA Certificate on the Client Machine into the Current Users Trusted Root Certification Authorities Store
- Import Client Certificate on the Client Machine into the Current User's Personal Certificate Store
- Configure IWA ASP application to use SSL Client Authentication
- Testing out SSL Client Authentication
- Troubleshooting SSL Authentication with IIS and ASP
IWA Application With IIS and Windows Authentication
Since our IWA connector runs as an ASP application on IIS, we can use the IIS SSL Client Authentication method to log users in. By default, if you visit the IWA application (which uses Windows Authentication) from a machine that is not joined to the domain, you will see a password prompt asking for your AD password:
Let's see if we can enable SSL Client Authentication on the IWA ASP application in IIS and skip that password prompt.
Generate the Necessary SSL Certificates
There are a couple of approaches to this: on Windows we can use makecert, and on Linux we can use openssl.
Creating SSL certificates for SSL Client Authentication with makecert
There are actually a couple of sites that go over the setup:
- IIS 7 and Client Certificates
- How to create an IIS website that requires client certificate using self-signed certificates
- Creating self signed certificates with makecert.exe for development
- Testing with client certificate authentication in a development environment on IIS 8.5
First download the necessary tools; the sites above provide the links to download makecert and pvk2pfx. Next create a self-signed CA with makecert and create a pfx from the newly generated files with pvk2pfx:
```
C:\Users\Admin\Downloads\makecert_pvk2pfx>makecert.exe -n "CN=root-ca-sp66" -r -pe -a sha512 -len 4096 -cy authority -sv root-ca-sp66.pvk root-ca-sp66.cer
Succeeded

C:\Users\Admin\Downloads\makecert_pvk2pfx>pvk2pfx.exe -pvk root-ca-sp66.pvk -spc root-ca-sp66.cer -pfx root-ca-sp66.pfx

C:\Users\Admin\Downloads\makecert_pvk2pfx>dir
 Volume in drive C has no label.
 Volume Serial Number is 26E4-53F1

 Directory of C:\Users\Admin\Downloads\makecert_pvk2pfx

11/04/2016  12:52 PM    <DIR>          .
11/04/2016  12:52 PM    <DIR>          ..
11/04/2016  12:46 PM            69,824 makecert.exe
11/04/2016  12:46 PM            36,544 pvk2pfx.exe
11/04/2016  12:51 PM             1,305 root-ca-sp66.cer
11/04/2016  12:52 PM             4,254 root-ca-sp66.pfx
11/04/2016  12:51 PM             2,348 root-ca-sp66.pvk
               5 File(s)        114,275 bytes
               2 Dir(s)  19,559,297,024 bytes free
```
Next we can create the Server SSL certificate and sign it with the newly created CA (and combine the files into one pfx file):
```
C:\Users\Admin\Downloads\makecert_pvk2pfx>makecert.exe -n "CN=iwa.singlepoint66.com" -iv root-ca-sp66.pvk -ic root-ca-sp66.cer -pe -a sha512 -len 4096 -b 11/01/2016 -e 11/01/2026 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -sv iwa-sp66.pvk iwa-sp66.cer
Succeeded

C:\Users\Admin\Downloads\makecert_pvk2pfx>pvk2pfx.exe -pvk iwa-sp66.pvk -spc iwa-sp66.cer -pfx iwa-sp66.pfx

C:\Users\Admin\Downloads\makecert_pvk2pfx>dir
 Volume in drive C has no label.
 Volume Serial Number is 26E4-53F1

 Directory of C:\Users\Admin\Downloads\makecert_pvk2pfx

11/04/2016  01:09 PM    <DIR>          .
11/04/2016  01:09 PM    <DIR>          ..
11/04/2016  01:08 PM             1,318 iwa-sp66.cer
11/04/2016  01:09 PM             4,262 iwa-sp66.pfx
11/04/2016  01:08 PM             2,348 iwa-sp66.pvk
11/04/2016  12:46 PM            69,824 makecert.exe
11/04/2016  12:46 PM            36,544 pvk2pfx.exe
11/04/2016  12:51 PM             1,305 root-ca-sp66.cer
11/04/2016  12:52 PM             4,254 root-ca-sp66.pfx
11/04/2016  12:51 PM             2,348 root-ca-sp66.pvk
               8 File(s)        122,203 bytes
               2 Dir(s)  19,559,276,544 bytes free
```
Lastly let's create the client SSL certificate and sign it with the same CA (and combine the files into a single pfx file):
```
C:\Users\Administrator.SINGLEPOINT66\Downloads\makecert_pvk2pfx>makecert.exe -n "CN=Karim-cert" -iv root-ca-sp66.pvk -ic root-ca-sp66.cer -pe -a sha512 -len 4096 -b 11/01/2016 -e 11/01/2026 -sky exchange -eku 1.3.6.1.5.5.7.3.2 -sv karim-cert.pvk karim-cert.cer
Succeeded

C:\Users\Admin\Downloads\makecert_pvk2pfx>pvk2pfx.exe -pvk karim-cert.pvk -spc karim-cert.cer -pfx karim-cert.pfx

C:\Users\Admin\Downloads\makecert_pvk2pfx>dir
 Volume in drive C has no label.
 Volume Serial Number is 26E4-53F1

 Directory of C:\Users\Admin\Downloads\makecert_pvk2pfx

11/04/2016  01:15 PM    <DIR>          .
11/04/2016  01:15 PM    <DIR>          ..
11/04/2016  01:08 PM             1,318 iwa-sp66.cer
11/04/2016  01:09 PM             4,262 iwa-sp66.pfx
11/04/2016  01:08 PM             2,348 iwa-sp66.pvk
11/04/2016  01:14 PM             1,307 karim-cert.cer
11/04/2016  01:15 PM             4,254 karim-cert.pfx
11/04/2016  01:14 PM             2,348 karim-cert.pvk
11/04/2016  12:46 PM            69,824 makecert.exe
11/04/2016  12:46 PM            36,544 pvk2pfx.exe
11/04/2016  12:51 PM             1,305 root-ca-sp66.cer
11/04/2016  12:52 PM             4,254 root-ca-sp66.pfx
11/04/2016  12:51 PM             2,348 root-ca-sp66.pvk
              11 File(s)        130,112 bytes
               2 Dir(s)  19,559,260,160 bytes free
```
That should be it for the cert generation.
Creating SSL certificates for SSL Client Authentication with openssl
We can follow a similar process as with makecert. First let's create a self-signed CA:
```
# generate private key for CA
<> openssl genrsa -out root-ca-sp66.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
..................+++
e is 65537 (0x10001)

# create the CA cert and sign it with the CA private key
<> openssl req -x509 -new -nodes -key root-ca-sp66.key -days 1024 -out root-ca-sp66.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Boulder
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RSA
Organizational Unit Name (eg, section) []:PM
Common Name (e.g. server FQDN or YOUR name) []:root-ca-sp66
Email Address []:

# combine the files into a pfx
<> openssl pkcs12 -export -out root-ca-sp66.pfx -inkey root-ca-sp66.key -in root-ca-sp66.pem
Enter Export Password:
Verifying - Enter Export Password:

# here are the resulting files
<> ls
root-ca-sp66.key  root-ca-sp66.pem  root-ca-sp66.pfx
```
Now let's create the Server Certificate and sign it with our CA:
```
## Create Request for Server
<> openssl req -nodes -newkey rsa:2048 -keyout iwa-sp66.key -out iwa-sp66-req.csr
Generating a 2048 bit RSA private key
.........................................................................................................+++
................+++
writing new private key to 'iwa-sp66.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Boulder
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RSA
Organizational Unit Name (eg, section) []:PM
Common Name (e.g. server FQDN or YOUR name) []:iwa.singlepoint66.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

## Sign Request with CA
<> openssl x509 -req -in iwa-sp66-req.csr -CA root-ca-sp66.pem -CAkey root-ca-sp66.key -CAcreateserial -out iwa-sp66-cert.pem -days 500
Signature ok
subject=/C=US/ST=Colorado/L=Boulder/O=RSA/OU=PM/CN=iwa.singlepoint66.com
Getting CA Private Key

## Combine files into PFX
<> openssl pkcs12 -export -out iwa-sp66.pfx -inkey iwa-sp66.key -in iwa-sp66-cert.pem
Enter Export Password:
Verifying - Enter Export Password:

# All the Files
<> ls
iwa-sp66-cert.pem  iwa-sp66.key  root-ca-sp66.key  root-ca-sp66.pfx
iwa-sp66-req.csr   iwa-sp66.pfx  root-ca-sp66.pem  root-ca-sp66.srl
```
And lastly let's create the client cert:
```
## Let's create the request for the Client Cert
<> openssl req -nodes -newkey rsa:2048 -keyout karim-cert.key -out karim-req.csr
Generating a 2048 bit RSA private key
............+++
.....................................+++
writing new private key to 'karim-cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Colorado
Locality Name (eg, city) []:Boulder
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RSA
Organizational Unit Name (eg, section) []:PM
Common Name (e.g. server FQDN or YOUR name) []:Karim-Cert
Email Address []:karim@singlepoint66.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

## Create an openssl config for clients
<> cat openssl-client.cnf
[ client ]
basicConstraints=CA:FALSE
nsCertType = client, email
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName=email:copy

### Now let's Sign it with the CA and use our custom config
<> openssl x509 -req -in karim-req.csr -CA root-ca-sp66.pem -CAkey root-ca-sp66.key -CAserial root-ca-sp66.srl -out karim-cert.pem -days 365 -extfile openssl-client.cnf -extensions client
Signature ok
subject=/C=US/ST=Colorado/L=Boulder/O=RSA/OU=PM/CN=Karim-Cert/emailAddress=karim@singlepoint66.com
Getting CA Private Key

# and let's combine the cert and key files into a pfx file
<> openssl pkcs12 -export -out karim-cert.pfx -inkey karim-cert.key -in karim-cert.pem
Enter Export Password:
Verifying - Enter Export Password:

## All the files in the end
<> ls
iwa-sp66-cert.pem  karim-cert.key  openssl-client.cnf  root-ca-sp66.srl
iwa-sp66-req.csr   karim-cert.pem  root-ca-sp66.key
iwa-sp66.key       karim-cert.pfx  root-ca-sp66.pem
iwa-sp66.pfx       karim-req.csr   root-ca-sp66.pfx
```
That should be it for the certificate creation on a Linux OS with openssl. A couple of notes: the srl file contains the serial value of the last signed cert:
```
## Serial File Contents
<> cat root-ca-sp66.srl
F1CB13B8316DD0C1

## Serial value of last cert
<> openssl x509 -text -noout -in karim-cert.pem | grep -i serial -A 1
        Serial Number:
            f1:cb:13:b8:31:6d:d0:c1
```
Also, for comparison, you can check the purpose of the server cert and the client cert:
```
<> openssl x509 -purpose -noout -in iwa-sp66-cert.pem
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : Yes
S/MIME signing CA : No
S/MIME encryption : Yes
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
```
Here is the client one:
```
<> openssl x509 -purpose -noout -in karim-cert.pem
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
```
For fun here are the ones created by makecert (in DER format):
```
<> openssl x509 -purpose -inform DER -noout -in iwa-sp66.cer
Certificate purposes:
SSL client : No
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
```
And here is the client one:
```
<> openssl x509 -purpose -inform DER -noout -in karim-cert.cer
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : No
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : Yes
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
```
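The purpose listings above show the difference an extension file makes: the openssl server cert was signed without one, so it reports "SSL client : Yes" and every other purpose, while the client cert signed with openssl-client.cnf is limited to clientAuth. The following script is an added example, not code from the post: it drives the same openssl workflow non-interactively (with -subj instead of the interactive DN prompts) and adds a server extension section as the counterpart of the post's client one, so both leaf certs end up with an explicit extendedKeyUsage. It assumes the openssl binary is on PATH; the names root-ca-sp66, iwa.singlepoint66.com and Karim-Cert mirror the post's lab, and the pfx export password is a placeholder.

```python
"""Added example (not from the post): CA, server and client certificates via
openssl, each leaf signed with an explicit extension section. Requires the
openssl binary on PATH; everything happens in a temporary directory."""
import shutil
import subprocess
import tempfile

# Constructed names that mirror the post's lab; change them for your own setup.
CA_CN = "root-ca-sp66"
SERVER_CN = "iwa.singlepoint66.com"
CLIENT_CN = "Karim-Cert"
PFX_PASSWORD = "changeit"  # placeholder export password for the .pfx file


def ext_config(kind):
    """Return an openssl -extfile section that limits what the cert may do.
    The post only wrote such a section for the client cert; 'server' is the
    counterpart (serverAuth only, plus the DNS SAN browsers look for)."""
    if kind == "server":
        return (
            "[ server ]\n"
            "basicConstraints = CA:FALSE\n"
            "keyUsage = digitalSignature, keyEncipherment\n"
            "extendedKeyUsage = serverAuth\n"
            f"subjectAltName = DNS:{SERVER_CN}\n"
        )
    if kind == "client":
        return (
            "[ client ]\n"
            "basicConstraints = CA:FALSE\n"
            "keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n"
            "extendedKeyUsage = clientAuth\n"
        )
    raise ValueError(f"unknown cert kind: {kind}")


def openssl_commands(d):
    """Return the openssl argv lists, in order, for working directory d.
    -subj replaces the interactive DN prompts shown in the post."""
    ca, srv, cli = "root-ca-sp66", "iwa-sp66", "karim-cert"
    return [
        ["openssl", "genrsa", "-out", f"{d}/{ca}.key", "2048"],
        ["openssl", "req", "-x509", "-new", "-nodes", "-key", f"{d}/{ca}.key",
         "-days", "1024", "-subj", f"/CN={CA_CN}", "-out", f"{d}/{ca}.pem"],
        ["openssl", "req", "-nodes", "-newkey", "rsa:2048", "-keyout", f"{d}/{srv}.key",
         "-subj", f"/CN={SERVER_CN}", "-out", f"{d}/{srv}.csr"],
        ["openssl", "x509", "-req", "-in", f"{d}/{srv}.csr", "-CA", f"{d}/{ca}.pem",
         "-CAkey", f"{d}/{ca}.key", "-CAcreateserial", "-days", "500",
         "-extfile", f"{d}/server.cnf", "-extensions", "server", "-out", f"{d}/{srv}.pem"],
        ["openssl", "req", "-nodes", "-newkey", "rsa:2048", "-keyout", f"{d}/{cli}.key",
         "-subj", f"/CN={CLIENT_CN}", "-out", f"{d}/{cli}.csr"],
        ["openssl", "x509", "-req", "-in", f"{d}/{cli}.csr", "-CA", f"{d}/{ca}.pem",
         "-CAkey", f"{d}/{ca}.key", "-CAcreateserial", "-days", "365",
         "-extfile", f"{d}/client.cnf", "-extensions", "client", "-out", f"{d}/{cli}.pem"],
        ["openssl", "pkcs12", "-export", "-out", f"{d}/{cli}.pfx", "-inkey", f"{d}/{cli}.key",
         "-in", f"{d}/{cli}.pem", "-passout", f"pass:{PFX_PASSWORD}"],
    ]


def purposes(cert_path):
    """Parse `openssl x509 -purpose` (the listing format the post shows) into
    a {purpose: bool} dict."""
    out = subprocess.run(["openssl", "x509", "-purpose", "-noout", "-in", cert_path],
                         check=True, capture_output=True, text=True).stdout
    result = {}
    for line in out.splitlines():
        name, sep, value = line.partition(" : ")
        if sep:
            result[name.strip()] = value.strip() == "Yes"
    return result


def build_and_check():
    """Run the whole flow in a temp dir and return (server_purposes,
    client_purposes); return None when openssl is not installed."""
    if shutil.which("openssl") is None:
        return None
    with tempfile.TemporaryDirectory() as d:
        for kind in ("server", "client"):
            with open(f"{d}/{kind}.cnf", "w") as f:
                f.write(ext_config(kind))
        for argv in openssl_commands(d):
            subprocess.run(argv, check=True, capture_output=True)
        # Chain check: both leaf certs must validate against the CA.
        for leaf in ("iwa-sp66", "karim-cert"):
            subprocess.run(["openssl", "verify", "-CAfile", f"{d}/root-ca-sp66.pem",
                            f"{d}/{leaf}.pem"], check=True, capture_output=True)
        return purposes(f"{d}/iwa-sp66.pem"), purposes(f"{d}/karim-cert.pem")


if __name__ == "__main__":
    print(build_and_check())
```

With the server section in place, the server cert reports "SSL server : Yes" and "SSL client : No", matching what makecert produced with -eku 1.3.6.1.5.5.7.3.1, and the client cert stays clientAuth-only. The pfx export here uses a command-line password so the script runs unattended; for a real key you would type it at the prompt as the post does.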
At this point just copy all the PFX files to the Windows server running IIS.
Importing the SSL Certificates
I just ended up using the certs generated with the makecert and pvk2pfx utilities. The certificate imports break down into four parts:
- Import the CA Certificate into the Web Server's Computer Account Trusted Root Certification Authorities store
- Import the Server Certificate into the Web Server's Computer Account Personal Certificate store
- Import the CA Certificate into the Client Machine's Current User Trusted Root Certification Authorities store
- Import the Client Certificate into the Client Machine's Current User Personal Certificate store
Import CA Certificate on the Web Server into the Trusted Root Certification Authorities Store
To import the certificate we need to launch the Certificates Snap-in. Go to Start -> Run -> mmc and then click on the Add/Remove Snap-in option:
Then choose the Certificates Snap-In and pick the Computer Account:
And then choose Local Computer:
Then under the Trusted Root Certification Authorities store import the CA Cert:
After it's imported you can confirm the cert is there:
Import the Server Certificate on the Web Server into the Computer Account Personal Certificate Store
From the same certificate snap-in import the Server Certificate into the Personal Certificate store. After it's imported confirm it's able to see the CA that signed it:
Import CA Certificate on the Client Machine into the Current Users Trusted Root Certification Authorities Store
I was using a Windows 10 machine, so I launched the Certificate Manager (Start -> Run -> certmgr.msc):
Then import the CA certificate into the Trusted Root Certification Authorities store; after it's done you will be able to see it:
Import Client Certificate on the Client Machine into the Current User's Personal Certificate Store
In the same Certificate Manager import the Client Cert under the Personal Store and confirm it's signed by the correct CA:
You can also launch chrome and confirm the cert is present:
Now let's go to the next section.
Configure IWA ASP application to use SSL Client Authentication
This can be broken down into a couple of parts:
- Enable SSL Client Auth method on the IIS server
- Import The Server Certificate into IIS and Enable https binding with the Imported Server Certificate
- Enable SSL Client Authentication on the IWA Application
- Add One to One Mapping for the Certificate and the User
Let's go through each step.
Enable SSL Client Authentication method on the IIS server
Launch the Server Manager and under Roles scroll down to the IIS role and click on Add Role Services:
Then scroll down and enable the IIS Client Certificate Mapping Authentication option:
After it's installed you will see a success message at the end:
Import The Server Certificate into IIS and Enable HTTPS binding with the Imported Server Certificate
Start the IIS Manager (Start -> Run -> inetmgr) and under the Server Section click on the Server Certificates Module:
Then click Import (under the Actions section) and import the Server Certificate:
Then at the Default Site Level click Bindings and enable HTTPS with the uploaded certificate:
Enable SSL Client Authentication on the IWA ASP Application
Now at the Application level launch the SSL Settings module:
and set the Client Certificates to Required and click Apply:
You can also set it to Accept; then the certificate is used only when the browser presents one, and otherwise the application keeps using Windows Authentication:
Add One to One Mapping for the Certificate and the User
Now let's map our certificate to a username and password. This can be done at the Application level or the Site level; I only had one application, so I did it at the Site level. Launch the Configuration Editor module:
In the Section field enter system.webServer/security/authentication/iisClientCertificateMappingAuthentication (that will list the options available for that feature) and enable it:
Then click on oneToOneMappings and click the ... to add a new one:
Then add a new user (for the certificate, paste in the X.509 Base64-encoded version of the client SSL certificate):
Also make sure the certificate is one long line: if the cert contains newline characters, only the first line will be pasted. Then close this dialog and you will see the Count value increase:
Then click Apply and it will save the settings:
That should be it for the IIS settings. For good measure, go ahead and restart the IIS server (Start -> Run -> iisreset).
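The one-line requirement for the certificate field is easy to get wrong when a cert comes out of openssl as a wrapped PEM. The following helper is an added example, not part of the post or of IIS: it takes a PEM (any line wrapping) or raw DER certificate, collapses it to the single-line Base64 the oneToOneMappings entry expects, and renders the configuration fragment that IIS writes under system.webServer/security/authentication when you apply the mapping in the Configuration Editor. The sample certificate bytes are a constructed placeholder with only the outer DER shape of a certificate, and the password value is a placeholder.

```python
"""Added example (not from the post): produce the single-line Base64 client
certificate for an IIS oneToOneMappings entry and the matching config
fragment. Standard library only."""
import base64
import re
from xml.sax.saxutils import quoteattr

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_to_single_line(data):
    """Accept PEM text (str or bytes, any line wrapping) or raw DER bytes and
    return the Base64 DER on one line. Rejects input whose first byte is not
    the DER SEQUENCE tag (0x30) that every X.509 certificate starts with."""
    if isinstance(data, str):
        data = data.encode("ascii")
    match = PEM_BLOCK.search(data.decode("latin-1")) if b"-----BEGIN" in data else None
    if match:
        # Pasting a wrapped PEM body into the IIS dialog keeps only the first
        # line, so drop every newline and space before re-encoding.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
    else:
        der = data
    if not der or der[0] != 0x30:
        raise ValueError("input is not a DER-encoded X.509 certificate")
    return base64.b64encode(der).decode("ascii")


def mapping_fragment(user_name, cert_b64, password="PASSWORD_PLACEHOLDER"):
    """Return the iisClientCertificateMappingAuthentication fragment with one
    one-to-one mapping. The password is a placeholder here; IIS encrypts the
    real value when it saves the configuration."""
    return (
        '<iisClientCertificateMappingAuthentication enabled="true">\n'
        "  <oneToOneMappings>\n"
        f"    <add enabled=\"true\" userName={quoteattr(user_name)} "
        f"password={quoteattr(password)} certificate={quoteattr(cert_b64)} />\n"
        "  </oneToOneMappings>\n"
        "</iisClientCertificateMappingAuthentication>\n"
    )


# Constructed placeholder: a DER SEQUENCE header (length 258) followed by
# filler bytes. It has the outer shape checked above but is not a real cert.
SAMPLE_DER = b"\x30\x82\x01\x02" + bytes(range(256)) + b"\x00\x00"


def to_pem(der):
    """Wrap DER bytes as PEM with 64-character lines, as openssl prints certs."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    one_line = cert_to_single_line(SAMPLE_PEM)
    print(mapping_fragment("karim", one_line))
```

For a real certificate, feed the function the .cer file from makecert (DER) or the .pem from openssl; both yield the same string, which is what you paste into the certificate field of the mapping dialog.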
Testing out SSL Client Authentication
Now just go to the Portal and click on the IWA icon; after you are forwarded to the IWA server it will prompt you for your certificate. Here is how it looked in Chrome:
After choosing the certificate, I was forwarded to the portal and was successfully logged in. Here is how the prompt looked in Edge:
For IE 11 and lower you can set an option to only prompt if you have more than one certificate. Launch Internet Options (Start -> Run -> inetcpl.cpl), go to Security -> Internet -> Custom Level, and under the Miscellaneous section enable the "Don't prompt for client certificate selection when only one certificate exists" option:
That should be it.
Troubleshooting SSL Authentication with IIS and ASP
Here are some troubleshooting tips for this setup. First, enable detailed errors for ASP applications. This is a two-step process: in IIS Manager, under the Application section, launch the ASP module and under Debugging Properties set Send Errors to Browser to True:
Second, under the Error Pages module click on Edit Features Settings and in the Error Responses Section set it to Detailed Errors:
Then when you don't have the client SSL Certificate in the browser you will see this:
Without enabling that you will just see the following:
Another thing to check out is the Security Section in the Event Viewer (Start -> Run -> eventvwr):
I entered the wrong password under the mapping section and saw the following event:
```
- System
  - Provider
    [ Name]  Microsoft-Windows-Security-Auditing
    [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4625
  Version 0
  Level 0
  Task 12544
  Opcode 0
  Keywords 0x8010000000000000
  - TimeCreated
    [ SystemTime]  2016-11-05T17:01:04.790771500Z
  EventRecordID 4208
  Correlation
  - Execution
    [ ProcessID]  464
    [ ThreadID]  3020
  Channel Security
  Computer IWA.singlepoint66.com
  Security
- EventData
  SubjectUserSid S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
  SubjectUserName DefaultAppPool
  SubjectDomainName IIS APPPOOL
  SubjectLogonId 0x4f7fa
  TargetUserSid S-1-0-0
  TargetUserName karim
  TargetDomainName IWA
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 8
  LogonProcessName Advapi
  AuthenticationPackageName Negotiate
  WorkstationName IWA
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0xbd8
  ProcessName C:\Windows\System32\inetsrv\w3wp.exe
  IpAddress 10.10.10.10
  IpPort 59372
```
The failure reason codes can be looked up in the event 4625 reference; in my case FailureReason %%2313 is a wrong password or username (found a forum post on that).
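The event above carries more than the FailureReason code: Status and SubStatus are NTSTATUS values that say whether the user name or the password was the problem, LogonType 8 identifies a cleartext network logon, and the IIS APPPOOL subject plus the w3wp.exe process name tie the event to the web server's mapping attempt. The parser below is an added example, not from the post: it reads a 4625 event in the Security log's XML form (the sample is constructed from the values shown above), decodes those fields with the well-known code tables, and flags the IIS mapping case so the check can be run over exported events rather than read by eye.

```python
"""Added example (not from the post): decode a Security 4625 event and flag
the ones raised by an IIS worker process for a certificate mapping logon."""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Well-known NTSTATUS values that appear in the 4625 Status/SubStatus fields.
NTSTATUS = {
    "0xc000006d": "logon failure: bad user name or password",
    "0xc000006a": "user name is correct but the password is wrong",
    "0xc0000064": "user name does not exist",
    "0xc0000072": "account is disabled",
    "0xc0000234": "account is locked out",
    "0xc0000071": "password has expired",
    "0xc0000193": "account has expired",
    "0xc0000224": "user must change password at next logon",
}
FAILURE_REASONS = {
    "%%2304": "An error occurred during logon.",
    "%%2305": "The specified user account has expired.",
    "%%2307": "Account locked out.",
    "%%2309": "The specified account's password has expired.",
    "%%2310": "Account currently disabled.",
    "%%2313": "Unknown user name or bad password.",
}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "8": "NetworkCleartext", "10": "RemoteInteractive"}

# Constructed from the event shown in the post, in the Security log's XML view.
SAMPLE_EVENT = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}"/>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2016-11-05T17:01:04.790771500Z"/>
    <Channel>Security</Channel>
    <Computer>IWA.singlepoint66.com</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">DefaultAppPool</Data>
    <Data Name="SubjectDomainName">IIS APPPOOL</Data>
    <Data Name="TargetUserName">karim</Data>
    <Data Name="TargetDomainName">IWA</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc0000064</Data>
    <Data Name="LogonType">8</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
    <Data Name="IpAddress">10.10.10.10</Data>
  </EventData>
</Event>"""


def parse_event(xml_text):
    """Flatten the System header and every EventData <Data Name=...> into a dict."""
    root = ET.fromstring(xml_text)
    rec = {
        "EventID": int(root.findtext(f"{NS}System/{NS}EventID")),
        "Computer": root.findtext(f"{NS}System/{NS}Computer"),
        "TimeCreated": root.find(f"{NS}System/{NS}TimeCreated").get("SystemTime"),
    }
    for item in root.iter(f"{NS}Data"):
        rec[item.get("Name")] = (item.text or "").strip()
    return rec


def explain(rec):
    """Translate the coded fields into readable reasons."""
    status = rec.get("Status", "").lower()
    sub = rec.get("SubStatus", "").lower()
    return {
        "status": NTSTATUS.get(status, f"unknown status {status}"),
        "substatus": NTSTATUS.get(sub, f"unknown substatus {sub}"),
        "failure_reason": FAILURE_REASONS.get(rec.get("FailureReason"), "unlisted reason"),
        "logon_type": LOGON_TYPES.get(rec.get("LogonType"), "other"),
    }


def is_iis_mapping_failure(rec):
    """True for a 4625 raised by an IIS worker process under an app pool
    identity, which is what the wrong mapping password produced above."""
    return (rec.get("EventID") == 4625
            and rec.get("SubjectDomainName") == "IIS APPPOOL"
            and rec.get("ProcessName", "").lower().endswith("\\w3wp.exe"))


if __name__ == "__main__":
    record = parse_event(SAMPLE_EVENT)
    print(explain(record), is_iis_mapping_failure(record))
```

On the post's event the SubStatus decodes to "user name does not exist" rather than "password is wrong", which is worth knowing when the mapping's user name, not its password, is the field to re-check.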