I'm setting up a site on an IIS server that will only be accessible to users in a certain Active Directory group. I'm using IIS's built in authentication to handle this, as the script I'm setting up is unable to do authentication on its own. So far, I have everything working from Firefox and Chrome - a user goes to support.domain.org, IIS prompts them for their credentials, they enter their username and password, and IIS lets them in.

However, Internet Explorer is a different story. With Internet Explorer, they have to enter the domain before their username (such as "district\username" instead of just "username"). If they enter just their username, IIS rejects their authentication, and prompts them for a username again. The second time it prompts them, the prompt displays "support.domain.org\username".

Is there any way, either through a setting on the IIS server or via a GPO for the clients, to prevent IE from doing this?

  On 07/02/2011 at 19:58, Joey H said:

Basic seems to be working, but it's insecure. Is there a way to get this working with Digest or Integrated Windows Authentication?

Hmm... I don't recall an option in IE to disable integrated auth. Is this IIS 6, 7, or 7.5? Unfortunately, to secure basic auth you'll need to use SSL.
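One way to apply the reply above on the IIS side, as an added example that is not part of the thread and not any poster's configuration: keep Integrated Windows Authentication as the first choice, offer Basic only as a fallback, give IIS a default logon domain so a bare username from IE is mapped to the right domain, and refuse Basic over plain HTTP by requiring SSL for the application. The site path `Default Web Site/support`, the NetBIOS domain `DISTRICT` and the realm string are assumptions; the WebAdministration cmdlets and the `defaultLogonDomain`, `realm` and `sslFlags` settings are real IIS 7.x+ configuration.

```powershell
# Added example (not from the thread): lock down the support application in IIS.
# Assumptions: IIS 7.x or later with the WebAdministration module, the app lives
# under "Default Web Site/support", and the AD NetBIOS domain is DISTRICT.
Import-Module WebAdministration

$appHost  = 'MACHINE/WEBROOT/APPHOST'           # edit applicationHost.config, not web.config
$site     = 'Default Web Site/support'          # assumed site/application path
$domain   = 'DISTRICT'                          # assumed AD NetBIOS domain name
$authBase = 'system.webServer/security/authentication'

# 1. Anonymous access off: every request must carry credentials.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authBase/anonymousAuthentication" -Name enabled -Value $false

# 2. Prefer Integrated Windows Authentication (Kerberos/NTLM). The password
#    never crosses the wire, so it is safe even before TLS is in place.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authBase/windowsAuthentication" -Name enabled -Value $true

# 3. Keep Basic as the fallback the thread ended up using, but set a default
#    logon domain so a bare "username" from IE is treated as DISTRICT\username
#    instead of being looked up against the web server itself.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authBase/basicAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authBase/basicAuthentication" -Name defaultLogonDomain -Value $domain
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$authBase/basicAuthentication" -Name realm -Value 'support.domain.org'

# 4. Basic sends the password base64-encoded (not encrypted) on every request,
#    so require SSL for the application; plain-HTTP requests now get 403.4.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Verify: print the effective settings for the application.
foreach ($section in 'anonymousAuthentication', 'windowsAuthentication', 'basicAuthentication') {
    $cfg = Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$authBase/$section"
    '{0,-24} enabled={1}' -f $section, $cfg.enabled
}
'sslFlags={0}' -f (Get-WebConfiguration -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access').sslFlags
```

With both providers enabled, IE and Chrome on a domain-joined machine will normally complete Negotiate silently for an intranet-zone site and never fall back to Basic; Firefox only does Negotiate/NTLM automatically for hosts listed in `network.negotiate-auth.trusted-uris` and `network.automatic-ntlm-auth.trusted-uris`, which is why it keeps prompting. Requiring SSL means the site also needs a certificate the clients trust, which is what the rest of the thread turns to.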

How difficult is it to setup a server as a CA and get all of the clients on the domain to trust certificates from that CA? Are there any guides available? I've tried once and didn't have much luck.

Our domain has 12 domain controllers and about 2700 clients. However, only one of our servers (the Exchange server) has an SSL cert issued by a trusted third party (DigiCert). Right now, we have two other services that are used internally, and those servers have self-signed SSL certs, but of course that generates errors. Is there a way I could generate certs for those on a central CA, so that domain clients won't get that error? These sites won't really be used too heavily outside the network, so we won't care too much if there's an SSL error externally.

  On 07/02/2011 at 23:08, Joey H said:

How difficult is it to setup a server as a CA and get all of the clients on the domain to trust certificates from that CA? Are there any guides available? I've tried once and didn't have much luck.

Our domain has 12 domain controllers and about 2700 clients. However, only one of our servers (the Exchange server) has an SSL cert issued by a trusted third party (DigiCert). Right now, we have two other services that are used internally, and those servers have self-signed SSL certs, but of course that generates errors. Is there a way I could generate certs for those on a central CA, so that domain clients won't get that error? These sites won't really be used too heavily outside the network, so we won't care too much if there's an SSL error externally.

Take a look at www.startssl.com. It allows you to generate certificates for free. And they will work both in and outside the firewall.

  On 07/02/2011 at 23:08, Joey H said:

How difficult is it to setup a server as a CA and get all of the clients on the domain to trust certificates from that CA? Are there any guides available? I've tried once and didn't have much luck.

Hmm... I configured ours back in 2006, so I'm a bit fuzzy tbh... From what I remember, you install the certification authority service on a member server or domain controller as an Enterprise Root CA, then modify the domain default group policy to configure Autoenrollment for your clients/server (Computer Configuration -> Windows Settings -> Security Settings->Public Key Policies).

I know our domain workstations and servers retrieve the CA certificate automatically as members of the domain, not through GPO. Like I said I'm fuzzy, but I believe this is because an Enterprise Root CA's public cert is published to the domain/forest it's a member of, and clients will automatically retrieve it during the next refresh. Sorry I can't be more precise, here. :\

This technet article focuses on 2008, but I know they've got others for 2003/2000 depending on your servers & domain level.

http://technet.microsoft.com/en-us/library/cc731183(WS.10).aspx

You could also install a certificate authority. It's a built-in feature of Windows Server 2000+, and pretty easy to manage. If you add the root certificate of your CA to the trusted root certificate authorities in the domain default policy (or any domain-wide GPO), then every computer in your domain will trust any certificate generated by your CA as long as the host name and validity period are OK.

As for guides... that's too much like actual work. :laugh: But both the domain CA and the free certs from startssl are good options, and you should be able to Google your way to victory from there. :yes:
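The internal-CA route described in the two replies above, carried through end to end as an added example (it is not from the thread or any poster's environment): install an Enterprise Root CA, let the forest publish its root so domain members trust it, have the web server enroll for a certificate, bind that certificate to the HTTPS listener, and then check from a client that the served chain validates the way a browser would. The ADCS and PKI cmdlets need Windows Server 2012 or later, so this is newer than the 2008-era servers discussed; the CA name `DISTRICT-ROOT-CA`, the site name `Default Web Site` and the use of the built-in `WebServer` template are assumptions, while `support.domain.org` is the host from the thread.

```powershell
# Added example (not from the thread). Assumptions: Windows Server 2012+, run as
# an Enterprise Admin, CA name DISTRICT-ROOT-CA, site "Default Web Site" bound to
# support.domain.org. Run each section on the machine named in its header.

# --- On the CA server ---------------------------------------------------------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'DISTRICT-ROOT-CA' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force
# An Enterprise CA publishes its root certificate into the AD configuration
# partition, so domain members pick it up at the next Group Policy refresh
# without a separate Trusted Root GPO. Show what the forest now trusts:
certutil -viewstore -enterprise Root

# --- On the IIS server (domain member) ----------------------------------------
# Enroll from the built-in WebServer template. Its default ACL only lets
# Domain/Enterprise Admins enroll, so first grant the web server's computer
# account Read + Enroll on the template in the Certificate Templates console.
$result = Get-Certificate -Template WebServer `
    -SubjectName 'CN=support.domain.org' -DnsName 'support.domain.org' `
    -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment not completed: $($result.Status)" }
$cert = $result.Certificate

# Bind the certificate to the HTTPS listener for the site.
Import-Module WebAdministration
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -HostHeader 'support.domain.org'
}
(Get-WebBinding -Name 'Default Web Site' -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# --- On any domain client -----------------------------------------------------
gpupdate /target:computer /force           # pull the published root now
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq 'CN=DISTRICT-ROOT-CA' }
if (-not $root) { throw 'Root CA certificate has not reached the machine store' }

# Fetch the certificate the site actually serves and validate it the way a
# browser does: trusted root, hostname match, server-auth EKU, validity period.
$tcp = New-Object Net.Sockets.TcpClient('support.domain.org', 443)
$accept = { $true } -as [Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient('support.domain.org')
$served = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$tcp.Close()
# True only when the whole chain checks out; False means IE/Chrome will warn.
Test-Certificate -Cert $served -Policy SSL -DNSName 'support.domain.org'
```

The `Test-Certificate` step is the useful check: it fails on the same things a browser complains about (untrusted root, name mismatch, expiry), so running it from a freshly joined client tells you whether the published root has really propagated before any user sees a warning.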

  On 08/02/2011 at 01:38, Ottsca said:

Take a look at www.startssl.com. It allows you to generate certificates for free. And they will work both in and outside the firewall.

This is true, StartSSL is trusted by a lot of browsers. Do you ever have trouble w/their request site? Sometimes I would get looping redirects, other times it wouldn't detect the client cert in the browser. I eventually had to give it up. :(

It looks like setting up an internal CA and pushing it out through the Trusted Root CA settings in AD seems to work for IE and Chrome, and using that + basic authentication is working for those browsers now.

Firefox maintains its own list of CAs though, and is ignoring the GPO. Is there a way to get Firefox to accept my CA's certificate via a batch script or GPO or something?

  On 08/02/2011 at 14:19, Joey H said:

It looks like setting up an internal CA and pushing it out through the Trusted Root CA settings in AD seems to work for IE and Chrome, and using that + basic authentication is working for those browsers now.

Firefox maintains its own list of CAs though, and is ignoring the GPO. Is there a way to get Firefox to accept my CA's certificate via a batch script or GPO or something?

We found the simplest way (for us) was to provide instructions for Firefox users to manually import our CA root cert into Firefox's cert store. A good example can be found at http://wiki.cacert.org/BrowserClients

There are GPO options for Firefox (with caveats, of course), this site may help in that regard: http://www.frontmotion.com/Firefox/fmfirefox.htm
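For the Firefox question, an added example that is not from the thread and not the reply author's method: Firefox's own policy engine (policies.json in the `distribution` folder, or the matching registry keys from the Mozilla ADMX templates) can tell it to trust roots from the Windows certificate store, which is exactly where the AD Trusted Root GPO already places them. This mechanism is much newer than the 2011 thread (Firefox 60 ESR or later). The install path, the CA subject `CN=DISTRICT-ROOT-CA` and the `certs` subfolder are assumptions.

```powershell
# Added example (not from the thread): make managed Firefox installs trust the
# enterprise root without per-user imports. Assumptions: Firefox 60 ESR+ under
# Program Files, and the root already in the Windows machine store as
# CN=DISTRICT-ROOT-CA. Run as an administrator on each client (or via a
# computer startup script).

$firefoxDir = 'C:\Program Files\Mozilla Firefox'          # assumed install path
$distDir    = Join-Path $firefoxDir 'distribution'
$policyFile = Join-Path $distDir 'policies.json'

# Option A: read enterprise roots straight from the Windows store. This is the
# same store the AD GPO populates, so no certificate file has to be shipped.
$policy = @{
    policies = @{
        Certificates = @{
            ImportEnterpriseRoots = $true
        }
    }
}

# Option B: also ship the .cer next to the policy (covers installs where the
# Windows store is not managed). Full file paths are accepted in Install.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq 'CN=DISTRICT-ROOT-CA' }
if ($root) {
    $certDir = Join-Path $distDir 'certs'
    New-Item -ItemType Directory -Force -Path $certDir | Out-Null
    $cerPath = Join-Path $certDir 'district-root-ca.cer'
    Export-Certificate -Cert $root -FilePath $cerPath -Type CERT | Out-Null
    $policy.policies.Certificates.Install = @($cerPath)
}

New-Item -ItemType Directory -Force -Path $distDir | Out-Null
$policy | ConvertTo-Json -Depth 5 | Set-Content -Path $policyFile -Encoding ASCII
Get-Content $policyFile   # show the resulting policies.json

# GPO equivalent (Mozilla ADMX templates), if you prefer not to drop a file:
#   HKLM\SOFTWARE\Policies\Mozilla\Firefox\Certificates\ImportEnterpriseRoots = 1 (DWORD)
# Firefox lists what it actually loaded under about:policies.
```

Firefox only reads `policies.json` from the `distribution` folder of the install directory, and policies are applied at the next start, so a check on the client is to open `about:policies` and confirm `ImportEnterpriseRoots` is listed as active; the site should then load without a warning just as it does in IE and Chrome.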

  On 08/02/2011 at 01:56, g33kb0y said:

This is true, StartSSL is trusted by a lot of browsers. Do you ever have trouble w/their request site? Sometimes I would get looping redirects, other times it wouldn't detect the client cert in the browser. I eventually had to give it up. :(

It seems to work well in Internet Explorer, but does have issues in Chrome.
