Help me come to grips with SSL and WebDAV on IIS 8
February 7, 2014 8:10 PM

I could use some help finding how-tos and walkthroughs for generating and installing self-signed SSL server certificates, managing SSL client certificates, and setting up external WebDAV over SSL access on Windows Server 2012 + IIS 8 to a large existing Windows Server 2003 file server currently reachable only via the LAN, keeping existing user access rules.

I have:
  • A hole in the corporate firewall allowing me to accept incoming connections on ports 80 and 443
  • One approved domain name for external web access
  • An onsite Windows Server 2003 domain controller also configured as a Windows file server, relying heavily on NTFS permissions for access control
  • An onsite Windows Server 2012 box with IIS 8 installed, not joined to the Windows Server 2003's domain, currently running a 3rd party web app that uses plain text logins; app currently appears at http://our.domain.address/appfolder from outside so it's all kinds of insecure
  • Virtually no IIS administration experience
  • A theoretical understanding of but no practical experience at all with SSL certs
  • Easily enough scripting expertise to glue all my requirements together
  • Plenty of time
I want to be able to:
  • Restrict access to the 3rd party web app to SSL only, with client cert required. Users should still authenticate against the web app with existing usernames and passwords, so no client cert mapping; client cert's purpose is to authenticate the user's machine, not the user.
  • Make the two main shares on our file server externally available via https://our.domain.address/webdav
  • Give each of my users a USB memory stick containing
    • a self-signed SSL server cert for our IIS 8 box
    • a unique-per-stick SSL client cert that our IIS 8 box will require on connection
    • a one-click script they can use to install both certs into IE, Firefox and Chrome
    • a script to prompt for a username and password, then map two WebDAV URLs to Windows drive letters. Again, I want IIS to map neither the client cert nor the client's current Windows credentials to Windows server logon credentials; I want my remote users to have to type the same username and password they'd use for Windows logon to an onsite domain-joined workstation, and have IIS pass those credentials along to the file server.
  • Generate a client cert for each such USB stick by entering an arbitrary ID into a one-dialog script on the IIS 8 box
  • Revoke any such client cert by entering the ID used to issue it into another one-dialog script on the IIS 8 box
Could some kind soul either direct me to walkthroughs for
  • Creating a self-signed SSL server cert and configuring IIS 8 for SSL-only operation using that
  • Scripting the creation of SSL client certs
  • Configuring IIS 8 to require client certs for SSL connections (in PowerShell, JScript, VBS, cmd or any mixture) without cert->userid mapping
  • Scripting revocation/cancellation/deregistration of SSL client certs on IIS 8
  • Setting up WebDAV on IIS 8 with plain text auth over SSL, and passing that auth along to a LAN-accessible but otherwise unrelated file server
  • Scripting installation of one self-signed server cert and one client cert into IE/Winhttp, Gecko-based browsers, and Webkit-based browsers
or tell me I'm going about this in a boneheaded way because there's something nifty already built into Windows that will do everything I want with two clicks and why don't I just use that? Thanks, all.
posted by flabdablet to Computers & Internet (9 answers total)
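As an added example (not code from this thread or from any poster), here is the server-side part of the question's wish list in PowerShell on the Server 2012 / IIS 8 box: a self-signed server cert, an https binding, and "SSL required plus client cert required" on the app folder, with IIS's own cert-to-user mapping left switched off so the app's username/password login stays the only user authentication. Assumed: the site is "Default Web Site", the app lives under /appfolder, and our.domain.address is the placeholder host name from the question; run from an elevated PowerShell session.

```powershell
# Added example, not from the thread. Assumptions: site "Default Web Site",
# app at /appfolder, external host name our.domain.address (placeholder).
Import-Module WebAdministration

$site     = 'Default Web Site'
$appPath  = 'appfolder'
$hostName = 'our.domain.address'

# 1. Self-signed server cert in the machine store. The public half is what goes on
#    the USB sticks so browsers trust the box; the private key never leaves the server.
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. An https binding on 443 that uses the new cert.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
(Get-WebBinding -Name $site -Protocol https -Port 443).AddSslCertificate($cert.Thumbprint, 'My')

# 3. Require SSL AND a client certificate for the app folder. This section is locked
#    at server level, so write it into applicationHost.config via -Location rather
#    than into the app's web.config. Plain http requests to the folder now get 403.4.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$appPath" `
    -Filter 'system.webServer/security/access' `
    -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 4. Pin IIS client-cert-to-Windows-account mapping to disabled (its default), so the
#    client cert only gates the connection and never becomes a logon identity.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$appPath" `
    -Filter 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication' `
    -Name enabled -Value $false

# 5. Read the effective settings back so the change can be checked before testing
#    from outside the firewall.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$appPath" `
    -Filter 'system.webServer/security/access' -Name sslFlags
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$appPath" `
    -Filter 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication' `
    -Name enabled
```

Issuing and revoking the per-stick client certs is a separate problem: a self-signed server cert cannot sign client certs, so step 3 only makes sense once you have an issuing cert (and a CRL for revocation) that IIS is told to trust.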
Best answer: I can't address all of it, but when looking into client certs for my own app (still not finished) I found this guide:

creating client side ssl certificates

The process is definitely something you could run from a script.
posted by idiopath at 8:21 PM on February 7, 2014

I'm not entirely sure I follow what your ultimate goal is, here. But from what you've described wanting to do it sounds like all sorts of convoluted bad idea.

It's certainly possible to map AD user accounts to certificates (2008+ does this quite well) but the non-domain iis/proxy thing you're trying to do is likely to get in the way fairly significantly.

You may find it's a lot easier, simpler, and quicker to setup a VPN and have your users connect to that and then map their drives normally. This is a quicker, simpler, easier, built-in option.
posted by coriolisdave at 8:47 PM on February 7, 2014

Response by poster: It's certainly possible to map AD user accounts to certificates

Just to clarify, that's exactly what I want not to happen. I want my users to need to type their customary usernames and passwords with their customary fingers, but only be given the opportunity to do that if in possession of a valid SSL client cert.

My ultimate goal is to be able to give any of our not at all technically savvy primary school teachers a USB stick and instructions saying "take this home, plug it in, click Connect, and you get the same O: and P: drives as you do at work, and the usual desktop shortcuts pointing to your usual folders on those." I also want to lock down our currently hopelessly insecure web app enough that the idea of putting a link to it on the school web page doesn't make me feel ill.

I have considered doing the file server part with OpenVPN. There is already a process in place upstream for providing remote access to the school's existing VPN, but it's ridiculously bureaucratic because it allows access to far more things that I want to open up, Windows-only on the client side, and honestly would need far more of my time to administer and train staff for than a more restricted solution I set up locally and admin myself. WebDAV is an attractive option because I already have an externally-accessible server box in place that can do it, and it will also come in useful for file server access on the iPads that have recently started to worm their way into the curriculum.

Our internal staff passwords are sufficiently kid-resistant, but far too squishy-soft for general protection against a hostile Internet. That's why I want to lock external access to our web server down to machines controlled by people I've physically handed a USB stick to, and why I want to be able to revoke those sticks individually and easily. I don't want my client certs automatically mapping to user IDs because most of our teachers are going to be using home machines that don't have separate Windows accounts set up on them, and I want at least some minimal technical measure in place against entire families being given instant no-effort access to staff-only school resources.
posted by flabdablet at 9:24 PM on February 7, 2014

Response by poster: By the way, I had remote file access working beautifully a few years back, using SMB/CIFS over ssh port forwarding, but that really only worked well for our Mac and Linux clients; Windows service packs kept breaking it. WebDAV for remote file access is well supported on all the client platforms I care about with virtually zero setup, so if I can just get the SSL stuff under control and learn how to admin an IIS 8 WebDAV server, I'm golden.
posted by flabdablet at 9:33 PM on February 7, 2014

Pretty sure you can require an AD client cert AND user/pass - reason I'm recommending this route is the revocation is easy and can be done by a helpdesk guy disabling their AD account.

Also doesn't require the client PC to be a domain member - you'd have to physically give them their certificate, and the cert chain.
posted by coriolisdave at 9:50 PM on February 7, 2014

It's certainly possible to map AD user accounts to certificates

Just to clarify, that's exactly what I want not to happen. I want my users to need to type their customary usernames and passwords with their customary fingers, but only be given the opportunity to do that if in possession of a valid SSL client cert.

I think this *is* what you want to do.

A) You control cert issuance, which ought to be User:Cert :: 1:1
B) You control AD accounts
C) If you do (A) and (B) right, AD: Cert :: 1:1
D) You control the Certificate Revocation List, for bad Users

I suppose you *could* layer ASPNet forms authentication over that.

That said, VPN is the absolutely right answer, and you can do VPN over SSL w/ a cert.
posted by j_curiouser at 11:15 PM on February 7, 2014

Response by poster: Just for further clarification, I am the "help desk guy" as well as the domain admin, and I want to be able to revoke a remote access client cert without also disabling on-campus AD login.

Also, the most common thing that will end up happening to my client certs is that they get installed on a home PC shared by the teacher's whole family, and this is not something I'm willing to treat as "bad behaviour" as long as they don't also tell their own kids their staff username and password.

Would appreciate being given the benefit of an assumption that I have in fact carefully considered the balance between technical feasibility, user aptitude and organizational politics.

I understand completely that a VPN would easily allow for a wider range of remote capabilities than the proposed SMB/CIFS to WebDAV proxy, but please believe me that it's not going to happen that way, mostly for political and user aptitude reasons. Also not interested in solutions that ultimately involve TCP inside a TCP tunnel; been there, done that, didn't work well.

Will now stop threadsitting except to respond to specific requests for clarification.
posted by flabdablet at 12:30 AM on February 8, 2014

I want to be able to revoke a remote access client cert without also disabling on-campus AD login.

no prob - you use IIS Certificate mapping, not AD Certificate Mapping. Here's an intro.
posted by j_curiouser at 1:47 AM on February 8, 2014

yep - just noticed that's an old article - sorry. concepts are exactly the same, but google around for the IIS 7 one for the mechanics.
posted by j_curiouser at 1:54 AM on February 8, 2014
