February 1999

Configuring IIS 4.0 Certificate Authentication


Use Certificate Server 1.0 to become a Certificate Authority

Wouldn't it be nice if you could give your trusted users transparent access to your secure Web site? Then, users wouldn't have to enter their username and password every time they enter the site. One way to let users reach a secure portion of your Web site without entering a username and password is to have them use Internet Explorer (IE) on a Windows NT system after you configure Internet Information Server (IIS) to require challenge/response authentication. But what do you do if your users don't run NT or IE? The answer: Use Microsoft Certificate Server, a component of the NT 4.0 Option Pack. Certificate Server lets you create and use digital certificates to authenticate users, and lets users access their NT user accounts without having to provide credentials each time they log on.

Digital certificates are crucial to Web security. A digital certificate is an electronic document that computer systems use to identify and authenticate users who are browsing the Web, using email, and transferring files. One way to obtain digital certificates is through a Certificate Authority (CA), a third-party provider that issues digital certificates to individuals or systems based on verification of a user's identity. Certificate Server lets you act as a CA for your enterprise, empowering you to protect employee confidentiality, reduce cost of ownership, and improve quality of service. (For background information about CAs and digital certificates, see Tao Zhou, "You Can Be a Web Certification Authority," October 1997.)

Unfortunately, finding useful documentation for configuring Certificate Server is difficult. You can find odd snippets of information on TechNet and the Microsoft Web site, but this sketchy data isn't enough to get you going in a reasonable amount of time. In this article, I'll take you through the step-by-step Certificate Server setup and configuration process I discovered. I'll show you how to install Certificate Server, start the Certificate Authority service, and issue client certificates.

Getting Started
To begin, you need to have installed IIS 4.0, the Microsoft Management Console (MMC), and Certificate Server 1.0, all of which Microsoft includes on the Microsoft Windows NT 4.0 Option Pack CD-ROM. Microsoft has posted on its Web site (http://www.microsoft.com) a hotfix for Certificate Server 1.0 to fix a problem that stops users without client certificates from accessing an area with both Certificate and Anonymous access enabled. As I have worked with Certificate Server, I've found that you don't need to install this hotfix because you can work around the problem when you configure permissions, a process I'll explain later. (However, I have stumbled across a few other bugs for which no hotfixes exist.)

Install Certificate Server from the Option Pack CD-ROM. If you've already installed Certificate Server and haven't been able to get it to work, I'll let you in on a secret. The Certificate Server installation prompts you to enter state details of the CA in the Microsoft Certificate Server Setup window, which Screen 1 shows. If you don't enter the CA name in the State field, the IIS metabase doesn't correctly register the CA. Consequently, Certificate Server doesn't accept client certificates this CA signs. If you experience this problem, you must reinstall Certificate Server. However, when you reinstall, you might receive one of two error messages: a Certificate Server Configuration Wizard error or a Windows NT Setup error. All I have been able to discover regarding these error messages is that they signal that the csback.gif, csbull.gif, and cslogo.gif files didn't copy from the Certificate Server root directory (usually C:\winnt\system32\certsrv) into the CertEnroll subdirectory. If you receive either error message, copy the files over manually.

Start the Certificate Authority service in NT from Control Panel, Services. If the service doesn't start, the cause might be that the service can't locate the certmdb.mdb Microsoft Access database. For a reason I can't discover, the Certificate Server installation sets up the Open Database Connectivity (ODBC) system Data Source Name to point to the Certificate Server root directory; however, the global.asa file in the CertAdm subdirectory points to the C:\winnt\system32 directory. The Certificate Server installation places the certmdb.mdb file in the C:\winnt\system32 directory. Therefore, modify the CertSrv system Data Source Name (from Control Panel, ODBC) to point to the certmdb.mdb file, as Screen 2 shows. Your CA service will now be up and running.

Setting Up Your CA
Your Certificate Server installation will prompt you to create a Secure Sockets Layer (SSL) key for your server. The SSL server key lets a Web server and client browser negotiate secure encrypted sessions. Without the SSL key, certificate-based client authentication can't operate on IIS 4.0. You can generate and sign the SSL server key request in one step on your server by selecting Automatically send the request to an online authority in the Create New Key dialog box, as Screen 3 shows. If you choose to create a key request file, you can use Certificate Server's certreq.exe command-line utility to certify the file. (You can use key request files to request server-key signing from a third-party CA.) When you have a signed key, the Certificate Server installation is complete.

Now you must add the CA you just created to the list of trusted CAs on the server by installing the server key in your browser. To do so, launch IE 4.0 on the server and browse to http://server name/certsrv/certenroll/cacerts.htm. A Web page titled Certificate Authority Certificate List will display, listing the CA key you just created. Click the hyperlink and select Open this file from its current location. You will see a prompt to install a New Site Certificate, which Screen 4 shows. Click View Certificate, verify that the key details are as you entered them, and click OK. You will see another prompt asking you to accept adding the certificate to your root store. Click OK.

Select View, Internet Options, Content, Authorities to verify that IE 4.0 has successfully added the certificate to its list of trusted authorities. You will see the CA you created in IE 4.0's Certificate Authorities list, which Screen 5 shows.
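The trust chain this setup builds (a CA certificate, a key request file that the CA signs, and a client that will only accept certificates once the CA's own certificate is in its root store) can be reproduced outside Windows with the OpenSSL command line. This is an added example, not code from the article or from Certificate Server; it assumes the openssl CLI is installed, and every file name and subject name in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the article: the trust relationship the article
# sets up with Certificate Server, reproduced with the OpenSSL CLI in a
# throwaway directory. Assumes openssl is installed; all names are constructed.
set -e
WORK=$(mktemp -d)

# 1. The enterprise CA (the role Certificate Server plays): a self-signed root.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Corp/CN=Example Corp Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. A server key plus a key request file (PKCS#10 CSR), the equivalent of
#    choosing to create a request file instead of using the online authority.
make_request() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=www.example.com" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# 3. The CA certifies the request (what certreq.exe does against Certificate Server).
sign_request() {
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# 4. Chain validation against a trust store ($1 = PEM bundle of trusted roots).
#    Succeeds only when the issuing CA is in the store, which is why the CA
#    certificate from cacerts.htm has to be installed before anything works.
verify_against() {
  openssl verify -CAfile "$1" "$WORK/server.crt" >/dev/null 2>&1
}

# 5. An unrelated root, to show that a well-formed certificate from a CA you
#    have not installed is still rejected.
make_other_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null
}

make_ca && make_request && sign_request && make_other_ca
verify_against "$WORK/ca.crt"    && echo "trusted: issuing CA is in the store"
verify_against "$WORK/other.crt" || echo "rejected: issuing CA is not in the store"
```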



Reader Comments
I’m trying to deploy a secure extranet to a few hundred vendors, and I’ve been struggling with how to incorporate certificates and leverage the services Microsoft Internet Information Server (IIS) offers. I was ready to give up after spending so much time trying (unsuccessfully) to make heads or tails of Microsoft Certificate Server. Then, I read Ramon Ali’s “Configuring IIS 4.0 Certificate Authentication” (February). Finally, here’s an article with some insight and real application of Certificate Server! The other February articles about e-commerce and Microsoft Site Server are also worth their weight in gold. The February issue is Windows NT Magazine’s best issue yet.
--Steve Katsirubas

Steve Katsirubas August 06, 1999


I rarely respond to the authors of any of the thousands of articles that I read each year, but I have to make an exception in this case. Ramon Ali’s “Configuring IIS 4.0 Certificate Authentication” (February) couldn’t have come at a better time for me. I was in the process of installing Microsoft Certificate Server 1.0, and Microsoft’s technical support representatives were already tired of me telling them that they needed to produce better documentation about the installation and configuration of the product and the known problems concerning the product’s operation. Ali’s article provided the explanation I needed to install the product and the confidence to research a problem I encountered.
Every time I tried to start the Certificate Server service, my system timed out with a message stating that the service wouldn’t respond to the control function. Ali’s article convinced me I hadn’t done anything wrong, so I went in search of some documentation to help with the problem. The Microsoft article “Certificate Server Fails to Start After Unattended Installation" (http://support.microsoft.com/support/kb/articles/q190/0/59.asp) addresses the problem and provides an easy fix for it. The article explains that the problem occurs only when you perform an unattended setup of Certificate Server, but my experience says otherwise. In the article, Microsoft details how to create a .reg file to enter the necessary Registry keys the OS doesn’t create during Certificate Server installation, but I entered the Registry values manually. In less than 2 minutes, I resolved the problem.
The Registry entries were crucial, but if I hadn’t read Ali’s article, I wouldn’t have made it even far enough to have this problem. Keep up the good work.
--Kyle S. Hamilton

The Registry settings that the Microsoft article describes seem to point to problems associated with database logging for Certificate Server. I’ve experienced similar problems during a reinstallation of Certificate Server, but I’ve managed to fix them simply by moving the certsrv.mdb file from wherever it is to C:\winnt\system32.
--Ramon Ali

Kyle S. Hamilton August 09, 1999


I have to agree, this article was timed perfectly. I was struggling with issuing Client Certificates and finding that the server that issued them would not recognize them. Who would have thought to enter the CA Name in the State field? Thanks for the timely solution.

Sam Rener, MCSE April 07, 2000


I spent hours and hours working on this problem. The directions here are the ONLY ones that I have been able to get to work. Horrible documentation on Microsoft's part. THANK YOU for documenting this on the web or I would still be scratching my head.

Mike Mellskog - MCSE October 13, 2002


This article was FANTASTIC!!!

It was exactly what I was looking for and answered my question VERY well. Even though we're using IIS 5, this can easily be interpreted.

Thanks again!!

Robert Smith October 28, 2003


Windows IT Pro is a Division of Penton Media Inc. Copyright © 2008 Penton Media, Inc., All rights reserved.