Many-To-One Mappings IIS

Many-to-one Client certificate mapping is used by the Internet Information Services (IIS) to associate an end user to a windows account when the client certificate is used for the user authentication. The user session is executed under the context of this mapped windows account by IIS. For this to work we need to ensure that the certificate to account mapping is configured correctly in IIS.

In IIS 6.0, the user had the option to configure Many-to-One client certificate mapping through the IIS Manager User Interface. In IIS 7/7.5, we don’t have such an interface for either One-to-One or Many-to-One mappings. This post talks about the Configuration Editor IIS 7/7.5 extension that can be used to achieve the mappings either for One-to-One or Many-to-One. Here we will talk in specific about Many-to-1 mapping.

IIS 7 or IIS 7.5 Schema

This is the schema for the IIS Client Certificate Mapping authentication feature in IIS 7 or IIS 7.5.
Prerequisites

These are the prerequisites needed for this walkthrough.
1.We have installed IIS Client Certificate Mapping module on the server.
2.A Web Site is configured with an HTTPS binding which can accept SSL connections.
3.We have a client certificate installed on the client.
4.IIS 7 Administration Pack is installed on the IIS 7.0 server. NOTE: Configuration Editor is shipped by default on IIS 7.5.

Walkthrough

Step 1:

1. Launch the IIS manager and select your web site which is being configured for client certificate authentication.

2. In the features View select Configuration Editor under Management section in the Features View.
3. Go to "system.webServer/security/authentication/iisClientCertificateMappingAuthentication" in the drop down box as shown below:

You will see a window to configure Many-to-One or One-to-One certificate mappings here. This is the UI provided through Configuration editor from where we can setup all the mapping configurations.

4. We can go ahead and modify the properties through this GUI.
•Set enabled to true
•Set manyToOneCertificateMappingsEnabled to True
•Select manyToOneMappings and click on the extreme end at the Ellipsis button to launch the new window for configuring mappings.

5. Under this new window go ahead and Add a new item. You can modify the properties from within the window as shown below:

6. Click on the Ellipsis button for rules and this will give you an option to add multiple patterns for matching based on certificate properties.

So here above we have two entries for rules for mapping the certificate. In the above case we are using two different fields named Subject and the Issuer in the certificate field and based on the matchcriteria property map the certificate to the account mydomain\testuser.

Shown below is how the final mapping for a specific windows account looks like. As you can see there are two entries for rules for this account.
Similarly we can have other mappings for various accounts based on the fields “Issuer” and “Subject” in the Certificate.

Download the details with screenshot from here configuring-many-to-one-client-certificate-mappings-for-iis-7-7-5

Relevant Sources:

http://www.iis.net/learn/manage/configuring-security/configuring-one-to-one-client-certificate-mappings

http://blogs.iis.net/webtopics/archive/2010/04/27/configuring-many-to-one-client-certificate-mappings-for-iis-7-7-5.aspx

http://www.iis.net/learn/manage/configuring-security/configuring-one-to-one-client-certificate-mappings

Share

Code Signing (Digital Signature) using Signtool

The following command adds the catalog file MyCatalogFileName.cat to the system component and driver database. The /v option generates a unique name if necessary to prevent replacing an existing catalog file named MyCatalogFileName.cat.

signtool catdb /v /u MyCatalogFileName.cat

The following command signs a file automatically by using the best certificate.

signtool sign /a MyFile.exe

The following command digitally signs a file by using a certificate stored in a password-protected PFX file. Continue reading “Code Signing (Digital Signature) using Signtool” »

Share

How to distribute root certificates as exe files

We start by creating a folder. We call it cer_as_exe and here we put our root certificate that we want to distribute and a small installation script.

image

 Our installation script is not that big. ;)

image

@echo off
certutil -addstore -f -enterprise -user root %tmp%\root_ca.cer > NUL
del /F %tmp%\root_ca.cer > NUL
del /F %tmp%\install.bat > NUL

 This is a very small script that installs a root certificate from a file to the root certificate container in the certificate store for the computer and the user. Then it does a quick cleanup by removing the original root certificate file and installation script that is unpacked in to the %tmp% folder by our installer. Now we need to pack everything as an .exe file that will install our root certificate automatically. ;) Continue reading “How to distribute root certificates as exe files” »

Share

Using an Aladdin eToken with firefox

A very easy method for importing (or removing) keys in your eToken is to add the eToken as a Security Device in Firefox. The procedure for Thunderbird and Mozilla/Seamonkey is nearly identical. To add your eToken as a security device , follow these steps

  • Start Firefox
  • (Linux) Go to Edit->Preferences->Advanced->Tab "Encryption"
  • (Windows) Go to Tools->Options->Advanced->Tab "Encryption"
  • Click on 'Security Devices'

You should see a screen similar to

this.

Share

Setting up an Apache Web Server as a proxy in front of EJBCA

This section will show you how to use an Apache Web Server Proxy in front of EJBCA. The resulting server will

  • Display EJBCA public web at https://ca-server.company.local/
  • Redirect all HTTP-requests to HTTPS, except for OCSP and CRL.
  • Require a client SSL certificate when accessing https://ca-server.company.local/adminweb/
  • Be able to loadbalance requests
  • Still answer to requests on https://ca-server.company.local/ejbca/*

This example was created on Ubuntu 64-bit Server 7.10 using the Apache Web Server 2.2 package, but should be easy to adapt to any system able to run Apache.

Start by installing EJBCA as normal. If you intend to have the CA on the same machine as the proxy you should modify $EJBCA_HOME/conf/web.properties to only listen to localhost Continue reading “Setting up an Apache Web Server as a proxy in front of EJBCA” »

Share

EJBCA Custom OID DN and altName oids

EJBCA supports custom (your own) OIDs in DN components.

In order to add such a DN you can simply call the DN for example:

CN=MyCommonName,1.1.1.1=MyCustomOid,C=SE

Where 1.1.1.1 is your custom OID.

Custom OIDs are always encoded as UTF8String in the DN.

To get support for custom OIDs in the Admin GUI you must edit the file src/java/profilemappings.properties and add your new OID in the end. Just follow the example in the file, and you will get the possibility to add you oid in the End Entity Profile, and following that also when adding new users. If you edit profilemappings.properties, you should also add an entry in src/adminweb/languages/languagefile.XX.properties (where XX is you language). Otherwise your new field will be displayed as the key that you entered (which is probably ok also) in the admin-GUI. The new field you must add in the language file is the last field in profilemappings.properties, i.e. the LanguageConstant. Continue reading “EJBCA Custom OID DN and altName oids” »

Share

Neighbour table overflow

If you have a big network with the hundreds of hosts you can expect “Neighbour table overflow” error which occurs in large networks when there are two many ARP requests which the server is not able to reply. For example you’re using server as a DHCP server, cable modems provisioning, etc.

Nov 10 03:18:17 myhost Neighbour table overflow.
Nov 10 03:18:23 myhost printk: 12 messages suppressed.

To check the present threshold level 1

cat /proc/sys/net/ipv4/neigh/default/gc_thresh1

It will give some value as 128 or 256 or 512.

This can be increased to the next level.Like if the value is 128 then

make the thresh1 value as 256 and thresh2 as 512 and thresh3 as 1024. Continue reading “Neighbour table overflow” »

Share

Connecting openvpn server using openvpn gui client for windows

Assuming that you have a openVPN server ready to allow vpn connectivity from its clients. It is also assumed that CA Certificate (.pem) is also obtained from a valid CA and signed with the openVPN server.

Because the large number of parameters you can define either in the configuration file or in the command line, you could configure OpenVPN in many different manners. In any case, to obtain a connection with a opnVPN server, you only need to define a small number of them in your client's configuration file. In order to further simplify the configuration of the OpenVPN client, you could use an example of configuration as below:  

Continue reading “Connecting openvpn server using openvpn gui client for windows” »

Share

Install Server Certificate for IIS 6 or 5

The following document is partly based on this Microsoft document: How to Import a Server Certificate for Use in Internet Information Services 5.0 (Q232137)

  1. Add Certificates snap-in to MMC
    1. Click Start, and then click Run.
    2. Type "MMC.EXE" (without the quotation marks) and click OK.
    3. Click Console in the new MMC you created, and then click Add/Remove Snap-in.
    4. In the new window, click Add.
    5. Highlight the Certificates snap-in, and then click Add.
    6. Choose the Computer account option and click Next.
    7. Select Local Computer on the next screen, and then click Finish.
    8. Click Close, and then click OK.
    9. You have now added the Certificates snap-in, which will allow you to work with any certificates in your computer's certificate store. You may want to save this MMC for later use. Continue reading “Install Server Certificate for IIS 6 or 5” »
Share