
Certificate-based Multi-Form Factor Authentication for Websites

2018

USING ACTIVE DIRECTORY USER CERTIFICATE AUTHENTICATION ON IIS WEB SERVER FOR SYNERGETIC

BRADLEY PULLEY; STEPHEN BLOOMER

ST. PETER'S COLLEGE | Cranbourne, Victoria, Australia, 3977


Contents

- First Thing's First…
- Setting up Group Policy for Users to obtain Certificates from the CA
- Creating the Certificate Template for Staff Laptops
- Installing the IIS Web Server with AD Certificate Authentication feature
- Setting up IIS Websites to ask for Client Certificates
- Manual Enrolment for Certificates
- Appendices

IMPORTANT! All of the set-up steps in this document require Administrator credentials, or being logged in with an account that has Administrator rights.


First Thing's First…

Before starting this guide, there are a few prerequisites and preambles required to get this working.

- You will need a Certificate Authority (CA) server on your domain. This is set up using Active Directory Certificate Services.
  o There are plenty of Microsoft TechNet articles available to help you set up a CA server. The first place you can look is here: https://docs.microsoft.com/en-us/windows-server/networking/core-network-guide/cncg/server-certs/install-the-certification-authority
- This guide was written during testing in a test environment including Windows Server 2016 and Windows 10 machines. It has also proven to work in a Windows Server 2012 R2 environment with Windows 8.1 and 10 clients. So provided your domain environment has a minimum OS of Windows Server 2012 R2 and Windows 8.1 clients, you'll be fine!
- This has NOT been tested in a Windows Server 2019 environment, but most, if not all, aspects of this guide should work.
- This guide is designed to work for domain-joined staff laptops and desktop machines. This heightens security by preventing access to the website from machines that were not provided by the school.


Setting up Group Policy for Users to obtain Certificates from the CA

On a Domain Controller, run gpmc.msc (Group Policy Management).

- Create a Group Policy, and navigate to User Configuration -> Policies -> Windows Settings -> Security Settings -> Public Key Policies.
- Open "Certificate Services Client – Certificate Enrollment Policy".
- Next to Configuration Model, select "Enabled" from the drop-down box.
- Ensure that "Active Directory Enrollment Policy" is enabled and selected, and then click Properties.
- Under Enrollment configuration, check the "Enable for automatic enrolment and renewal" checkbox.
- Apply and OK those settings.

- Open "Certificate Services Client – Auto-Enrollment".
- Select "Enabled" from the Configuration Model drop-down box.
- Then check the following boxes:
  o "Renew expired certificates, update pending certificates, and remove revoked certificates"
  o "Update certificates that use certificate templates"
- Then Apply and OK.

In the Group Policy Management console, link the Group Policy Object to the appropriate Organisational Units (OUs) and/or Security Groups.
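The Auto-Enrollment part of this GPO can also be created and linked from PowerShell. The script below is an added example, not part of this guide, and assumes the GroupPolicy module (RSAT) on the domain controller, placeholder GPO and OU names, and that the "Certificate Services Client – Auto-Enrollment" setting is stored as the AEPolicy registry value (the value 7 for "Enabled with both boxes ticked" is an assumption to confirm by opening the resulting GPO in gpmc.msc). The Certificate Enrollment Policy step is not scripted here and is still done in the GUI as above.

```powershell
# Added example (not from the guide). Creates the user-side auto-enrolment GPO
# and links it to an OU. Requires the GroupPolicy module (RSAT); run as a domain admin.
Import-Module GroupPolicy

$GpoName  = 'Staff - Certificate Auto-Enrolment'    # placeholder name
$TargetOu = 'OU=Staff,DC=example,DC=internal'       # placeholder OU distinguished name

# Registry location behind "Certificate Services Client - Auto-Enrollment" (User Configuration)
$AutoEnrollKey = 'HKCU\Software\Policies\Microsoft\Cryptography\AutoEnrollment'

# Assumed AEPolicy bit values (verify against the GPO in gpmc.msc):
#   0x1    = Renew expired certificates, update pending certificates, and remove revoked certificates
#   0x2    = Update certificates that use certificate templates
#   0x4    = Expiration notification (set by default when the setting is Enabled)
#   0x8000 = the setting is Disabled
$AePolicyEnabledBothBoxes = 0x7

function New-AutoEnrolmentGpo {
    param([string]$Name, [string]$OuDn, [int]$AePolicy)

    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'User certificate auto-enrolment' }

    # Configuration Model = Enabled, with both checkboxes ticked
    Set-GPRegistryValue -Name $Name -Key $AutoEnrollKey -ValueName 'AEPolicy' `
        -Type DWord -Value $AePolicy | Out-Null

    # Link the GPO to the OU holding the staff user accounts (skip if already linked)
    $alreadyLinked = (Get-GPInheritance -Target $OuDn).GpoLinks | Where-Object DisplayName -eq $Name
    if (-not $alreadyLinked) { New-GPLink -Name $Name -Target $OuDn -LinkEnabled Yes | Out-Null }

    return $gpo
}

function Test-AutoEnrolmentGpo {
    param([string]$Name)
    # True when both options are set and the policy is not flagged Disabled
    $v = Get-GPRegistryValue -Name $Name -Key $AutoEnrollKey -ValueName 'AEPolicy' -ErrorAction SilentlyContinue
    return [bool]($v -and (($v.Value -band 0x3) -eq 0x3) -and (($v.Value -band 0x8000) -eq 0))
}

New-AutoEnrolmentGpo -Name $GpoName -OuDn $TargetOu -AePolicy $AePolicyEnabledBothBoxes | Out-Null
Test-AutoEnrolmentGpo -Name $GpoName

# On a client, as the user, after 'gpupdate /force':
#   certutil -pulse   triggers auto-enrolment now instead of waiting for the next Group Policy refresh
```

Linking is done to the OU; if you want the policy to apply only to members of a security group, that is security filtering on the GPO's Scope tab in gpmc.msc rather than a link.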


Creating the Certificate Template for Staff Laptops

On the Certification Authority Server, open the CA Server console (run certsrv.msc).

WARNING: For certificate enrolment to work successfully, user accounts must have an email address in the Email field in Active Directory Users and Computers.

- Expand the Server node, right-click "Certificate Templates", then click "Manage". This will open the Certificate Templates Console.
- You will see a window like the following open up. This is the Certificate Templates Console.
- Find the "User" template in the list of templates.
- Right-click the "User" template, and select "Duplicate Template".
- Under the General tab:
  o Set the Template Display Name and Template Name, Validity Period and Renewal Period as you like for the purposes of the certificate.
  o For Certificate Publishing:
    - Check "Publish certificate in Active Directory"
    - Uncheck "Do not automatically reenrol if a duplicate certificate exists in Active Directory"
- Under the Compatibility tab:
  o In the Certification Authority drop-down box, select the minimum CA operating system for your template (under the premise that it can be exported). In our circumstances, our CA runs on Windows Server 2012 R2.
  o In the Certificate Recipient drop-down box, select the earliest compatible operating system that the certificate will be deployed to.
- Under the Extensions tab:
  o Ensure that under "Application Policies" only "Client Authentication" appears in the list of Application Policies.
  o If other items appear, click "Edit" and remove:
    - Secure Email
    - Encrypting File System
  o All other values in this tab are fine.
- Under the Subject Name tab (this is where the certificate will get its assigned information):
  o Ensure "Build from this Active Directory information" is selected.
  o Subject name format: we set that to "Common name".
  o Check "Include e-mail name in subject name".
  o Also check "User principal name (UPN)" under "alternate subject name".
- Under the Security tab:
  o Add the users and/or security groups that are applicable for enrolment.
  o For each group or user:
    - For automatic enrolment (i.e. Teachers and Staff who typically use ONE machine), check "Autoenrol" & "Enrol" under "Allow".
    - For manual enrolment (i.e. IT Staff who log on to multiple machines), check "Enrol" only under "Allow".
- Once this is done, you can "Apply" and "OK" the certificate template. You can change the values in this template again at any time.

Issuing Certificates for ability to be enrolled

Once the templates have been made, they need to be issued:

- In the CA window, right-click Certificate Templates, then hover over "New".
  o Click "Certificate Templates to Issue".
  o Then select your newly made template from the list in the window that opens, and click OK.
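The template settings above are stored on the template's pKICertificateTemplate object in Active Directory, so they can be read back and checked after the GUI work. The script below is an added example, not the guide's own; it assumes the ActiveDirectory RSAT module and a placeholder template name. The name-flag bit values are those defined in the MS-CRTD specification, and the two GUIDs are the well-known Enroll and AutoEnroll extended rights that the Security tab grants. The enrollee-supplies-subject check is included because the guide builds the subject from AD, so that flag should be clear; the last line, run on the CA itself, confirms the template was issued.

```powershell
# Added example (not from the guide). Reads the duplicated template back from AD and checks it
# against the settings above. Run on a domain member with the ActiveDirectory module (RSAT);
# the certutil line at the end must run on the CA. The template name is a placeholder.
Import-Module ActiveDirectory

$TemplateName = 'StaffLaptopClientAuth'   # the "Template Name" (cn), not the display name

# Extended key usage OIDs
$OidClientAuth  = '1.3.6.1.5.5.7.3.2'
$OidSecureEmail = '1.3.6.1.5.5.7.3.4'
$OidEfs         = '1.3.6.1.4.1.311.10.3.4'

# msPKI-Certificate-Name-Flag bits (MS-CRTD)
$CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT   = 0x00000001   # must be clear: subject comes from AD, not the requester
$CT_FLAG_SUBJECT_REQUIRE_EMAIL       = 0x00100000   # "Include e-mail name in subject name"
$CT_FLAG_SUBJECT_ALT_REQUIRE_UPN     = 0x02000000   # "User principal name (UPN)" in the alternate subject name
$CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME = 0x40000000   # Subject name format = Common name

# Extended rights that appear as ACEs on the template's security descriptor
$EnrollRightGuid     = [guid]'0e10c968-78fb-11d2-90d4-00c04f79dc55'
$AutoEnrollRightGuid = [guid]'a05b8cc2-17bc-11d1-a74e-00c04fb9601c'

function Get-CertTemplate([string]$Name) {
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"
    Get-ADObject -SearchBase $base -LDAPFilter "(&(objectClass=pKICertificateTemplate)(cn=$Name))" `
        -Properties pKIExtendedKeyUsage, 'msPKI-Certificate-Name-Flag', nTSecurityDescriptor
}

function Test-CertTemplate([string]$Name) {
    $t = Get-CertTemplate $Name
    if (-not $t) { throw "Template '$Name' not found in AD" }

    $eku   = @($t.pKIExtendedKeyUsage)
    $flags = [int]$t.'msPKI-Certificate-Name-Flag'

    $findings = [ordered]@{
        'EKU is exactly Client Authentication'    = ($eku.Count -eq 1 -and $eku[0] -eq $OidClientAuth)
        'Secure Email removed'                     = ($eku -notcontains $OidSecureEmail)
        'Encrypting File System removed'           = ($eku -notcontains $OidEfs)
        'Subject built from AD (not by enrollee)'  = (($flags -band $CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT) -eq 0)
        'Subject name format = Common name'        = (($flags -band $CT_FLAG_SUBJECT_REQUIRE_COMMON_NAME) -ne 0)
        'E-mail name in subject'                   = (($flags -band $CT_FLAG_SUBJECT_REQUIRE_EMAIL) -ne 0)
        'UPN in alternate subject name'            = (($flags -band $CT_FLAG_SUBJECT_ALT_REQUIRE_UPN) -ne 0)
    }

    # Security tab: who holds Enrol / Autoenrol (Allow ACEs carrying the extended-right GUIDs)
    $aces = $t.nTSecurityDescriptor.Access | Where-Object { $_.AccessControlType -eq 'Allow' }
    $findings['Enrol granted to']     = ($aces | Where-Object ObjectType -eq $EnrollRightGuid     | ForEach-Object IdentityReference) -join ', '
    $findings['Autoenrol granted to'] = ($aces | Where-Object ObjectType -eq $AutoEnrollRightGuid | ForEach-Object IdentityReference) -join ', '
    return $findings
}

Test-CertTemplate $TemplateName | Format-Table -AutoSize

# On the CA: confirm the template is in the issued list ("Certificate Templates to Issue")
# (certutil -CATemplates) -match [regex]::Escape($TemplateName)
```

Every row in the table should read True, and the two "granted to" rows should list only the staff groups you added; anything else means a tab was missed.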


Installing the IIS Web Server with AD Certificate Authentication feature

We need to install the IIS Web Server role using Server Manager on the web server, including the "Active Directory Client Certificate Mapping" feature.

- Open "Server Manager" on your Windows Server 2016 (or 2012 R2) machine.
  o Click "Manage" in the top right corner, and select "Add Roles and Features".
- Proceed through the Wizard, clicking the "Next >" button to complete the first page.
- On the "Installation Type" page, select "Role-based or feature-based installation", then click "Next >".
- On the "Server Selection" page, select a server from the list. There should only be one, since you should currently be logged on to that server with administrator credentials. Click "Next >" to continue.
- On the "Server Roles" page, tick "Web Server (IIS)".
  o A sub-page will pop up, looking like this:
  o Click "Add Features" to add the IIS Console to your server.
  o Then click "Next >" to continue the installation.
- On the "Features" page, click "Next >" to continue, unless there are additional Windows Features that you wish to install.
- You will then get the Web Server (IIS) Role brief. Click "Next >" to continue.
- On the "Role Services" page, you will be greeted with a list of services that the Role requires and can use.
  o Scroll down the list to the "Security" section, and tick "Client Certificate Mapping Authentication".
  o This is the service that we use for the certificate-based authentication.
  o Click "Next >".
- You will be greeted with a summary of the role installation changes to be made.
- Click "Install" when you're satisfied with the summary. This will then install the IIS Server role on the Windows Server.
- When complete, Server Manager will tell you that the installation was successful.
- It's best to reboot the Windows Server so the changes can be assured.
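The same role and role service can be installed without the wizard. This is an added example, not part of the guide; it assumes an elevated PowerShell session on the web server and the ServerManager module that ships with Windows Server 2012 R2 and 2016. The feature name that matters is Web-Cert-Auth, which is the "Client Certificate Mapping Authentication" role service ticked above; the similarly named Web-Client-Auth is the IIS-local mapping and is not what this guide uses.

```powershell
# Added example (not from the guide): installs the Web Server (IIS) role with the management
# console and the "Client Certificate Mapping Authentication" role service (Web-Cert-Auth),
# which is the AD-based mapping this guide uses. Run in an elevated PowerShell on the web server.
Import-Module ServerManager

# Web-Cert-Auth   = Client Certificate Mapping Authentication (maps the certificate to an AD account)
# Web-Client-Auth = IIS Client Certificate Mapping Authentication (IIS-local mappings; NOT what this guide uses)
$Features = 'Web-Server', 'Web-Mgmt-Console', 'Web-Cert-Auth'

function Install-IisWithAdCertAuth {
    $result = Install-WindowsFeature -Name $Features -IncludeManagementTools
    if (-not $result.Success) { throw "Role installation failed: $($result.ExitCode)" }
    return $result
}

function Test-IisWithAdCertAuth {
    # True only when every required feature reports Installed
    $missing = @(Get-WindowsFeature -Name $Features | Where-Object { $_.InstallState -ne 'Installed' })
    return ($missing.Count -eq 0)
}

$r = Install-IisWithAdCertAuth
Test-IisWithAdCertAuth

# The guide recommends a reboot afterwards; the installer also reports whether it needs one itself
if ($r.RestartNeeded -eq 'Yes') { Write-Warning 'Restart required before continuing' }
```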


Setting up IIS Websites to ask for Client Certificates

Using an administrator account, open the Internet Information Services (IIS) Manager. You can find the IIS Console by opening the Start Menu and searching for "inetmgr".

Expand the Server tree in the left-hand column, and then expand the Sites folder.

Select the Server and you will see a window with the following options.

First up, in order to use SSL and browse using HTTPS, we need to add the Trusted Root certificate for web browsing (from a certified certificate provider or, if hosted internally, a self-signed or AD CS deployed certificate).

To do this, we need to open the "Server Certificates" module in the IIS Manager. You will then be greeted by a screen like this:

If you already have a certificate imported for SSL, good stuff! We'll bind it later. If not, we need to import it!

In the right-hand column, where the Actions are:

- If you are looking to use a certificate from an external "Trusted Root Certificate" provider, click Import.
- You will then be greeted with a window to import a certificate.
  o In the first field, navigate to the provided certificate that you wish to import.
  o If the certificate is password-protected, you will need to enter the password into the second field.
  o Thirdly, you MUST import the certificate to the "Personal" store. (Do not select "Web Hosting" in the drop-down box!)
  o The checkbox for allowing the certificate to be exported must also be checked. (This allows computer <-> server certificate communication.)
  o Once all that is checked off and good, hit "OK" and your certificate will be imported.

Now we're going to look at our Authentication methods.

- In the left-hand "Connections" bar, select the Server, then double-click "Authentication".
- In the Authentication module, select "Active Directory Client Certificate Authentication", then click "Enable" in the Actions pane on the right.
- Select any other enabled authentication method that is not required, and click "Disable".
  o If you have multiple web sites on your server, leave "Anonymous Authentication" enabled!

Note: In the settings for each site, you can enable and disable other authentication methods, but you cannot change the AD Certificate one at the site level, only at the Server level.


Enabling SSL on our site

We use the following instructions for production, and for testing.

From the "Connections" pane, select your site, then select "SSL Settings" from the icons menu.

On this page:

  o Check "Require SSL".
  o Then under "Client Certificates", for our requirements, we select "Require".
  o Then press "Apply" on the right-hand side of that window to apply the changes.

The three radio button options under "Client Certificates" do the following when enabled:

- Accept: Asks for a certificate if there's one available, but allows all connections
- Require: Asks for a certificate, but ONLY allows certificate-authenticated connections
- Ignore: Allows all connections, and DOES NOT prompt for certificates

The "Require" option cannot be applied while "Require SSL" is unchecked.

NOTE: We use the "Accept" option to test our certificates with. The "Accept" option prompts for certificates if available, but allows all HTTPS connections regardless. The "Accept" and "Ignore" options will not affect current staff access to the server while testing.


Select your site from the "Connections" pane to return to the menu, then select "Bindings" from the Actions pane.

This is where we tell IIS what address(es) and/or ports to assign our site to. By default, your site will automatically be bound to http on port 80, but we want https.

Press the "Add…" button to make a new binding. We will select the following:

  o Type: https
  o IP address: leave as "All Unassigned"
  o Port: 443 is the default
  o Host name: If you have multiple sites on your server, you can set the DNS name that you want your site to appear at. Leaving this blank will use the server's name and DNS by default.
  o SSL certificate: Select the certificate that we imported earlier from the drop-down box.

If all is in order, then press "OK". You should then have your HTTPS binding in the bindings list.

Give your IIS site a soft reboot, using the "Restart" link in the Actions pane, under "Manage Website".

You should then be free to give your site a test run. You will know that your SSL authentication is working if you get a 403: Forbidden error page.
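The whole IIS side of this section, from importing the server certificate to the 403 test, can be scripted. The following is an added example, not the guide's own code; it assumes the WebAdministration module that comes with IIS on Windows Server 2012 R2 and 2016, and uses placeholder values for the site name, PFX path and host name. The sslFlags values are the configuration equivalents of the three radio buttons ('Ssl' = Ignore, 'Ssl,SslNegotiateCert' = Accept, 'Ssl,SslRequireCert' = Require), and the AD client certificate mapping is set at the server level because, as the guide notes, it cannot be changed per site.

```powershell
# Added example (not from the guide). Scripts the IIS steps above: import the server certificate,
# enable AD client certificate mapping at the server level, require SSL plus a client certificate
# on the site, add the https binding, restart the site, and check for the 403 the guide expects.
# Site name, PFX path and host name are placeholders. Run elevated on the web server.
Import-Module WebAdministration

$SiteName = 'Synergetic'                    # placeholder
$PfxPath  = 'C:\certs\synergetic.pfx'       # placeholder
$HostName = 'synergetic.example.internal'   # placeholder; use '' to leave the host name blank

# 1. Server certificate -> machine Personal (My) store, marked exportable as the guide requires
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$serverCert  = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                   -Password $pfxPassword -Exportable

# 2. Authentication methods (server level; AD cert mapping cannot be set per site)
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "$auth/clientCertificateMappingAuthentication" -Name enabled -Value $true
foreach ($other in 'windowsAuthentication', 'basicAuthentication', 'digestAuthentication') {
    # These sections only exist when the matching role service is installed; skip the rest quietly
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter "$auth/$other" -Name enabled -Value $false -ErrorAction SilentlyContinue
}
# anonymousAuthentication is left alone: the guide keeps it enabled when the server hosts several sites

# 3. SSL Settings for the site
function Set-ClientCertMode([string]$Site, [ValidateSet('Ignore', 'Accept', 'Require')][string]$Mode) {
    $flags = switch ($Mode) { 'Ignore' { 'Ssl' } 'Accept' { 'Ssl,SslNegotiateCert' } 'Require' { 'Ssl,SslRequireCert' } }
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter 'system.webServer/security/access' -Name sslFlags -Value $flags
}
Set-ClientCertMode -Site $SiteName -Mode 'Require'    # 'Accept' while testing, as the guide notes

# 4. https binding on 443, all unassigned addresses, bound to the imported certificate
$bindingArgs = @{ Name = $SiteName; Protocol = 'https'; Port = 443; IPAddress = '*' }
if ($HostName) { $bindingArgs.HostHeader = $HostName }
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) { New-WebBinding @bindingArgs | Out-Null }
(Get-WebBinding -Name $SiteName -Protocol https).AddSslCertificate($serverCert.Thumbprint, 'my')

# 5. Soft restart of the site
Stop-Website -Name $SiteName
Start-Website -Name $SiteName

# 6. Check: a request that presents no client certificate must come back 403 (IIS sub-status 403.7)
function Get-StatusWithoutClientCert([string]$Url) {
    try   { return (Invoke-WebRequest -Uri $Url -UseBasicParsing).StatusCode }
    catch { return [int]$_.Exception.Response.StatusCode }   # 0 means the TLS handshake itself failed (e.g. untrusted chain)
}
$url = if ($HostName) { "https://$HostName/" } else { "https://$env:COMPUTERNAME/" }
Get-StatusWithoutClientCert $url    # expected: 403 with 'Require'; 200 with 'Accept' or 'Ignore'
```

A 403 from the no-certificate probe is the same signal the guide describes for the browser test; a 0 means the probe machine does not trust the server certificate's chain, which is a separate problem from client certificate authentication.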


Manual Enrolment for Certificates

We may have set up auto-enrolment via Group Policy, but our IT staff won't be getting the certificate! All good, they just have to manually enrol for theirs.

- Click the Start button on your client machine, then type and run certmgr.msc.
- When you're greeted with the Certificates Console for Current User, click on the "Personal" store.
- Right-click the empty Personal store window, hover over "All Tasks" and click "Request New Certificate…".
- This will open the Certificate Enrollment wizard. Hit Next.
- Make sure that the "Active Directory Enrollment Policy" is selected, and hit Next.
- Select the Certificate Template you created earlier by ticking the check box, then click Enroll.
- Once enrolled, you'll receive this screen, giving you a green tick! Click Finish.
- Then you'll get a certificate popping up with the account name in the Personal Store.

Now we're ready to try it out from a client.

Confirm that all your settings are correct, then open a web browser (Google Chrome or otherwise), and navigate to the web server that you configured.

When the computer finds your server, the browser will prompt for a certificate, similar to below.

When you select your certificate and press OK, you should end up authenticated to your site correctly.

IF you disregard the certificate and hit cancel, or don't have a certificate enrolled, then you'll more than likely see a 403 error appear.

You can keep track of your certificates in the CA Server console, under Issued Certificates.
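Before the browser test it helps to confirm, on the client, that the user actually holds a certificate from the template built earlier, with the Client Authentication usage, the UPN in the alternate name and a chain that validates to your CA. The script below is an added example, not part of the guide; it assumes it is run as the enrolled user on a domain-joined client and that the placeholder template name matches the template's display name as Windows shows it in the Certificate Template Information extension.

```powershell
# Added example (not from the guide). Run on the client as the enrolled user: refreshes policy,
# kicks auto-enrolment, then inspects the Personal store for a certificate from our template.
# The template name is a placeholder.
$TemplateName  = 'StaffLaptopClientAuth'   # placeholder
$OidClientAuth = '1.3.6.1.5.5.7.3.2'

gpupdate /target:user /force | Out-Null
certutil -pulse | Out-Null   # runs the auto-enrolment task now (does nothing for manual-enrol-only users)

function Get-ExtensionText([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid) {
    # Single-line text rendering of one extension, or '' when the certificate lacks it
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Get-StaffClientAuthCertificate([string]$Template) {
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq $OidClientAuth) -and
        # 1.3.6.1.4.1.311.21.7 = Certificate Template Information, present on certificates from duplicated (v2+) templates
        ((Get-ExtensionText $_ '1.3.6.1.4.1.311.21.7') -match [regex]::Escape($Template))
    } | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.Subject
            UPN        = (Get-ExtensionText $_ '2.5.29.17') -replace '.*Principal Name=([^,\r\n]+).*', '$1'   # Subject Alternative Name
            NotAfter   = $_.NotAfter
            ChainValid = $_.Verify()          # builds the chain to the issuing CA and checks revocation
            Thumbprint = $_.Thumbprint
        }
    }
}

Get-StaffClientAuthCertificate $TemplateName | Format-List
# Nothing listed?  Re-check, in this order: the user has an e-mail address in AD, the template
# has been issued on the CA, and the user (or a group) holds Enrol/Autoenrol on the template's Security tab.
```

ChainValid should be True on a domain-joined client; a False there usually means the client cannot reach the CA's CRL or does not trust the CA, and the browser will show the same certificate but the server will still answer 403.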


Appendices

Appendix 1: Header Size

We found that when users browsed the Synergetic website and performed student search queries, they were presented with a "Request Entity Too Large" error. We found that increasing the header sizes helped rectify this issue, as the certificate authentication is also being sent via the request headers.

There are two locations to change in our actual IIS server configuration.

Firstly, select your server from the Connections pane, and then double-click on "Configuration Editor".

From here, use the drop-down box and select the section "system.webServer/serverRuntime", as shown here.

In this section, we need to change the value of "uploadReadAheadSize" from its default and increase it. The default value for "uploadReadAheadSize" is "49152"; we changed this to "200000".

Now click the drop-down box, and select "system.web/httpRuntime".

In this module, we need to change the values for "maxQueryStringLength" and "maxRequestLength". The default values are:

- "maxQueryStringLength": 2048
- "maxRequestLength": 4096

We updated those values to 81920 each.
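The three changes above, with the defaults alongside the values the authors settled on, as an added PowerShell example that is not part of the guide. It assumes the WebAdministration module and a placeholder site name, and writes the same locations the Configuration Editor does: serverRuntime at the server level and httpRuntime in the site's web.config. uploadReadAheadSize is the relevant one for client certificates: it bounds how much of a request IIS buffers while it renegotiates the connection to obtain the certificate, and a request body larger than it is refused with 413 "Request Entity Too Large".

```powershell
# Added example (not from the guide). Shows the three limits before and after the change.
# Site name is a placeholder. Run elevated on the web server.
Import-Module WebAdministration
$SiteName = 'Synergetic'   # placeholder

function Get-RequestSizeLimits([string]$Site) {
    [pscustomobject]@{
        uploadReadAheadSize  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize).Value
        maxQueryStringLength = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter 'system.web/httpRuntime' -Name maxQueryStringLength).Value
        maxRequestLength     = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter 'system.web/httpRuntime' -Name maxRequestLength).Value
    }
}

function Set-RequestSizeLimits([string]$Site, [int]$UploadReadAhead = 200000, [int]$HttpRuntimeLength = 81920) {
    # Bytes IIS buffers while renegotiating for the client certificate; larger bodies get 413
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/serverRuntime' -Name uploadReadAheadSize -Value $UploadReadAhead
    # ASP.NET limits, stored in the site's web.config (where the Configuration Editor also writes them)
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter 'system.web/httpRuntime' -Name maxQueryStringLength -Value $HttpRuntimeLength
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site -Filter 'system.web/httpRuntime' -Name maxRequestLength -Value $HttpRuntimeLength
}

Get-RequestSizeLimits $SiteName   # defaults: 49152 / 2048 / 4096
Set-RequestSizeLimits $SiteName
Get-RequestSizeLimits $SiteName   # after:    200000 / 81920 / 81920
```

Raise uploadReadAheadSize only as far as the largest legitimate request needs; it is per-request memory that IIS will hold for every renegotiation.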


Appendix 2: A recommended idea for student blocking

A very good idea for student computer lab machines is to add a Windows Firewall rule on the student networks to prevent access to your CA. You can set this up via Windows Firewall in Group Policy, by setting a block rule for the CA's IP address on your network. This is good practice: if a student obtains a staff member's username and password and logs on to a computer on the student network, they will not be able to acquire a certificate, because the machine cannot communicate with the CA.
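The firewall GPO the appendix recommends can be built from PowerShell, which also makes the CA address and the scope of the rule easy to review later. This is an added example, not part of the guide; it assumes the GroupPolicy, NetSecurity and ActiveDirectory RSAT modules in a domain admin session, and placeholder names for the GPO, the student lab OU and the CA's address. Certificate enrolment reaches the CA over RPC, which starts on TCP 135, so that port is used for the reachability check at the end.

```powershell
# Added example (not from the guide). Creates the student-network firewall GPO: an outbound block
# to the CA's address, stored in the GPO and linked to the student lab OU.
# GPO name, OU and CA address are placeholders. Run as a domain admin.
Import-Module GroupPolicy, NetSecurity, ActiveDirectory

$GpoName   = 'Student Labs - Block CA'                 # placeholder
$StudentOu = 'OU=StudentLabs,DC=example,DC=internal'   # placeholder
$CaAddress = '10.10.0.5'                               # placeholder: your CA's IP address
$Domain    = (Get-ADDomain).DNSRoot

function New-BlockCaGpo {
    param([string]$Name, [string]$OuDn, [string]$CaIp, [string]$DomainName)

    if (-not (Get-GPO -Name $Name -ErrorAction SilentlyContinue)) {
        New-GPO -Name $Name -Comment 'Stop student lab machines reaching the CA' | Out-Null
    }
    # Firewall rules can be written straight into a GPO via -PolicyStore "domain\GPO name"
    $store = "$DomainName\$Name"
    if (-not (Get-NetFirewallRule -DisplayName 'Block outbound to CA' -PolicyStore $store -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Block outbound to CA' -Direction Outbound -Action Block `
            -RemoteAddress $CaIp -Profile Domain -PolicyStore $store | Out-Null
    }
    # Link to the OU holding the student lab computer accounts (ignored if already linked)
    New-GPLink -Name $Name -Target $OuDn -LinkEnabled Yes -ErrorAction SilentlyContinue | Out-Null
}

New-BlockCaGpo -Name $GpoName -OuDn $StudentOu -CaIp $CaAddress -DomainName $Domain

# Check from a lab machine after 'gpupdate /force': enrolment talks to the CA over RPC beginning on
# TCP 135, so the block shows up as a failed connection here.
function Test-CaReachable([string]$CaIp) {
    (Test-NetConnection -ComputerName $CaIp -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
}
# Test-CaReachable $CaAddress   # expected: False on a student lab machine, True on a staff machine
```

The rule is scoped to the Domain profile because lab machines are domain-joined on the school network; the link target is the computer OU, since Windows Firewall policy is a computer-side setting and follows the machine, not the user who logs on.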