Smart Card (CAC) Authentication with IIS 8.5

In this example I will show you how to set up IIS to require smart card authentication using the DoD Root CA 2, but you can configure IIS to use any trusted root certificate authority.

For this example I am using Windows Server 2012 R2 (IIS 8.5), but these steps should also work for Windows Server 2008 R2 (IIS 7.5).

1. Install Root Certificates

The first step is to ensure you have the root certificates installed for the certificate authority you will authenticate against. For the DoD, we will install them using the “InstallRoot 4” application available at the IASE website: http://iase.disa.mil/pki-pke/.

After the application installs, run “InstallRoot” and click on “Install Certs”. Verify that the DoD certificates are installed and subscribed.

2. Configure the IIS Site for SSL

We now need to set up our website to use SSL. For this example, we will create a “self-signed” certificate. In IIS Manager, click on your server and choose “Server Certificates”.

Choose “Create Self-Signed Certificate” from the list on the right. Give your certificate a name and choose “Web Hosting” for the certificate store.

Next we need to bind the certificate to the website. Browse to your website and choose “Bindings”. Select “https” for the “Type” and choose the certificate we created earlier in the “SSL certificate” box.

Now choose “SSL Settings”.

Check “Require SSL” and choose “Require” under “Client certificates”.

Now when we browse to our website we are prompted for our smart card. Select your certificate and enter your PIN, and the website loads.

3. Certificate Trust List

At this point we have verified that our website can authenticate us with our smart card, but there is a problem. Windows will accept any smart card that holds a certificate issued by any certificate authority in the server’s “Trusted Root Certificate Authority” store. To limit which certificate authorities can be used for authentication, we need to create a certificate trust list.

To create the Certificate Trust List (CTL) we will use the Microsoft MakeCTL.exe tool. Run this tool on the server “As Administrator” to start the CTL Wizard.

Enter a name for your CTL in the “prefix” box. Click the “Add Purpose” button and enter 1.3.6.1.4.1.311.10.1 for the “Object ID”.

Click “Add from Store” and choose the root certificate authority that you will use for authentication.

Click “Browse” on “Select Certificate Store” and make sure to check the “Show physical stores” box. Choose “Local Computer” under “Intermediate Certificate Authorities”.

Complete the wizard. Use the same name (prefix) you entered at the beginning for the “Friendly name”.

Now we need to associate the CTL with our website. Start an Administrative Command Prompt and type:

netsh http show sslcert

Note the IP Port, Certificate Hash, and Application ID. We also will need the friendly name of our CTL.

Now we delete the existing SSL binding:

netsh http delete sslcert ipport=0.0.0.0:443

Now add the new binding with the CTL. Replace the ipport, certhash, appid, and sslctlidentifier with your unique configuration.

netsh http add sslcert ipport=0.0.0.0:443 certhash=e50a486ffd7b22431db143cfa24ffd61d9170890 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlidentifier="DoD CTL" sslctlstorename=CA

That’s it. The site should now only authenticate users whose certificates chain to a certificate authority listed in the CTL.
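The three netsh steps above can be scripted so the certificate hash and application ID are read from the existing binding instead of retyped, and the result checked afterwards. This is an added example, not from the original post; it assumes an elevated PowerShell prompt, a single binding on 0.0.0.0:443, a CTL with the friendly name “DoD CTL” in the Intermediate Certification Authorities (CA) store, and the English field labels printed by netsh http show sslcert.

```powershell
# Added example: re-create the HTTPS binding with the CTL attached.
# Assumes: elevated PowerShell, one binding on 0.0.0.0:443, CTL friendly name
# "DoD CTL" in the Intermediate Certification Authorities (CA) store, and the
# English field labels printed by "netsh http show sslcert".
$IpPort   = '0.0.0.0:443'
$CtlName  = 'DoD CTL'
$CtlStore = 'CA'

# Read the current binding once and pull out the values the post says to note down.
$before = netsh http show sslcert ipport=$IpPort | Out-String
if (-not ($before -match 'Certificate Hash\s*:\s*([0-9a-fA-F]{40})')) {
    throw "No SSL binding found on $IpPort"
}
$certHash = $Matches[1]
if (-not ($before -match 'Application ID\s*:\s*(\{[0-9a-fA-F-]{36}\})')) {
    throw "Application ID not found for binding on $IpPort"
}
$appId = $Matches[1]

# Delete the binding, then add it back with sslctlidentifier/sslctlstorename.
# Start-Process passes the argument string verbatim, so the quotes around the
# CTL name (it contains a space) reach netsh intact.
netsh http delete sslcert ipport=$IpPort | Out-Null
$netshArgs = "http add sslcert ipport=$IpPort certhash=$certHash appid=$appId " +
             "sslctlidentifier=`"$CtlName`" sslctlstorename=$CtlStore"
Start-Process -FilePath netsh.exe -ArgumentList $netshArgs -Wait -NoNewWindow

# Verify: a binding without the CTL still trusts every root in the machine store.
$after = netsh http show sslcert ipport=$IpPort | Out-String
if ($after -match "Ctl Identifier\s*:\s*$([regex]::Escape($CtlName))") {
    Write-Host "CTL '$CtlName' is attached to $IpPort"
} else {
    Write-Warning "CTL not attached to $IpPort; check the friendly name and store"
}
```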

Posted in Uncategorized | 7 Comments

My new Samsung Galaxy S4

I purchased a new Samsung Galaxy S4. It’s a nice device and my first smartphone. I was not a big fan of the TouchWiz interface and opted to install Apex.

The next step is to root the phone and perhaps install a custom ROM. I have to consider how I will use the phone, tablet, and laptop and share data between the devices.

Posted in Uncategorized | Leave a comment

Windows 8, Office 2013, and Visual Studio 2012

I finally took the jump to Windows 8. I wanted to get used to the experience so I can answer questions about the new operating system.

Windows 8

The modern interface and its live tiles are interesting, but I have not found any compelling reason to use the modern start menu over the desktop. Most of the modern applications that I tested had fewer features than their desktop versions. For example, Skype for the desktop has additional proxy settings that I require for the office, but these settings were missing from the modern Skype application.

Office 2013

The new Office has a much clearer interface, but it still runs on the desktop. I had some problems with the new Outlook application freezing when working offline. The ability to edit PDF files is a big plus.

Visual Studio 2012

I love the new Visual Studio. The only issue I had with my older applications is that my setup projects are not compatible. The new SCRUM templates with TFS are nice.

PowerPoint Storyboarding is a big time saver.

One excellent resource that I discovered is the Microsoft Virtual Academy. There are many excellent free classes and resources to explore. Take a look at: http://www.microsoftvirtualacademy.com

Posted in Uncategorized | Leave a comment

Asus TF300 Transformer Pad

I picked up the Asus Transformer Pad for $350. It’s a solid device and I am getting used to Android now. The goal is to replace my laptop as much as possible.

Interesting Apps
Sygic – Offline maps and GPS navigation.
2X Client – Remote Desktop with support for Desktop Composition.
Pulse – News reader
IM+ Pro – Chat with multi protocol support.

Posted in Computers and Internet | Leave a comment

How To Open More Than One Instance of Microsoft Excel 2010

Microsoft Excel defaults to using a single window for all open workbooks. This is not the ideal situation when working with multiple monitors. If you want each workbook to open in its own instance of Microsoft Excel, click on “File” then “Options”. Under “Advanced”, check the box “Ignore other applications that use Dynamic Data Exchange (DDE)”.

Posted in Computers and Internet | Tagged , | 1 Comment

Extract Images From a Microsoft Word Document

You can easily extract images from a Microsoft Word Document by choosing “Save As” and selecting “HTML” as the output format. Microsoft Word will create an HTML file with the text and a folder that contains all the images in the document.

Posted in Computers and Internet | Tagged , , | Leave a comment

Enable a Windows fileserver to support Linux filenames with invalid characters.

Background

We have a Windows Server 2008 R2 fileserver that has the “c:\data” folder shared as “data”. We use this share as a repository for files from both Windows and Linux operating systems. We noticed that some network file copy operations would fail and discovered that the files that were failing all had colons in their filenames. The colon is an invalid character for Windows filenames, and renaming was not an option.

Issue

Windows and Linux have different sets of invalid characters for filenames. A Windows filename cannot contain any of the following characters:

\ / : * ? " < > |

Solution

On the Windows server, turn on NFS sharing and enable character translation. Access the NFS share instead of the Windows share from the Linux operating system.

Instructions (Windows Server)

On the Windows Server we need to install support for NFS shares, create an NFS share for our Linux users, and enable character translation.

Add “Services for Network File System” under “File Services” via “Add Role Services”.

To create a new NFS share, right-click on the folder to share then click the “NFS Sharing” tab. Click the “Manage NFS Sharing” button.

Click the “Share this folder” check box and enter a “Share Name”. Now click the “Permissions” button.

Select the “Type of access” and press the “OK” button. When you are returned to the “NFS Advanced Sharing” window press the “OK” button, then press the “Close” button.

Your NFS Share is indicated with two green icons.

The next step is to enable and set up character translation. Create a text file and add the following line (0x3a is the colon on the client, 0x2d the hyphen it becomes on the server):

0x3a : 0x2d ; replace client : with - on server

Save the text file. In this particular case the file is saved as “C:\trans.txt”, but you can use any name or location.

Open the “Registry Editor” (Start – Run – regedit) and add the path to the text file you created to the “CharacterTranslation” string at the following Key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Server For NFS\CurrentVersion\Mapping

Character translation is now enabled for your NFS shares.
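Because the translation is a lossy rename, it is worth previewing how a set of Linux filenames will appear on the Windows side before relying on it. The following is an added example, not from the original post; it reads the same mapping-file format shown above (“0xNN : 0xNN ; comment”) and flags names that still contain a Windows-invalid character and distinct Linux names that collapse to one Windows name. The mapping text and filenames in it are constructed sample input.

```powershell
# Added example: preview Server for NFS character translation on a set of names.
# The mapping text below follows the format of C:\trans.txt; it and the file
# names are constructed sample input, not taken from a real share.
$MappingText = @"
0x3a : 0x2d ; replace client : with - on server
0x2a : 0x5f ; replace client * with _ on server
"@

# Characters that Windows rejects in file names, as listed in the post.
$WindowsInvalid = [char[]]'\/:*?"<>|'

function Get-NfsCharacterMap {
    param([string]$Text)
    $map = @{}
    foreach ($line in $Text -split "`r?`n") {
        # Drop the ';' comment, then expect "0xNN : 0xNN" (client : server).
        $body = ($line -split ';', 2)[0]
        if ($body -match '^\s*0x([0-9a-fA-F]{2})\s*:\s*0x([0-9a-fA-F]{2})\s*$') {
            $client = [char][Convert]::ToInt32($Matches[1], 16)
            $server = [char][Convert]::ToInt32($Matches[2], 16)
            $map[$client] = $server
        }
    }
    return $map
}

function Convert-NfsFileName {
    param([string]$Name, [hashtable]$Map)
    $chars = foreach ($c in $Name.ToCharArray()) {
        if ($Map.ContainsKey($c)) { $Map[$c] } else { $c }
    }
    return -join $chars
}

$map = Get-NfsCharacterMap -Text $MappingText
$linuxNames = 'report:2013-05.txt', 'report-2013-05.txt', 'notes*final.txt', 'what?.txt'

$seen = @{}   # Windows-side name -> first Linux name that produced it
foreach ($name in $linuxNames) {
    $winName = Convert-NfsFileName -Name $name -Map $map
    $status = 'ok'
    if ($winName.ToCharArray() | Where-Object { $WindowsInvalid -contains $_ }) {
        $status = 'still invalid on Windows (character has no mapping)'
    } elseif ($seen.ContainsKey($winName)) {
        $status = "collides with '$($seen[$winName])'"
    }
    $seen[$winName] = $name
    '{0,-22} -> {1,-22} {2}' -f $name, $winName, $status
}
```

A collision means two different Linux files would map to the same Windows path, so add a mapping or rename one of them before moving the data.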

Instructions (Linux)

On the Linux operating systems we need to enable the NFS client and mount the NFS share hosted on the Windows Server.

Launch the “Synaptic Package Manager” and install the “nfs-common” package.

We need to create a folder to serve as a mount point to the NFS share on the Windows Server. You can use any folder name you want. Open a terminal window and issue the following commands:

sudo su

mkdir /nfs

Connecting to the NFS Share

To view all available shares on a server issue the following command:

showmount -e servername

Replace servername with the name or IP address of your server. This will return a list of NFS shares. On the server at 192.168.75.129 there is a single NFS share called “data”. To mount this NFS share to the /nfs folder, issue the following command:

mount -o soft,intr,rsize=8192,wsize=8192 servername:/sharename /localfoldername

Replace servername with the name or IP address of your server, sharename with the name of your NFS share, and localfoldername with the local folder you want to use as your mount point.

You can now access the share and copy files, even if the filenames contain characters that are invalid on Windows.

On the Windows Server, the invalid characters have been translated (as per the character translation file). Notice that the files still retain their filename on the Linux side.

Posted in Computers and Internet | Tagged , , , | 3 Comments