Help me come to grips with SSL and WebDAV on IIS 8
February 7, 2014 8:10 PM
I could use some help finding how-tos and walkthroughs for generating and installing self-signed SSL server certificates, managing SSL client certificates, and setting up external WebDAV over SSL access on Windows Server 2012 + IIS 8 to a large existing Windows Server 2003 file server currently reachable only via the LAN, keeping existing user access rules.
posted by flabdablet to Computers & Internet (9 answers total)
- A hole in the corporate firewall allowing me to accept incoming connections on ports 80 and 443
- One approved domain name for external web access
- An onsite Windows Server 2003 domain controller also configured as a Windows file server, relying heavily on NTFS permissions for access control
- An onsite Windows Server 2012 box with IIS 8 installed, not joined to the Windows Server 2003 box's domain, currently running a 3rd party web app that uses plain text logins; the app currently appears at http://our.domain.address/appfolder from outside, so it's all kinds of insecure
- Virtually no IIS administration experience
- A theoretical understanding of but no practical experience at all with SSL certs
- Easily enough scripting expertise to glue all my requirements together
- Plenty of time
I want to be able to:
- Restrict access to the 3rd party web app to SSL only, with a client cert required. Users should still authenticate against the web app with existing usernames and passwords, so no client cert mapping; the client cert's purpose is to authenticate the user's machine, not the user.
- Make the two main shares on our file server externally available via https://our.domain.address/webdav
- Give each of my users a USB memory stick containing
  - a self-signed SSL server cert for our IIS 8 box
  - a unique-per-stick SSL client cert that our IIS 8 box will require on connection
  - a one-click script they can use to install both certs into IE, Firefox and Chrome
  - a script to prompt for a username and password, then map two WebDAV URLs to Windows drive letters. Again, I want IIS to map neither the client cert nor the client's current Windows credentials to Windows server logon credentials; I want my remote users to have to type the same username and password they'd use for Windows logon to an onsite domain-joined workstation, and have IIS pass those credentials along to the file server.
- Generate a client cert for each such USB stick by entering an arbitrary ID into a one-dialog script on the IIS 8 box
- Revoke any such client cert by entering the ID used to issue it into another one-dialog script on the IIS 8 box
Could some kind soul either direct me to walkthroughs for
- Creating a self-signed SSL server cert and configuring IIS 8 for SSL-only operation using that
- Scripting the creation of SSL client certs
- Configuring IIS 8 to require client certs for SSL connections (in PowerShell, JScript, VBS, cmd or any mixture) without cert->userid mapping
- Scripting revocation/cancellation/deregistration of SSL client certs on IIS 8
- Setting up WebDAV on IIS 8 with plain text auth over SSL, and passing that auth along to a LAN-accessible but otherwise unrelated file server
- Scripting installation of one self-signed server cert and one client cert into IE/Winhttp, Gecko-based browsers, and Webkit-based browsers
or tell me I'm going about this in a boneheaded way because there's something nifty already built into Windows that will do everything I want with two clicks and why don't I just use that? Thanks, all.
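The server-side part of the setup asked for above (self-signed server cert, HTTPS-only binding, client cert required on the app folder with no cert-to-user mapping, WebDAV on /webdav with Basic authentication passed through to the file server's shares), written out as one PowerShell script for the Server 2012 / IIS 8 box. This is an added example, not code from the original post or from any answer in the thread. It assumes names that are not in the post: the site is "Default Web Site", the app lives under "appfolder", the file server is "fs01" with shares "share1" and "share2", and the domain is "CORP". It also assumes the IIS box has been joined to the file server's domain (the post says it is not yet): Basic authentication validates the typed username and password with a local logon call, and a workgroup machine has no way to check a domain account, so without that step every WebDAV logon would fail. Issuing and revoking the per-stick client certs is left out; whatever issues them (a private CA, or each self-signed client cert itself) has to be present in cert:\LocalMachine\Root on this server for SslRequireCert to accept them. Run in an elevated PowerShell on the IIS box.

```powershell
# Added example (not from the original post). Assumed names: site "Default Web Site",
# app folder "appfolder", file server "fs01" with shares "share1"/"share2", domain "CORP".
Import-Module WebAdministration

$site     = 'Default Web Site'
$hostName = 'our.domain.address'
$appHost  = 'MACHINE/WEBROOT/APPHOST'   # write to applicationHost.config <location> tags

# 1. Self-signed server cert in the machine store. The exported .cer is the copy that
#    goes on each USB stick and into the client's Trusted Root store.
New-Item -ItemType Directory -Force -Path 'C:\certs' | Out-Null
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'cert:\LocalMachine\My'
Export-Certificate -Cert $cert -FilePath 'C:\certs\server-public.cer' | Out-Null

# 2. HTTPS binding on 443 using that cert, then drop the plain-HTTP binding so the
#    web app can no longer be reached on port 80 at all.
New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert | Out-Null
Remove-WebBinding -Name $site -Protocol http -Port 80

# 3. Require SSL plus a client certificate on the app folder only. IIS checks that the
#    presented cert chains to a root in cert:\LocalMachine\Root; with neither of the
#    optional mapping features (Web-Client-Auth, Web-Cert-Auth) installed, the cert is
#    never turned into a Windows identity, so the app still does its own password login.
Set-WebConfigurationProperty -PSPath $appHost -Location "$site/appfolder" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' `
    -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 4. WebDAV over SSL with Basic authentication, anonymous off, pointed at the two shares.
#    Basic auth gives IIS the actual password, so the logon token it builds can open a
#    UNC path on its own: leave the virtual directories without a "connect as" account
#    and the file server's NTFS permissions keep deciding who can see what.
Install-WindowsFeature Web-DAV-Publishing, Web-Basic-Auth | Out-Null

New-Item -ItemType Directory -Force -Path 'C:\inetpub\webdav' | Out-Null
New-WebVirtualDirectory -Site $site -Name 'webdav' -PhysicalPath 'C:\inetpub\webdav'
New-Item "IIS:\Sites\$site\webdav\share1" -Type VirtualDirectory -PhysicalPath '\\fs01\share1' | Out-Null
New-Item "IIS:\Sites\$site\webdav\share2" -Type VirtualDirectory -PhysicalPath '\\fs01\share2' | Out-Null

$dav = "$site/webdav"
# SSL required here as well; add SslNegotiateCert,SslRequireCert too if every WebDAV
# client you intend to use can present the stick's client cert.
Set-WebConfigurationProperty -PSPath $appHost -Location $dav `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'
Set-WebConfigurationProperty -PSPath $appHost -Location $dav `
    -Filter 'system.webServer/security/authentication/anonymousAuthentication' `
    -Name 'enabled' -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $dav `
    -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name 'enabled' -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $dav `
    -Filter 'system.webServer/security/authentication/basicAuthentication' `
    -Name 'defaultLogonDomain' -Value 'CORP'   # assumed domain name

# Turn authoring on and allow any authenticated user read/write at the WebDAV layer;
# the real access control stays in the NTFS ACLs on fs01.
Set-WebConfigurationProperty -PSPath $appHost -Location $dav `
    -Filter 'system.webServer/webdav/authoring' -Name 'enabled' -Value $true
Add-WebConfiguration -PSPath $appHost -Location $dav `
    -Filter 'system.webServer/webdav/authoringRules' `
    -Value @{ users = '*'; path = '*'; access = 'Read,Write' }
```

On the client end, once server-public.cer is in the Trusted Root store, `net use X: https://our.domain.address/webdav/share1 /user:CORP\jsmith *` prompts for the password and maps the drive through the WebClient service; that service's default BasicAuthLevel (1) only sends Basic credentials over SSL, which is one more reason to keep port 80 closed for good.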