SungHoon_Kim

Configuring an ALL-IN-ONE VM Image - Part 5

Blog Post created by SungHoon_Kim Employee on Feb 1, 2016

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

This environment is a continuation of the "Creating an ALL-IN-ONE VM Image" series. (links below)

 

Creating an ALL-IN-ONE VM Image - Part 1

Creating an ALL-IN-ONE VM Image - Part 2

Creating an ALL-IN-ONE VM Image - Part 3

Creating an ALL-IN-ONE VM Image - Part 4

Creating an ALL-IN-ONE VM Image - Part 5

Creating an ALL-IN-ONE VM Image - Part 6

Creating an ALL-IN-ONE VM Image - Part 7

Creating an ALL-IN-ONE VM Image - Part 8

Creating an ALL-IN-ONE VM Image - Part 9

Creating an ALL-IN-ONE VM Image - Part 10-1

Creating an ALL-IN-ONE VM Image - Part 10-2

 

 

The following configuration will be set up.

 

01. Basic setup - Create application and protect using Forms Authentication.

     - Service configuration

     - Startup/Shutdown scripts

     - Logging

     - Basic Concepts

02. Standard Authentication Schemes

     - Basic Concepts

     - Basic

     - HTML Forms

     - HTML using UID and EMAIL

     - Basic over SSL

03. Certificate Authentication Schemes

     - X.509 Certificate Only

     - X.509 Certificate or Basic

     - X.509 Certificate and Basic

     - X.509 Certificate or Form

     - X.509 Certificate and Form

04. Windows Authentication Scheme

05. OAuth Authentication Scheme

06. Cookie Provider

07. Directory Mapping

08. Password Services

09. Impersonation

10. Session Assurance

11. SAML 2.0 Partnership Federation - SSO

12. SAML 2.0 Partnership Federation - SLO

13. SAML 2.0 Partnership Federation - RelayState

14. SAML 2.0 Partnership Federation - Negative Assertion

15. SAML 1.x Partnership Federation

16. Audit Log import

17. Generating Reports

18. SiteMinder Test Tool

19. Global Delivery Modules

20. Troubleshooting

 

Continued from Part 4.

 

Before we go to Certificate Authentication, I installed the Chrome browser, and when accessing AdminUI it gives me an error message, which I would like to address.

 

Server has a weak, ephemeral Diffie-Hellman public key

 

Follow the instructions above if you prefer to use Chrome to administer instead of IE.

 

Now back to Certificate Authentication.

 

There are prerequisites to configure certificate authentication.

This is also called 2 way authentication.

When you visit https://www.test.lab and get the contents without any certificate or SSL-related warnings, that is because you (your browser) trust this web server (the web server is authenticated).

 

How this is done is by the client trusting the ROOT Certificate Authority.

Any certificate issued by this ROOT CA is going to be authenticated as long as the CN value of the server certificate matches the address the browser is accessing.

Let's say the server certificate was "CN=www.test.lab,O=TrustMe" and you access it via https://www.test.lab; then the CN value matches.

 

The browser trusts this ROOT Certificate Authority by storing this CA's certificate in its certificate data store as a Trusted Authority.

 

So, if you are able to access https://www.test.lab without any certificate-related warnings, then the server is authenticated (the server certificate is issued by a Certificate Authority which the browser trusts).

The client knows this server is genuinely the server it wanted to access.

 

This is 1 way authentication (server authentication).

Now the next authentication is the other way, the client authenticating itself to the web server.

The browser submits a certificate which the server trusts. The server must verify that this client certificate is issued by its trusted CA.

 

This makes 2 way authentication (server then client authentication).

 

SiteMinder is involved in this authentication: it finds a matching user in the user store and issues the SMSESSION cookie.

SiteMinder takes part of the client certificate's subjectDN value and uses it to find a matching user.

If a user is found, the user is authenticated.
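
The mapping step described above, sketched as an added example (this is not SiteMinder's code and not part of the original post): it parses a subject DN, takes one attribute from it, and builds an escaped LDAP search filter. The function names, the choice of `CN` as the certificate attribute and `cn` as the directory attribute, and the sample subjects are assumptions made for illustration.

```python
import re

def _split_unescaped(text, sep):
    """Split on sep, ignoring any character that follows a backslash."""
    parts, start, i = [], 0, 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if text[i] == sep:
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts

def _unescape(value):
    """Undo RFC 4514 escapes: \\XX is one UTF-8 byte, \\c is the literal c."""
    out, i = bytearray(), 0
    while i < len(value):
        pair = value[i + 1:i + 3]
        if value[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", pair):
            out.append(int(pair, 16)); i += 3
        elif value[i] == "\\":
            out += value[i + 1:i + 2].encode(); i += 2
        else:
            out += value[i].encode(); i += 1
    return out.decode("utf-8")

def parse_dn(dn):
    """Return [(ATTR, value), ...]; refuse forms this sketch does not handle."""
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        attr, sep, value = rdn.partition("=")
        if not sep or value.startswith("#") or len(_split_unescaped(rdn, "+")) > 1:
            raise ValueError("unsupported RDN: %r" % rdn)
        pairs.append((attr.strip().upper(), _unescape(value)))
    return pairs

def ldap_filter_escape(value):
    """RFC 4515: escape the characters that have meaning inside a filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def user_filter_from_subject(subject_dn, cert_attr="CN", dir_attr="cn"):
    """Build the directory search filter; fail closed on 0 or >1 matches."""
    values = [v for a, v in parse_dn(subject_dn) if a == cert_attr.upper()]
    if len(values) != 1:
        raise ValueError("expected exactly one %s in subject" % cert_attr)
    return "(%s=%s)" % (dir_attr, ldap_filter_escape(values[0]))

# Constructed sample subjects (the first is the test user's DN from this post).
if __name__ == "__main__":
    print(user_filter_from_subject("CN=user1,OU=People,DC=SSO,DC=LAB"))
    print(user_filter_from_subject(r"CN=Doe\, Jane (test*),OU=People,DC=SSO,DC=LAB"))
```

The subject DN is data supplied by whoever holds the certificate, so the value is escaped before it goes into the filter, and a subject with no `CN` or more than one is rejected rather than guessed at.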

 

In this sample, the same Microsoft Certificate System CA issues both the web server and client certificates, so there is no trust problem.

 

As the server already has a server certificate and can be accessed via https, we need to issue a certificate for a test user account.

 

But before we go and create a user, there are a few things that need to be performed.

• Configure correct CRL path
• Disable IE ESC
• Register www.sso.lab to local intranet zone

 

Load the "Certificate Authority" management console.

 

Select "TESTLABCA"
Right click and select "Properties".

 

Click on "Extensions" tab and you will find "CRL Distribution Point" selected.
Click on "Add" and enter the following.

 

Copy the URL in the "Example location" in the text window and paste it into "Location" input field.
Then replace <ServerDNSName> with www.sso.lab as above.
Then click OK.

 

Then select all three below and click "OK".
"Include in CRLs."
"Include in the CDP"
"Include in the IDP"

 

Click "Yes" to restart the Certificate Services.

 

 

Then you need to disable IE "Enhanced Security Configuration".
Load your Service Manager Console.
In the "Security Information" section of the right pane, you will find "Configure IE ESC".

Then you need to register http://www.sso.lab and https://www.sso.lab to the Local Intranet Zone.
Load Internet Options from IE.
Select the Security tab, select the "Local intranet" icon, then click on the "Sites" button.

Click on "Advanced" button at the bottom.

 

Enter "http://www.sso.lab" and "https://www.sso.lab" and click "Add" then "Close".

 

 

If these are not performed, you will get an error when issuing user certificates as below.

 

I am going to create a container to store test users as below.
OU=People,DC=SSO,DC=LAB

Then I moved "user1" to the above OU.
Now the user's DN will be "CN=user1,OU=People,DC=SSO,DC=LAB".
I will explain why I am doing this later (after configuring a successful Certificate Authentication).

 

The easiest way to make a certificate generation/issue request is to log on to the desktop as that user, access https://www.sso.lab/certsrv and submit the user certificate request.

But as this ALL-IN-ONE image itself is a Domain Controller, normal users are not allowed to log on.
Let's promote this user to a domain admin.

 

Run "gpupdate"

 

Sometimes, when you add a user to an administrators group it does not get recognized immediately but after running gpupdate it usually works immediately.

So, you can log on as "user1" on this All-In-One image without delay.

 

 

Switch User or log on to this machine as "user1".
Open IE and go to Options.
At the Security tab, select "Local intranet" and lower the security level.
Then click on the "Sites" button and register https://www.sso.lab to the local intranet zone.

 

 

 

Now visit https://www.sso.lab/certsrv
You will not be challenged as this site is now registered in the Local intranet zone.

 

 

Click on "Request a certificate"

 

 

 

Click on "More Options" link if you want to change some parameters but this should be sufficient to just submit and get a certificate.
For exploration, click on "More Options".

 

The request format can be changed to PKCS10 if you plan on saving this Certificate Signing Request and sending it out to an external CA. But the "Save" option is in the "use the Advanced Certificate Request form".

 

If you want a prompt each time you are accessing your private key (to submit your certificate, or to have the option to cancel submitting your certificate), then you can select "Enable strong private key protection".

 

Not much here.
Click on "use the Advanced Certificate Request form" button to explore further.

 

 

Now you can see there is an option to change the Key Size.
But this does not allow you to get SHA2 certificates. Probably MS will release an update for this if not already available.

 

If you click on "Save request", you can save it as mentioned earlier.
That will change the "Submit" button to "Save" button.
The screen will appear as below; you can copy the CSR content to user1.csr in case you plan to submit it to a different CA.

 

 

Continuing from "Advanced Certificate Request" screen, click on "Submit" button.

 

 

Click on "Install this certificate"

 

 

Load Internet Options from IE.
Click on "Content" tab and click "Certificates" button.

 

You will find the issued certificate in the "Personal" tab.

To export this certificate, click on the "Export" button.

 

You must select "Yes, export the private key".

 

You don't have to select anything here.

 

Enter a passphrase to protect private key export.

 

Export it to Desktop.

 

Click "Finish" to complete the export.

 

 

 

Copy this user1.pfx file to C:\ so Administrator can import it to its IE.

 

Switch user to Administrator.
Open IE, open the Internet Options window, select the "Content" tab and click the "Certificates" button.

At the "Personal" tab, click on "Import".

 

Click Next

 

 

Enter the passphrase that you entered for export.
Select "Mark this key as exportable." so you can export this if needed.

 

Select the default, "Personal" store is good.

 

Click on "Finish" to complete this import.

 

 

Now, you can see "user1" certificate in Administrator's IE.

 

There is just one more configuration required on the Web Server side.
But I will demonstrate the configuration requirement while setting up the Authentication Scheme so it will make better sense.

 

In the next article, we will be setting up X509 Client Cert Template.
