Configure Security for Web Enrollment Support Pages (Optional)

The folders CertSrv, CertEnroll, and CertControl are added as virtual directories to the Default Web Site for Internet Information Services. For enterprise CAs, CertSrv and CertControl are configured for authenticated access with basic authentication and integrated Windows authentication enabled. Authenticated access authenticates users and grants access to Web resources on the basis of the users' Windows 2000 user accounts. Authenticated access is required because enterprise CAs must process certificate requests according to the information that is contained in the requestor's Windows 2000 user account. For stand-alone CAs, CertSrv and CertControl are configured for anonymous access to provide all users with access to the Web Enrollment Support pages. For enterprise CAs, anonymous access is turned off by default, because the Web Enrollment Support pages do not work for enterprise CAs when anonymous access is turned on.

Integrated Windows authentication grants access to Web pages on the basis of the logon credentials of the users of Internet Explorer. Users are granted access to the Web pages when their logon credentials match a valid Windows 2000 user account. Integrated Windows authentication is not a part of the HTTP standard and is supported only by Microsoft® Internet Explorer (version 2.0 or later, including Internet Explorer 5). Integrated Windows authentication does not work across proxy servers or other firewall applications.

If integrated Windows authentication fails because of a firewall or another problem, the browser prompts the user to enter his or her user name and password for basic authentication. Users of third-party browsers also are prompted to enter their user names and passwords for basic authentication.

Basic authentication is a part of the HTTP version 1.0 standard, so most browsers support this authentication method. It grants access to Web pages only after users have transmitted the correct Windows 2000 user name and password. User passwords are transmitted in plaintext, so they can be intercepted easily by someone who "sniffs" communications between the Web browser and the Web server. For enterprise Web Enrollment Support pages, basic authentication is enabled to ensure that all browsers have access to the Web pages. Because sending passwords as plaintext presents a security risk, you might want to turn off basic authentication or turn on digest authentication.

If you need to support only Internet Explorer, you can use the Internet Information Services console (an MMC snap-in) to configure security for CertSrv and CertControl to turn basic authentication off, which prevents passwords from being transmitted as plaintext. If you need to support other browsers, you can configure security for CertSrv and CertControl to require secure channels with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. With secure channels, the passwords that are sent for basic authentication are encrypted. However, the performance of the Web Enrollment Support pages might be reduced because of the extra encryption load that secure channels require.

Internet Information Services also supports digest authentication, which is a new feature of HTTP version 1.1. With digest authentication, passwords are sent in a secure manner as message digests (hashes) that can be deciphered only by the Windows 2000 Key Distribution Center (KDC) service for Kerberos authentication. If your browsers support HTTP version 1.1 (recent versions of browsers usually do), you can use the Internet Information Services console (an MMC snap-in) to configure security for CertSrv and CertControl to turn off basic authentication and to turn on digest authentication. If you turn on both basic authentication and digest authentication, digest authentication is used if the browser supports it; otherwise basic authentication is used.

If you turn on integrated Windows authentication, basic authentication, and digest authentication, authentication is done in the following order of priority:

  1. Integrated Windows authentication

  2. Digest authentication

  3. Basic authentication

The highest-ranked authentication method that the browser supports is used to authenticate users. If anonymous access is turned on, authenticated access is used only when NTFS file protection security has been configured to control access to Web site resources.
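As an added example (not from the original page), the following script audits the authentication settings of the CertSrv and CertControl virtual directories against the guidance above: it lists the enabled methods in the priority order given, flags basic authentication without a secure channel, and flags anonymous access on an enterprise CA. The bit values are the IIS metabase AuthFlags and AccessSSLFlags constants; the sample settings are constructed, and the metabase path W3SVC/1/ROOT they would be read from is assumed.

```python
# Added example, not part of the original page: audit the authentication
# settings of the CertSrv and CertControl virtual directories against the
# guidance above. Bit values are the IIS metabase AuthFlags/AccessSSLFlags
# constants; sample settings are constructed (assumed path W3SVC/1/ROOT).

AUTH_ANONYMOUS = 1   # AuthAnonymous
AUTH_BASIC = 2       # AuthBasic
AUTH_NTLM = 4        # AuthNTLM: integrated Windows authentication
AUTH_MD5 = 16        # AuthMD5: digest authentication
ACCESS_SSL = 8       # AccessSSL: secure channel (SSL/TLS) required

# Priority when several methods are turned on, as listed above.
PRIORITY = [(AUTH_NTLM, "Integrated Windows"),
            (AUTH_MD5, "Digest"),
            (AUTH_BASIC, "Basic")]


def enabled_methods(auth_flags):
    """Authenticated-access methods that are on, highest priority first."""
    return [name for bit, name in PRIORITY if auth_flags & bit]


def audit(vdir, auth_flags, ssl_flags, enterprise_ca=True):
    """Return findings for one virtual directory (empty if nothing to report)."""
    findings = []
    methods = enabled_methods(auth_flags)
    if enterprise_ca and auth_flags & AUTH_ANONYMOUS:
        findings.append(f"{vdir}: anonymous access is on, but enterprise CA "
                        "enrollment pages need authenticated access")
    if auth_flags & AUTH_BASIC and not ssl_flags & ACCESS_SSL:
        findings.append(f"{vdir}: basic authentication without a secure "
                        "channel sends passwords in plaintext")
    if methods == ["Integrated Windows"]:
        findings.append(f"{vdir}: integrated Windows authentication only; "
                        "Internet Explorer only and fails across proxy servers")
    return findings


# Constructed sample: enterprise CA defaults beside a hardened variant.
SAMPLE = {
    "CertSrv": (AUTH_BASIC | AUTH_NTLM, 0),            # basic + integrated, no SSL
    "CertControl": (AUTH_MD5 | AUTH_NTLM, ACCESS_SSL),  # digest + integrated, SSL
}

if __name__ == "__main__":
    for vdir, (auth_flags, ssl_flags) in SAMPLE.items():
        print(vdir, "->", enabled_methods(auth_flags))
        for finding in audit(vdir, auth_flags, ssl_flags):
            print("   ", finding)
```

Run against the real metabase, the values for each directory would come from adsutil.vbs or the IIS console rather than the constructed SAMPLE table.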

To ensure that the Web Enrollment Support pages work correctly with new security configurations, test the Web pages with all versions of the browsers that you intend to support.

For more information about security for Internet Information Services Web sites, see "Choosing Security Solutions That Use Public Key Technology" in this book. For information about how to use the Internet Information Services console to configure security and authenticated access for Web site resources, see Internet Information Services Help.