IIS, AD Authentication, and Internet Explorer

[JoeyF]

I'm setting up a site on an IIS server that will only be accessible to users in a certain Active Directory group. I'm using IIS's built in authentication to handle this, as the script I'm setting up is unable to do authentication on its own. So far, I have everything working from Firefox and Chrome - a user goes to support.domain.org, IIS prompts them for their credentials, they enter their username and password, and IIS lets them in.

However, Internet Explorer is a different story. With Internet Explorer, they have to enter the domain before their username (such as "district\username" instead of just "username"). If they enter just their username, IIS rejects their authentication, and prompts them for a username again. The second time it prompts them, the prompt displays "support.domain.org\username".

Is there anyway, ether through a setting on the IIS server or via a GPO for the clients, to prevent IE from doing this?

[g33kb0y]

Change authentication from integrated to Basic, then change the realm to your AD domain.

[JoeyF]

Basic seems to be working, but it's insecure. Is there a way to get this working with Digest or Integrated Windows Authentication?

[g33kb0y]

  On 07/02/2011 at 19:58, Joey H said:

Basic seems to be working, but it's insecure. Is there a way to get this working with Digest or Integrated Windows Authentication?

Hmm... I don't recall an option in IE to disable integrated auth. Is this IIS 6, 7, or 7.5? Unfortunately, to secure basic auth you'll need to use SSL.

[g33kb0y]

Ah, there is indeed a setting in IE to disable integrated ntlm auth. YMMV, I've never used it myself. :p We use basic+ssl auth at my workplace.

http://ie7triage.spaces.live.com/blog/cns!3B6634EF5458F389!422.entry

[JoeyF]

How difficult is it to setup a server as a CA and get all of the clients on the domain to trust certificates from that CA? Are there any guides available? I've tried once and didn't have much luck.

Our domain has 12 domain controllers and about 2700 clients. However, only one of our servers (the Exchange server) has an SSL cert issued by a trusted third party (DigiCert). Right now, we have to other services that are used internally, and those servers have self-signed SSL certs, but of course that generates errors. Is there a way I could generate Certs for those on a central CA, so that domain clients won't get that error. These sites won't really be used too heavily outside the network, so we won't care too much if there's a SSL error externally.

[Scott Hellewell]

  On 07/02/2011 at 23:08, Joey H said:

How difficult is it to setup a server as a CA and get all of the clients on the domain to trust certificates from that CA? Are there any guides available? I've tried once and didn't have much luck.

Our domain has 12 domain controllers and about 2700 clients. However, only one of our servers (the Exchange server) has an SSL cert issued by a trusted third party (DigiCert). Right now, we have to other services that are used internally, and those servers have self-signed SSL certs, but of course that generates errors. Is there a way I could generate Certs for those on a central CA, so that domain clients won't get that error. These sites won't really be used too heavily outside the network, so we won't care too much if there's a SSL error externally.

Take a look at www.startssl.com. It allows you to generate certificates for free. And they will work both in and outside the firewall.

[g33kb0y]

  On 07/02/2011 at 23:08, Joey H said:

How difficult is it to setup a server as a CA and get all of the clients on the domain to trust certificates from that CA? Are there any guides available? I've tried once and didn't have much luck.

Hmm... I configured ours back in 2006, so I'm a bit fuzzy tbh... From what I remember, you install the certification authority service on a member server or domain controller as an Enterprise Root CA, then modify the domain default group policy to configure Autoenrollment for your clients/server (Computer Configuration -> Windows Settings -> Security Settings->Public Key Policies).

I know our domain workstations and servers retrieve the CA certificate automatically as members of the domain, not through GPO. Like I said I'm fuzzy, but I believe this is because an Enterprise Root CA's public cert is published to the domain/forest it's a member of, and clients will automatically retrieve it during the next refresh. Sorry I can't be more precise, here. :\

This technet article focuses on 2008, but I know they've got others for 2003/2000 depending on your servers & domain level.

http://technet.microsoft.com/en-us/library/cc731183(WS.10).aspx

[random_n]

You could also install a certificate authority. It's a built-in feature of Windows Server 2000+, and pretty easy to manage. If you add the root certificate of your CA to the trusted root certificate authorities in the domain default policy (or any domain-wide GPO), then every computer in your domain will trust any certificate generated by your CA as long as the host name and validity period are OK.

As for guides... that's too much like actual work. :laugh: But both the domain CA and the free certs from startssl are good options, and you should be able to Google your way to victory from there. :yes:

[g33kb0y]

  On 08/02/2011 at 01:38, Ottsca said:

Take a look at www.startssl.com. It allows you to generate certificates for free. And they will work both in and outside the firewall.

This is true, StartSSL is trusted by a lot of browsers. Do you ever have trouble w/their request site? Sometimes I would get looping redirects, other times it wouldn't detect the client cert in the browser. I eventually had to give it up. :(

[JoeyF]

It looks like setting up an internal CA and pushing it out through the Trusted Root CA settings in AD seems to work for IE and Chrome, and using that + basic authentication is working for those browsers now.

Firefox maintains its own list of CAs though, and is ignoring the GPO. Is there a way to get Firefox to accept my CA's certificate via a batch script or GPO or something?

[g33kb0y]

  On 08/02/2011 at 14:19, Joey H said:

It looks like setting up an internal CA and pushing it out through the Trusted Root CA settings in AD seems to work for IE and Chrome, and using that + basic authentication is working for those browsers now.

Firefox maintains its own list of CAs though, and is ignoring the GPO. Is there a way to get Firefox to accept my CA's certificate via a batch script or GPO or something?

We found the simplest way (for us) was to provide instructions for Firefox users to manually import our CA root cert into Firefox's cert store. A good example can be found at http://wiki.cacert.org/BrowserClients

There are GPO options for Firefox (with caveats, of course), this site may help in that regard: http://www.frontmotion.com/Firefox/fmfirefox.htm

[Scott Hellewell]

  On 08/02/2011 at 01:56, g33kb0y said:

This is true, StartSSL is trusted by a lot of browsers. Do you ever have trouble w/their request site? Sometimes I would get looping redirects, other times it wouldn't detect the client cert in the browser. I eventually had to give it up. :(

It seems to work well in Internet Explorer, but does have issues in Chrome.

[JoeyF]

Frontmotion looks pretty interesting, I think I'll give that a try. Thanks everyone!