Client certificates and server certificates

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

You can use Secure Sockets Layer (SSL) security features for authentication. Certificates are used in two ways when a client requests an object from a server:

  • The server authenticates itself by sending a server certificate to the client.

  • The server requests that the client authenticate itself. In this case, the client must present an appropriate client certificate to the server.

SSL authenticates by checking the contents of an encrypted digital identification submitted by the user's Web browser during the logon process. (Users obtain client certificates from a mutually trusted external organization.) Server certificates contain identifying information about the server. Client certificates usually contain identifying information about the user and the organization that issued the certificate.

For more information on SSL scenarios, see SSL tunneling and SSL bridging. In Windows 2000 Server Help, see Configure client certificate and Server certificate.

Client certificate

If client certificate authentication is the chosen method, Microsoft Internet Security and Acceleration (ISA) Server requests a client certificate from the client before allowing the request.

The ISA Server computer receives the request and sends a certificate to the client, identifying itself as the SSL Web server. The client receives the certificate and verifies that it indeed belongs to the ISA Server computer.

The client then sends its request to the ISA Server computer. However, the ISA Server computer requires a certificate from the client, which must have been issued to the client beforehand. The ISA Server computer verifies that the certificate indeed belongs to a client that is allowed access.

The client certificate should be installed in the Microsoft Web Proxy Service certificate store on the ISA Server computer. The certificate should be mapped to the appropriate user account.

ISA Server can present client certificates only in SSL bridging scenarios.

For configuration instructions, see Configure authentication methods for Web requests.

Server certificates

When a client requests SSL objects from a server, it requests that the server authenticate itself. If ISA Server terminates an SSL connection, then ISA Server must authenticate itself to the client. You must configure and specify a server-side certificate to use when authenticating ISA Server to the client.

The server certificate should be installed in the Local Computer certificate store on the ISA Server computer. The certificate name should be identical to the name of the ISA Server (for outgoing Web requests) or to the name of the published Web servers (for incoming Web requests).
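The two checks described on this page, the client verifying that the server certificate belongs to the name it connected to (and chains to a trusted CA), and the server verifying a presented client certificate before mapping it to a user account, as an added Go example that is not ISA Server code. The issuing CA, the server name isa.example, the client alice and the account mapping are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewCert issues a throw-away Ed25519 certificate for cn; with no parent it is a self-signed CA (fixture only).
func NewCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), // DNSNames: the SAN a client matches on
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, pkey = tmpl, priv // self-signed: the template is its own issuer
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// VerifyServerCert is the client's check: the chain must end at a trusted CA and the
// certificate must carry exactly the name the client asked for.
func VerifyServerCert(cert *x509.Certificate, roots *x509.CertPool, name string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: name})
	return err
}

// MapClientCert is the server's check: verify the chain for client authentication first,
// then map the subject to an account. A certificate that verifies but is mapped to no account is refused.
func MapClientCert(cert *x509.Certificate, roots *x509.CertPool, accounts map[string]string) (string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", err
	}
	if user, ok := accounts[cert.Subject.CommonName]; ok {
		return user, nil
	}
	return "", errors.New("client certificate is valid but not mapped to an account")
}

// Fixtures builds a trusted CA and the server and client certificates it issued (constructed for this example).
func Fixtures() (ca, server, client *x509.Certificate) {
	ca, caKey := NewCert("Example Org CA", nil, nil)
	server, _ = NewCert("isa.example", ca, caKey)
	client, _ = NewCert("alice", ca, caKey)
	return
}
```

A trusted pool built from the CA returned by Fixtures is what both checks verify against; a server certificate for a different name, a certificate from an unknown CA, and a valid client certificate with no account mapping are all refused.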

For configuration instructions, see Configure server certificates for Web requests.