Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


By Digi-Sign
Created Feb 19 2008 - 11:34

Microsoft IIS 5.x+

IIS Secure Two Factor Authenticated Access



1. Enabling SSL communication security on IIS 5.x+ web server
1.1. Generating a Certificate Signing Request (CSR) using Microsoft IIS 5.x+
1.2. Installing your Digi-SSL™ Certificate on Microsoft IIS 5.x+
1.2.1 Installing the Root & Intermediate Certificates
1.2.2 Installing your Digi-SSL™ Certificate
2. Enabling Client Certificate Authentication on IIS 5.x+ web server
2.1 Obtaining the Digi-Sign Certification Authority Certificate
2.2 Preparing IIS 5.x+ for Digi-Access™ Client Certificate Authentication
3. Obtaining a Digi-Access™ [1] Client Certificate from Digi-Sign
3.1 Applying for a Digi-Access™ Certificate
3.2 Activating and Installing a Digi-Access™ Certificate
4. Setting up a Digi-Access™ User
4.1 Setting up a Windows Local/Active Directory Domain User Account
4.1.1 Setting up a Windows Local User Account
4.1.2 Setting up a Windows Active Directory User Account
4.2 Setting up a Client Certificate Mapping – Digi-Access™ User on IIS 5.x+

1. Enabling SSL communication security on IIS 5.x+ web server

To enable the SSL facility on your website using IIS 5.x+, a Digi-SSL™ certificate is necessary. To obtain your Digi-SSL™ certificate, a Certificate Signing Request [CSR] is required. A CSR is your server's unique "fingerprint" and is generated from your server.

The next section will explain in detail how to generate a CSR.

1.1 Generating a Certificate Signing Request (CSR) using Microsoft IIS 5.x+

To generate the key pair (private and public) and the Certificate Signing Request:

Go to Windows Administrative Tools.

  • Start Internet Services Manager.

  • Open the properties window for the website the CSR is going to be generated for. You can do this by right clicking on the Default Website and selecting Properties from the menu.
  • Open Directory Security by right clicking on the Directory Security tab.

  • Click Server Certificate. The Wizard will appear.

  • Click Create a new certificate and click Next.

  • Select Prepare the request… and click Next.

  • Provide a name for the certificate; this needs to be easily identifiable if you are working with multiple domains. This is for your records only.
  • If your server is 256-bit enabled, you will generate a 2048-bit key. If your server is 128-bit, you can generate up to 1024-bit keys. We recommend you stay with the default 1024-bit key if the option is available. Click Next.

  • Enter the Organisation and Organisation Unit; these are your registered company name and department respectively. Click Next.
  • The Common Name field should be the Fully Qualified Domain Name (FQDN) or the web address for which you plan to use your Digi-SSL™ Certificate, e.g. the area of your site you wish customers to connect to using SSL. For example, a Digi-SSL™ Certificate issued for digi-sign.com will not be valid for secure.digi-sign.com. If the web address to be used for SSL is secure.digi-sign.com, ensure that the common name submitted in the CSR is secure.digi-sign.com.

  • Click Next.

  • Enter your country, state and city. Click Next.

  • Enter a filename and location to save your CSR. You will need this CSR to enrol for your Digi-SSL™ Certificate. Click Next.

  • Check the details you have entered. If you have made a mistake, click Back and amend the details. Be especially sure to check the domain name the Digi-SSL™ Certificate is to be "Issued To". Your Certificate will only work on this domain. Click Next when you are happy the details are absolutely correct.
  • When you make your application, make sure you include the CSR in its entirety in the appropriate section of the Digi-SSL™ web application form, including the lines from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----.

  • Click Next.
  • Confirm your details in the Digi-SSL™ web application form.
  • Click Finish.
  • You may also back up your private key, which will allow you to restore your certificate in case of any system or registry damage.

    To save your private key:

  • Click Start and Run and type MMC (standing for Microsoft Management Console).
  • Go to the Certificates snap-in in the MMC.
  • Select Requests.
  • Select All tasks.
  • Select Export.

We recommend that you make a note of your password and back up your key, as these are known only to you. A floppy diskette or other removable media (CD-ROM, CD-RW) is recommended for your backup files.
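Before pasting a CSR into the enrolment form, it is worth checking it programmatically for the two mistakes the steps above warn about: an incomplete BEGIN/END block and a Common Name that is not the exact host name SSL will run on. The Go program below is an added example (not Digi-Sign's or Microsoft's code); NewSampleCSR stands in for the file the IIS wizard saves, and the organisation details in it are constructed.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// CheckCSR validates a PEM-encoded CSR before it is pasted into an enrolment
// form: the BEGIN/END block must be complete, the request must parse with a
// valid self-signature, the Common Name must equal the host name that will be
// used over SSL, and an RSA key must be at least minBits. It returns the CN.
func CheckCSR(csrPEM []byte, expectedFQDN string, minBits int) (string, error) {
	block, rest := pem.Decode(csrPEM)
	if block == nil {
		return "", errors.New("no complete PEM block: include the BEGIN and END CERTIFICATE REQUEST lines")
	}
	if block.Type != "CERTIFICATE REQUEST" {
		return "", fmt.Errorf("unexpected PEM block type %q", block.Type)
	}
	if strings.TrimSpace(string(rest)) != "" {
		return "", errors.New("trailing data after the CSR block")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", fmt.Errorf("CSR does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR self-signature invalid (file edited or corrupted?): %w", err)
	}
	cn := csr.Subject.CommonName
	if !strings.EqualFold(cn, expectedFQDN) {
		return cn, fmt.Errorf("Common Name %q is not %q: a certificate issued to it would not be valid for that host", cn, expectedFQDN)
	}
	if pub, ok := csr.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < minBits {
		return cn, fmt.Errorf("RSA key is %d bits, below the %d-bit minimum", pub.N.BitLen(), minBits)
	}
	return cn, nil
}

// NewSampleKey generates the RSA key pair the IIS wizard would create (constructed here).
func NewSampleKey(bits int) *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return key
}

// NewSampleCSR builds a constructed CSR with the given Common Name; it stands in
// for the file the IIS wizard saves, not for a real Digi-SSL enrolment.
func NewSampleCSR(commonName string, key *rsa.PrivateKey) []byte {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{
		CommonName: commonName, Organization: []string{"Example Ltd"}, Country: []string{"IE"}}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der})
}

func main() {
	key := NewSampleKey(2048)
	// The page's own example: a CSR for digi-sign.com is wrong if SSL will run on secure.digi-sign.com.
	for _, cn := range []string{"secure.digi-sign.com", "digi-sign.com"} {
		_, err := CheckCSR(NewSampleCSR(cn, key), "secure.digi-sign.com", 1024)
		fmt.Printf("CN=%-22s accepted=%v %v\n", cn, err == nil, err)
	}
}
```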

1.2 Installing your Digi-SSL™ Certificate on Microsoft IIS 5.x+

1.2.1 Installing the Digi-SSL™ Root CA & Intermediate CA Certificates

You will receive 3 Certificates from Digi-Sign. Save these Certificates to the desktop (or another directory on the hard drive) of the web server machine, then:

  • Click the Start button, then select Run and type MMC (standing for Microsoft Management Console).
  • Click File and select Add/Remove Snap-in.
  • Select Add, select Certificates from the Add Standalone Snap-in box and click Add.
  • Select Computer Account and click Finish.
  • Close the Add Standalone Snap-in box and click OK in the Add/Remove Snap-in window.
  • Return to the MMC.

To install the UTN-USERFirst-Hardware.crt Certificate file:

    - Right click the Trusted Root Certification Authorities, select All Tasks, and then select Import.

    - Click Next.

    - Locate the UTN-USERFirst-Hardware.crt Certificate file and click Next.

    - When the wizard is completed, click Finish.

To install the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt:

    - Right click the Intermediate Certification Authorities, select All Tasks, and then select Import.

    - Complete the import wizard again, but this time locating the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt when prompted for the Certificate file.

    - Ensure that the UTN-USERFirst-Hardware.crt certificate appears under Trusted Root Certification Authorities.

    - Ensure that the Digi-SignCADigi-SSLXp.crt or Digi-SignCADigi-SSLXs.crt appears under Intermediate Certification Authorities.



1.2.2 Installing your Digi-SSL™ Certificate

To install the Digi-SSL™ certificate:

Go to Windows Administrative Tools.

    - Start Internet Services Manager.

    - Open the properties window for the website that you have generated the CSR on. You can do this by right clicking on the Default Website and selecting Properties from the menu.

    - Open Directory Security by right clicking on the Directory Security tab.

    - Click Server Certificate. The Wizard will appear.

    - Choose to Process the Pending Request and Install the Certificate. Click Next.

    - Enter the location of your certificate (you may also browse to locate your certificate file), and then click Next.

    - Read the summary screen to be sure that you are processing the correct certificate, and then click Next.

    - You will see a confirmation screen. When you have read this information, click Next.

    - You now have a Digi-SSL™ server certificate installed.

Important: You must now restart the IISAdmin service or reboot the computer to complete the installation.

You may want to test the Web site to ensure that everything is working correctly. Be sure to use https:// when you test connectivity to the site.

2. Enabling Client Certificate Authentication (Digi-Access™ Two Factor Authentication) on IIS 5.x+ web server

To enable Client Certificate Authentication on IIS 5.x+ you will need to obtain the Certification Authority [CA] Certificates and your own Digi-Access™ [1] Client Certificate, and set up a local user (or Active Directory Domain) account on the Windows Server on which the IIS 5.x+ web server is installed and running.

2.1 Obtaining and installing the Digi-Access™ Certification Authority Certificates

To obtain the Digi-Access™ Root Certification Authority Certificate, use the following URL:

Digi-Sign Root CA [2]

To obtain the Digi-Access™ Intermediate Certification Authority Certificate, use the following URL:

Digi-Sign CA Digi-Access Xs [3]

Save these Certificates to the desktop (or another directory on the hard drive) of the web server machine, then:

  • Click the Start button, then select Run and type MMC (standing for Microsoft Management Console).
  • Click File and select Add/Remove Snap-in.
  • Select Add, select Certificates from the Add Standalone Snap-in box and click Add.
  • Select Computer Account, then Local Computer and click Finish.
  • Close the Add Standalone Snap-in box and click OK in the Add/Remove Snap-in window.
  • Return to the MMC.

To install the Digi-Sign_Root_CA.cer Certificate file:

    - Right click the Trusted Root Certification Authorities, select All Tasks, and then select Import.

    - Click Next.

    - Locate the Digi-Sign_Root_CA.cer Certificate file and click Next.

    - When the wizard is completed, click Finish.

To install the Digi-Sign_CA_Digi-Access_Xs.cer:

    - Right click the Intermediate Certification Authorities, select All Tasks, and then select Import.

    - Complete the import wizard again, but this time locating the Digi-Sign_CA_Digi-Access_Xs.cer when prompted for the Certificate file.

    - Ensure that the Digi-Sign_Root_CA.cer certificate appears under Trusted Root Certification Authorities.

    - Ensure that the Digi-Sign_CA_Digi-Access_Xs.cer appears under Intermediate Certification Authorities.


Important: You must now restart the IISAdmin service or reboot the computer to complete the installation.

2.2 Preparing IIS 5.x+ for Digi-Access™ Client Certificate Authentication

To prepare IIS 5.x+ for Digi-Access™ Client Certificate Authentication:

Go to Windows Administrative Tools.

  • Start Internet Services Manager.
  • Open the properties window for the website that you have enabled SSL on. You can do this by right clicking on the Default Website and selecting Properties from the menu.
  • Open Directory Security by right clicking on the Directory Security tab.

  • Click Edit in the Anonymous access and authentication control section.
  • An Authentication Methods window will appear.

  • Make sure that all options (check boxes) in this window are disabled: Anonymous Access, Basic Authentication, Digest Authentication and Integrated Windows Authentication.
  • Click OK to apply changes.
  • Click Edit in Secure communications section.
  • A Secure Communications window will appear.

  • Ensure that the Require secure channel (SSL) option is enabled. The Require 128-bit encryption option should be disabled; you may enable it if you are sure that all end users connecting to your Digi-Access™ protected web site will have 128-bit enabled browsers.
  • Ensure that the Require client certificates radio button is selected.
  • Ensure that the Enable client certificate [4] mapping option is enabled.
  • Ensure that the Enable certificate trust list option is enabled.
  • Under Current CTL, click New.
  • Click Next.
  • A Certificate Trust List Wizard window will appear.

  • Click Add from file.
  • Browse for the Digi-Sign_Root_CA.cer Certificate file that you downloaded and saved on/uploaded to the server in section 2.1 of this document.
  • Once located, select the file and click Open.
  • Click Next.

  • Type a Friendly Name, for example: Digi-Access.
  • Type a Description, for example: Digi-Access Client Authentication for my system.
  • Click Next.
  • Click Finish.
  • You should now see your CTL in the Secure Communications window.

  • Click OK and then OK again.

Your IIS 5.x+ web server is now ready to start working with Digi-Access™ Client Certificate Authentication.

3. Obtaining a Digi-Access™ Client Certificate from Digi-Sign

3.1 Applying for a Digi-Access™ Certificate

To obtain a Digi-Access™ Client Certificate from Digi-Sign, send an email request to support@digi-sign.com [7] providing your (or the end user's) first name, last name and email address. Digi-Sign will then send you (or any user you requested) a Digi-Access™ invitation email message containing instructions on how to apply for a Digi-Access™ certificate and the relevant Digi-Access™ web application URL.

NOTE: If you have already supplied a full list of Digi-Access™ end users to Digi-Sign, you will not need to send a request email to our Support Department for each of these users.

Once in the web application form, the user is asked for specific personal information that will be inserted into his/her certificate. Each of the form's fields has on-line help explaining precisely how to fill it in or which option to enable.

4. Setting up a Digi-Access™ User

Setting up a Digi-Access™ user requires a Windows Local or Active Directory Domain User account (depending on the Windows Server configuration) and a Digi-Access™ [1] certificate containing the public key.

Based on the TTM™ [8] (Total Trust Management) agreement between Digi-Sign and the company using the Digi-Access™ facility, Digi-Sign will automatically send the user's Digi-Access™ Certificate, containing only the public key, to the Digi-Access™ Administrator. The user's Digi-Access™ Certificate file will be sent as an email attachment and should be saved on/uploaded to the Windows Server where Digi-Access™ has been installed.

Further actions with the user's Digi-Access™ Certificate will be described later in this document in section 4.2.

4.1 Setting up a Windows Local/Active Directory Domain User Account

Depending on your Windows Server setup, you can choose a Windows Local User Account setup (section 4.1.1) or, if a Windows Active Directory is present, a Windows Active Directory User Account setup (section 4.1.2).

4.1.1 Setting up a Windows Local User Account

Log on as an Administrator to the Windows Server where Digi-Access™ is set up and:

Go to Windows Administrative Tools.

    - Start Computer Management.
    - From the Computer Management (Local) tree, select Local Users and Groups.
    - Right click on Users and choose New user from the menu.
    - Provide a User Name, for example: user1
    - Provide the Full Name, which will be the first and last name of the end user.
    - Provide a short Description for the user account, for example: Digi-Access user
    - Provide and confirm the Password for the user account. Keep a record of this password for later use: it will be needed when the Digi-Access™ Client Certificate Mapping is set up on IIS 5.x+, which is described later in this document in section 4.2.
    - Ensure that the User must change password after first log on option is disabled.
    - Ensure that the User cannot change password and Password never expires options are enabled.
    - Complete the setup by clicking the Create button and then click the Close button.

The Windows Local User Account is now created.

4.1.2 Setting up a Windows Active Directory User Account

Log on as a Domain Administrator to the Windows Server on which Windows Active Directory is installed and to which the Windows server containing the Digi-Access™ facility is connected, and:

Go to Windows Administrative Tools.

  • Start Active Directory Users and Computers.
  • Right click on Users, and then select New and User from the menu.

  • A New Object – User window will appear.

  • Provide First Name, Last Name and User logon name.
  • Click Next.
  • Provide and confirm the Password for the user account. Keep a record of this password for later use: it will be needed when the Digi-Access™ Client Certificate Mapping is set up on IIS 5.x+, which is described later in this document in section 4.2.
  • Ensure that the User must change password at next log on option is disabled.
  • Ensure that the User cannot change password and Password never expires options are enabled.
  • Click Next.
  • Complete the setup by clicking the Finish button.
  • The Windows Active Directory User Account is now created.

4.2 Setting up a Client Certificate Mapping – Digi-Access™ User on IIS 5.x+

Once the Windows User Account (from section 4.1) is present, you may move to the final step of this document, where you set up a Digi-Access™ user. Before you do this, make sure that you have the following items available:

  • Windows User account password
  • Digi-Access™ [1] Certificate (with public key) file that matches the Windows User Account. The file should already have been saved on the Windows server, as described at the beginning of section 4.

To complete the setup of a Digi-Access™ user:

  • Go to Windows Administrative Tools.
  • Start Internet Services Manager.

  • Open the properties window for the website that you have enabled SSL on. You can do this by right clicking on the Default Website and selecting Properties from the menu.

  • Open Directory Security by right clicking on the Directory Security tab.
  • Click Edit in Secure communications section.
  • A Secure Communications window will appear.

  • Click Edit in the Enable client certificate [4] mapping section.
  • An Account Mappings window will appear.

  • Ensure you are working on the 1-to-1 tab.
  • Click Add and browse for the Digi-Access™ user’s certificate file.
  • Once the file is located click Open.
  • A Map to Account window will appear.

  • Ensure that Enable this mapping option is enabled.
  • Provide a Map Name, for example the user's first and last name.
  • Browse for and select the Windows User Account that was created in section 4.1 of this document.
  • Provide the Password that was created for the Windows User Account in section 4.1 of this document.
  • Click OK.
  • Confirm the Password and click OK.
  • A new mapping should appear in Account Mappings window.
  • Click OK to close the Account Mappings window.
  • Click OK to close the Secure Communications window.
  • Click OK to close the web site properties window.
  • The Digi-Access™ user setup is now complete. The user may now connect to your Digi-Access™ protected web site using your web site URL with https:// typed before the web site name.

Once connected to the site, the user will be asked for a Digi-Access™ Client Certificate; if the Digi-Access™ Certificate is present on the user's machine, access to the web site will be granted, otherwise the user will not be allowed to enter your web site.
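Sections 2.1, 2.2 and 4.2 together define one trust decision: the presented certificate's chain must end at the root named in the CTL, the installed intermediate must be present to build that chain, and only a certificate with a 1-to-1 mapping logs on as a Windows account. The Go code below is an added illustration of that decision, not Digi-Sign's or IIS's code; it builds a throwaway Ed25519 hierarchy in memory with issue, and the CA and user names callers pass are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn signed by parent (self-signed when parent is nil) and
// returns it with its key. Constructed in-memory PKI; the CA names callers pass are assumptions.
func issue(serial int64, cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, // client-auth chain only
	}
	if parent == nil {
		parent, parentKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, priv
}

// Authenticator models the IIS settings from sections 2.1, 2.2 and 4.2: the CTL holds the only
// trusted root, the installed intermediate completes the chain, and 1-to-1 mappings tie one
// exact certificate to one Windows account.
type Authenticator struct {
	ctl, inters *x509.CertPool
	mappings    map[string]string // exact certificate DER -> account name
}

func NewAuthenticator(ctlRoot, intermediate *x509.Certificate) *Authenticator {
	a := &Authenticator{x509.NewCertPool(), x509.NewCertPool(), map[string]string{}}
	a.ctl.AddCert(ctlRoot)
	a.inters.AddCert(intermediate)
	return a
}

// Map registers a 1-to-1 mapping, as the Account Mappings window does.
func (a *Authenticator) Map(cert *x509.Certificate, account string) { a.mappings[string(cert.Raw)] = account }

// Authenticate returns the mapped account for a presented certificate. A chain that does not end
// at the CTL root, a certificate lacking client-auth usage, or a trusted but unmapped one is refused.
func (a *Authenticator) Authenticate(cert *x509.Certificate) (string, error) {
	opts := x509.VerifyOptions{Roots: a.ctl, Intermediates: a.inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if acct, ok := a.mappings[string(cert.Raw)]; ok {
		return acct, nil
	}
	return "", fmt.Errorf("trusted certificate for %q has no 1-to-1 mapping: access denied", cert.Subject.CommonName)
}
```

A certificate issued under any root other than the CTL root is refused even if its subject name matches a mapped user, and installing only the root without the intermediate leaves every user certificate unverifiable, which is why section 2.1 checks both stores.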

For any technical information which is not included in this document, or for further technical support, contact our Support Department by email at support@digi-sign.com [7] or by telephone: +353-1-410-0701.

Thank you for your Custom!

Digi-Sign Technical Department
E: support@digi-sign.com [7]
W: http://www.digi-sign.com [9]
T: +48 22 789 64 92
F: +48 22 789 64 91


Source URL: http://www2.digi-sign.com/support/digi-access/iis

Links:
[1] http://www2.digi-sign.com/digi-access
[2] http://www.digi-sign.com/downloads/certificates/dsroot/Digi-Sign_Root_CA.cer
[3] http://www.digi-sign.com/downloads/certificates/digi-access/Digi-Sign_CA_Digi-Access_Xs.cer
[4] http://www2.digi-sign.com/digital+certificate
[5] https://www.digi-sign.com/downloads/certificates/dsroot/Digi-Sign_Root_CA.cer
[6] https://www.digi-sign.com/downloads/certificates/digi-access/Digi-Sign_CA_Digi-Access_Xs.cer
[7] mailto:support@digi-sign.com
[8] http://www2.digi-sign.com/service/certificate+authority+management+services#ttm
[9] http://www.digi-sign.com