Using Client Certificate Authentication with IIS 6.0 Web Sites
[LEFT][CODE]http://www.windowsecurity.com/articles/Client-Certificate-Authentication-IIS6.html[/CODE]
What methods do you use to control access to your secure Web sites? Do you require authentication? If so, what type of authentication? Are the users’ credentials passed in clear text? Do you secure data moving between the Web site and the client, or can anyone with a network sniffer read all the data moving between the Web client and the Web server?
The definition of [I]secure[/I] is a moving target. If you talk to the security wonks, they’ll tell you your configuration is not secure, and that you’ll have to spend an untold number of dollars and administrator hours to correct the security flaws in your network. Meanwhile, if you were to go to the security consultant’s home, you’d find he has glass windows and clear glass panes on his doors, which are easily breakable. Any run-of-the-mill burglar can make off with his stereo and the laptop computer sitting on the desk inside.
When we put together a secure Web site (for employee access, not for e-commerce, as e-commerce sites have an entirely different set of requirements), we require [I]two factor[/I] authentication. Two factor authentication requires that two methods be used when accessing content on the secure Web site. For example, one factor can be the username and password, and the second factor can be biometric input, such as a fingerprint. The two factor authentication methods typically depend on [I]what I know[/I] and [I]what I have[/I].
Most two-factor authentication schemes require very pricey third party devices that provide the [I]what I have[/I] component. The most popular two-factor authentication method is RSA SecurID. The SecurID token generates a one-time password that users enter when they authenticate with a secure Web site. SecurID is a very powerful two-factor authentication scheme and I highly recommend it for organizations that can afford it.
Even if you don’t have hoards of excess cash, you can still benefit from two factor authentication. If you have a Windows 2000 or Windows Server 2003 Server (such as the domain controller in your Active Directory domain), then you can put together your own two-factor authentication scheme. You can install a Microsoft Certificate Server on the Windows Server machine and issue user certificates to your users. Then you can configure your Web site to require both username and password [I]and[/I] a user certificate. The user certificate is the [I]what I have[/I] piece of the two factor authentication scheme.
In this article we’ll go over procedures required to make this two-factor authentication method work. You’ll need to do the following:
[LIST]
[*]Install IIS 6.0 on the Windows Server 2003 computer
[*]Create an offline certificate request file using the Web Site Certificate Wizard
[*]Submit the offline certificate request to the Certificate Server using the Web Enrollment Site
[*]Install the Web site certificate
[*]Install the CA certificate
[*]Configure the Web site to require a client certificate and use basic authentication
[*]Request a User Certificate from the Web enrollment site
[*]Make the connection to the Web site
[/LIST]
Our sample network includes a Windows XP client machine, a Windows Server 2003 Web server and a Windows Server 2003 domain controller that has an enterprise CA installed on it. The enterprise CA must be installed on a machine that is a member of an Active Directory domain. We will use the Web enrollment site on the enterprise CA to obtain certificates. Note that you can also use a standalone CA, which does not require an Active Directory domain. The user interface on the standalone CA differs a bit from the enterprise CA’s Web enrollment site, but the same principles apply.
[B]Install IIS 6.0 on the Windows Server 2003 Computer[/B]
We will use an IIS 6.0 Web server in our example. You can also use IIS 5.0; the Web Site Certificate Request Wizard looks a little different, but the basic functionality and procedures are essentially the same.
The first step is to install the IIS WWW service on the Web server computer. We need to do this because, unlike Windows 2000, where the WWW service is installed by default, Windows Server 2003 does not install it by default.
Perform the following steps to install the IIS 6.0 WWW service on the Windows Server 2003 machine that will act as the Web server:
1. Click [B]Start[/B] and point to [B]Control Panel[/B]. Click the [B]Add or Remove Programs[/B] link.
2. In the [B]Add or Remove Programs[/B] window, click the [B]Add/Remove Windows Components[/B] button.
3. In the [B]Windows Components[/B] window, click the [B]Application Server[/B] entry in the [B]Components[/B] list and then click [B]Details[/B].
4. In the [B]Application Server[/B] dialog box, put a checkmark in the [B]Internet Information Services (IIS)[/B] checkbox. Click [B]OK[/B].
5. Click [B]Next[/B] on the [B]Windows Components[/B] page.
6. Click [B]OK[/B] on the [B]Insert Disk[/B] dialog box. In the [B]Files Needed[/B] dialog box, enter the path to the [B]i386[/B] folder on the Windows Server 2003 CD in the [B]Copy files from[/B] text box. Click [B]OK[/B].
7. Click [B]Finish[/B] when the Wizard is completed.
[B]Create an Offline Certificate Request File using the Web Site Certificate Wizard[/B]
Now that the Web site is installed, we can create an offline request to obtain a Web site certificate.
There are two ways you can make a request for a certificate from a Microsoft Certificate Server: via an offline request and via the Certificates MMC. The Web site machine must be a member of the same domain as the Certificate Server if you want to use the Certificates MMC. In our example, the Web server is not a member of the domain, so we must first generate an offline certificate request file and then submit this file to the Certificate Server using the Certificate Server’s Web enrollment site.
Perform the following steps on the Web server to generate the certificate request file:
1. Click [B]Start[/B] and then point to [B]Administrative Tools[/B]. Click the [B]Internet Information Services (IIS) Manager[/B] link.
2. In the [B]Internet Information Services (IIS) Manager[/B] console, expand the [B]Web Sites[/B] node and click on the [B]Default Web Site[/B] node. Right click on the [B]Default Web Site[/B] node and click [B]Properties[/B].
3. On the [B]Default Web Site Properties[/B] dialog box, click the [B]Directory Security[/B] tab.
4. On the [B]Directory Security[/B] tab, click the [B]Server Certificate[/B] button in the [B]Secure Communications[/B] frame.
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0021088087609739.jpg[/IMG][/INDENT]
5. Click [B]Next[/B] on the [B]Welcome to the Web Server Certificate Wizard[/B] page.
6. On the [B]Server Certificate[/B] page, select the [B]Create a new certificate[/B] option and click [B]Next[/B].
7. On the [B]Delayed or Immediate Request[/B] page, note that the only option available to you is [B]Prepare the request now, but send it later[/B]. The reason for this is that the Web server is not a member of a domain that has an enterprise CA. Accept the default option and click [B]Next[/B].
8. On the [B]Name and Security Settings[/B] page, accept the default values and click [B]Next[/B].
9. On the [B]Organization Information[/B] page, enter the name of your organization in the [B]Organization[/B] text box and enter the name of your organizational unit in the [B]Organizational Unit[/B] text box. Click [B]Next[/B].
10. On the [B]Your Site’s Common Name[/B] page, enter the name of the Web site in the [B]Common name[/B] text box. This is an extremely important entry. The name you put into this text box must be exactly the same as the name the users use to access the Web site. In this example, we will enter [B][url]www.msfirewall.org[/url][/B] into the text box. When users access this site, they will enter into their browsers [B][url]http://www.msfirewall.org[/url][/B]. Click [B]Next[/B].
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0041088087682286.jpg[/IMG][/INDENT]
11. On the [B]Geographical Information[/B] page, enter your [B]State/Province[/B] and [B]City/locality[/B] in the text boxes and click [B]Next[/B].
12. On the [B]Certificate Request File Name[/B] page, accept the default location for the [B]certreq.txt[/B] file and click [B]Next[/B]. (Note that the file is located in the root of the C:\ drive; we’ll retrieve that file later when we make our certificate request to the Certificate Server.)
13. Review the information on the [B]Request File Summary[/B] page and click [B]Next[/B].
14. Click [B]Finish[/B] on the [B]Completing the Web Server Certificate Wizard[/B] page.
15. Click [B]OK[/B] on the [B]Default Web Site Properties[/B] dialog box.
[B]Submit the Offline Certificate Request to the Certificate Server using the Web Enrollment Site[/B]
We can use the certificate request file created by the Web Site Certificate Wizard to request a Web site certificate from the enterprise CA we installed on our domain controller. To accomplish this task, we will open the Certificate Server’s Web enrollment site and send the request.
Perform the following steps to send the Web site certificate request to the enterprise CA:
1. Open [B]Internet Explorer[/B] on the Web server machine and enter [B][url]http://10.0.0.2/certsrv[/url][/B] in the address bar, where [B]10.0.0.2[/B] is the IP address of the Certificate Server. Press ENTER.
2. Enter domain administrator credentials in the authentication dialog box and click [B]OK[/B].
3. On the [B]Welcome[/B] page of the Web enrollment site, click the [B]Request a certificate[/B] link at the bottom of the page.
4. On the [B]Request a Certificate[/B] page, click the [B]advanced certificate request[/B] link.
5. On the [B]Advanced Certificate Request[/B] page, click the [B]Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file[/B] link.
6. On the [B]Submit a Certificate Request or Renewal Request[/B] page, copy the contents of the [B]certreq.txt[/B] file into the [B]Saved Request[/B] text box: open the [B]certreq.txt[/B] file, press [B]CTRL+A[/B] to select all the text, and then press [B]CTRL+C[/B] to copy all the text to the clipboard. Go to the Web browser window, click in the [B]Saved Request[/B] text box and press [B]CTRL+V[/B] to paste the contents of the [B]certreq.txt[/B] file into the text box. Select the [B]Web Server[/B] template from the [B]Certificate Template[/B] list. Click the [B]Submit[/B] button.
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0061088087972195.jpg[/IMG][/INDENT]
7. On the [B]Certificate Issued[/B] page, click the [B]Download certificate[/B] link.
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0081088088063657.jpg[/IMG][/INDENT]
8. In the [B]File Download[/B] dialog box, click the [B]Save[/B] button. Save the file to the Desktop. Click the [B]Close[/B] button.
9. On the [B]Certificate Issued[/B] page, click the [B]Download certificate chain[/B] link.
10. In the [B]File Download[/B] dialog box, click the [B]Save[/B] button. Save the file to the Desktop. Click the [B]Close[/B] button.
11. Close [B]Internet Explorer[/B].
[B]Install the Web Site Certificate[/B]
We’ve downloaded the Web site certificate and CA certificate files from the Web enrollment site. The next step is to install these certificates on the Web server. We’ll begin by installing the Web site certificate and then we’ll install the CA certificate.
Perform the following steps to install the Web site certificate on the Web server:
1. At the Web server machine, click [B]Start[/B] and point to [B]Administrative Tools[/B]. Click the [B]Internet Information Services (IIS) Manager[/B] link.
2. Expand the [B]Web Sites[/B] node in the left pane of the console and then click on the [B]Default Web Site[/B]. Right click on the [B]Default Web Site[/B] and click [B]Properties[/B].
3. In the [B]Default Web Site Properties[/B] dialog box, click the [B]Directory Security[/B] tab.
4. On the [B]Directory Security[/B] tab, click the [B]Server Certificate[/B] button.
5. Click [B]Next[/B] on the [B]Welcome to the Web Server Certificate Wizard[/B] page.
6. On the [B]Pending Certificate Request[/B] page, select the [B]Process the pending request and install the certificate[/B] option and click [B]Next[/B].
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0101088088134772.jpg[/IMG][/INDENT]
7. On the [B]Process a Pending Request[/B] page, click the [B]Browse[/B] button and locate the [B].cer[/B] file for the Web site certificate.
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0121088088176297.jpg[/IMG][/INDENT]
8. On the [B]SSL Port[/B] page, accept the default SSL port, which is [B]443[/B]. Click [B]Next[/B].
9. On the [B]Certificate Summary[/B] page, review your settings and click [B]Next[/B].
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0141088088220172.jpg[/IMG][/INDENT]
10. Click [B]Finish[/B] on the [B]Completing the Web Server Certificate Wizard[/B] page.
11. On the [B]Directory Security[/B] tab, click the [B]View Certificate[/B] button.
12. In the [B]Certificate[/B] dialog box, click the [B]General[/B] tab. Note that the [B]Issued to[/B] name is [B][url]www.msfirewall.org[/url][/B]. This is the common name on the certificate. Notice that there is a red “X” on the certificate at the top of the dialog box.
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0161088088258063.jpg[/IMG][/INDENT]
13. Click on the [B]Certification Path[/B] tab. Notice that there is a red “X” on the root CA. This indicates that the CA certificate of the root CA is not in the [B]Trusted Root Certification Authorities[/B] list on the Web server. We will fix this problem in the next procedure.
14. Click [B]OK[/B] in the [B]Certificate[/B] dialog box.
15. Click [B]OK[/B] in the [B]Default Web Site Properties[/B] dialog box.
[B]Install the CA Certificate[/B]
We need to install the Root CA certificate in the [B]Trusted Root Certification Authorities[/B] store on the Web server machine. This allows the Web server to trust the Web site certificate installed on the IIS Web site.
Perform the following steps to install the root CA certificate into the machine’s certificate store:
1. Click [B]Start[/B] and then click the [B]Run[/B] command.
2. In the [B]Run[/B] dialog box, enter [B]mmc[/B] in the [B]Open[/B] text box and click [B]OK[/B].
3. In the [B]Console1[/B] window, click the [B]File[/B] menu and click the [B]Add/Remove Snap-in[/B] command.
4. In the [B]Add/Remove Snap-in[/B] dialog box, click the [B]Add[/B] button.
5. In the [B]Add Standalone Snap-in[/B] dialog box, select the [B]Certificates[/B] entry in the [B]Available Standalone Snap-ins[/B] dialog box and click [B]Add[/B].
6. On the [B]Certificates snap-in[/B] page, select the [B]Computer account[/B] option and click [B]Next[/B].
7. On the [B]Select Computer[/B] page, select the [B]Local computer[/B] option and click [B]Finish[/B].
8. Click [B]Close[/B] in the [B]Add Standalone Snap-in[/B] dialog box.
9. Click [B]OK[/B] in the [B]Add/Remove Snap-in[/B] dialog box.
10. Expand the [B]Certificates[/B] node and then expand the [B]Trusted Root Certification Authorities[/B] node and click on the [B]Certificates[/B] node. Right click on the [B]Certificates[/B] node, point to [B]All Tasks[/B] and click [B]Import[/B].
11. Click [B]Next[/B] on the [B]Welcome to the Certificate Import Wizard[/B] page.
12. On the [B]File to Import[/B] page, click the [B]Browse[/B] button and locate the [B]certnew.p7b[/B] file you downloaded from the Web enrollment site. Click [B]Next[/B].
13. On the [B]Certificate Store[/B] page, accept the default setting, [B]Place all certificates in the following store[/B] and click [B]Next[/B].
14. Click [B]Finish[/B] on the [B]Completing the Certificate Import[/B] page.
15. Click [B]OK[/B] in the [B]Certificate Import Wizard[/B] dialog box informing you that the import was successful.
[B]Configure the Web Site to Require a Client Certificate and use Basic Authentication[/B]
Now that our certificates are in place, we can configure the Web server’s authentication and SSL settings. Since we want a secure Web server, we’ll force users to use SSL when connecting to the site. SSL will encrypt the user credentials and data moving between the Web client and the Web server. We will also force Integrated authentication, which is more secure than basic authentication. However, the type of authentication used is not so important in this scenario, since the user credentials are protected by SSL. Finally we will configure the Web site to require a user certificate.
Perform the following steps to configure the security settings on the Web site:
1. Click [B]Start[/B] and point to [B]Administrative Tools[/B]. Click [B]Internet Information Services (IIS) Manager[/B].
2. In the [B]Internet Information Services (IIS) Manager[/B] console, expand the server name and expand the [B]Web Sites[/B] node. Click on [B]Default Web Site[/B] and right click on it. Click [B]Properties[/B].
3. In the [B]Default Web Site Properties[/B] dialog box, click the [B]Directory Security[/B] tab.
4. On the [B]Directory Security[/B] tab, click the [B]Edit[/B] button in the [B]Authentication and access control[/B] frame.
5. In the [B]Authentication Methods[/B] dialog box, remove the checkmark from the [B]Enable anonymous access[/B] checkbox. The only checkbox that should be selected is the [B]Integrated Windows authentication[/B] checkbox. Click [B]OK[/B].
6. On the [B]Directory Security[/B] tab, click the [B]Edit[/B] button in the [B]Secure communications[/B] frame.
7. Place a checkmark in the [B]Require secure channel (SSL)[/B] checkbox and put a checkmark in the [B]Require 128-bit encryption[/B] checkbox. Select the [B]Require client certificates[/B] option in the [B]Client certificates[/B] frame. Click [B]OK[/B] in the [B]Secure Communications[/B] dialog box.
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0181088088358704.jpg[/IMG][/INDENT]
8. Click [B]Apply[/B] and then click [B]OK[/B] in the [B]Default Web Site Properties[/B] dialog box.
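The checkboxes set in this procedure are stored in the IIS metabase as two bitmasks, AccessSSLFlags and AuthFlags. The following Python audit is an added example, not part of the original article: it checks a pair of such values against the configuration chosen above. The sample values are constructed, and reading them from the Default Web Site root key with adsutil.vbs is an assumption noted in the comments.

```python
# Added example: audit the IIS 6.0 metabase bitmasks behind the Directory
# Security checkboxes. Assumption: the Default Web Site is site ID 1 and the
# values were read on the server with, for example,
#   cscript adsutil.vbs get w3svc/1/root/AccessSSLFlags
#   cscript adsutil.vbs get w3svc/1/root/AuthFlags

# AccessSSLFlags bits
ACCESS_SSL = 0x008                 # Require secure channel (SSL)
ACCESS_SSL_NEGOTIATE_CERT = 0x020  # ask the client for a certificate
ACCESS_SSL_REQUIRE_CERT = 0x040    # refuse clients that send none
ACCESS_SSL_MAP_CERT = 0x080        # map certificates to Windows accounts
ACCESS_SSL_128 = 0x100             # Require 128-bit encryption

# AuthFlags bits
AUTH_ANONYMOUS = 0x01
AUTH_BASIC = 0x02
AUTH_NTLM = 0x04                   # Integrated Windows authentication
AUTH_MD5 = 0x10                    # Digest authentication
AUTH_PASSPORT = 0x40
PASSWORD_METHODS = AUTH_BASIC | AUTH_NTLM | AUTH_MD5 | AUTH_PASSPORT

MESSAGES = {
    "NO_SSL": "SSL is not required; credentials and data can cross the wire in clear text",
    "NO_128BIT": "128-bit encryption is not required",
    "CERT_NOT_REQUESTED": "client certificates are never requested",
    "CERT_OPTIONAL": "client certificates are requested but not required",
    "REQUIRE_WITHOUT_NEGOTIATE": "AccessSSLRequireCert is set without AccessSSLNegotiateCert",
    "ANONYMOUS_ENABLED": "anonymous access is enabled; no username/password factor",
    "NO_PASSWORD_FACTOR": "no username/password authentication method is enabled",
    "BASIC_IN_CLEAR": "Basic authentication is enabled without required SSL",
}


def audit_site(access_ssl_flags, auth_flags):
    """Return finding codes; an empty list means the site matches the article's setup."""
    def has(bit):
        return bool(access_ssl_flags & bit)

    codes = []
    if not has(ACCESS_SSL):
        codes.append("NO_SSL")
    if not has(ACCESS_SSL_128):
        codes.append("NO_128BIT")
    if not has(ACCESS_SSL_REQUIRE_CERT):
        codes.append("CERT_OPTIONAL" if has(ACCESS_SSL_NEGOTIATE_CERT)
                     else "CERT_NOT_REQUESTED")
    elif not has(ACCESS_SSL_NEGOTIATE_CERT):
        codes.append("REQUIRE_WITHOUT_NEGOTIATE")
    if auth_flags & AUTH_ANONYMOUS:
        codes.append("ANONYMOUS_ENABLED")
    if not auth_flags & PASSWORD_METHODS:
        codes.append("NO_PASSWORD_FACTOR")
    if auth_flags & AUTH_BASIC and not has(ACCESS_SSL):
        codes.append("BASIC_IN_CLEAR")
    return codes


def uses_certificate_mapping(access_ssl_flags):
    """True when certificates are mapped to accounts (not configured in this article)."""
    return bool(access_ssl_flags & ACCESS_SSL_MAP_CERT)


# Constructed sample values: (AccessSSLFlags, AuthFlags)
SAMPLES = {
    "configured as in the steps above": (0x168, 0x04),
    "no SSL, anonymous + Integrated": (0x000, 0x05),
    "RequireCert without NegotiateCert": (0x148, 0x04),
}

if __name__ == "__main__":
    for name, (ssl_flags, auth) in SAMPLES.items():
        codes = audit_site(ssl_flags, auth)
        print(f"{name}: {'OK' if not codes else ''}")
        for code in codes:
            print(f"  {code}: {MESSAGES[code]}")
```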
[B]Request a User Certificate from the Web Enrollment Site[/B]
The client computer must present a user certificate to the Web server before the Web server will accept the user’s credentials. Users can log on to the Web enrollment site and request a user certificate. The user does [I]not[/I] need to be an administrator in the domain or on the Certificate Server computer. The user only needs to have legitimate user credentials that the enterprise CA recognizes.
Perform the following steps on the client computer to obtain the user certificate:
1. On the Web client computer, open Internet Explorer and enter [B][url]http://10.0.0.2/certsrv[/url][/B] in the address bar, where [B]10.0.0.2[/B] is the IP address of the Certificate Server. Press ENTER.
2. In the log on dialog box, enter the credentials of a non-administrator user. This will demonstrate that a non-admin can obtain a user certificate. Click [B]OK[/B].
3. On the [B]Welcome[/B] page of the Web enrollment site, click the [B]Request a certificate[/B] link.
4. On the [B]Request a Certificate[/B] page, click the [B]User Certificate[/B] link.
5. On the [B]User Certificate – Identifying Information[/B] page, click [B]Submit[/B].
6. Click [B]Yes[/B] on the [B]Potential Scripting Violation[/B] dialog box informing you that the Web site is requesting a certificate on your behalf.
7. On the [B]Certificate Issued[/B] page, click the [B]Install this certificate[/B] link.
8. Click [B]Yes[/B] on the [B]Potential Scripting Violation[/B] page informing you that the Web site is adding a certificate to the machine.
9. Close [B]Internet Explorer[/B] after you see the [B]Certificate Installed[/B] page.
[B]Make the Connection to the Web Site[/B]
Now we’re ready to see if our settings actually work! Perform the following steps to connect to the secure Web site:
1. Open [B]Internet Explorer[/B] and enter [B][url]https://www.msfirewall.org[/url][/B] into the Address bar, where [B][url]www.msfirewall.org[/url][/B] resolves to the IP address of the Web server.
2. A [B]Client Authentication[/B] dialog box appears and shows a [B]Users[/B] certificate in the list. Click the [B]View Certificate[/B] button.
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0201088088424540.jpg[/IMG][/INDENT]
3. In the [B]Certificate[/B] dialog box you can see the [B]Issued to[/B] name is the name of the user who requested the certificate. Click [B]OK[/B].
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0221088088470107.jpg[/IMG][/INDENT]
4. Click [B]OK[/B] on the [B]Client Authentication[/B] dialog box.
5. Enter valid user credentials in the authentication dialog box. These credentials must be valid on the Web server computer. Click [B]OK[/B].
6. You can see the default page on the Web site. I haven’t added anything to this Web site, so we see the [B]Under Construction[/B] page. Notice the lock icon in the status bar indicating that we have a secure connection to the Web site.
[INDENT][IMG]http://www.windowsecurity.com/img/upl/image0241088088506870.jpg[/IMG][/INDENT]
In this example we connected to the secure Web site by first providing a user certificate. Only after the user certificate was submitted were we offered the opportunity to present user credentials. It’s important to realize in this example that the user certificate is not mapped to a particular user account. The only requirement for the user certificate is that it comes from a Certificate Authority that the Web server trusts. Trust is based on the CA certificate entries in the Web server’s [B]Trusted Root Certification Authorities[/B] [I]machine[/I] certificate store.
You do have the option to map user certificates to user accounts. This provides an even stronger level of security, because not only must the user submit a user certificate from a trusted Certificate Authority, the user certificate must be mapped to a user account that has permission to access the Web site. If you’re interested in user certificate mapping and how to make it work with your IIS Web server, send me a note at [EMAIL="tshinder@isaserver.org"]tshinder@isaserver.org[/EMAIL].
[B]Summary[/B]
In this article we went over the procedures required to secure a Web site using SSL encryption, user certificate authentication and user credentials. The only requirements are that you have a Windows IIS 5 or 6 Web server, a Microsoft Certificate Server and a browser client that supports user certificates. In future articles we may cover how you can map user certificates to user accounts so that you can further enhance the level of security provided by two-factor authentication using user certificates.
[/LEFT]