How do you map CA-issued certificates to a user account? Open the Internet Services Manager (ISM), access the Properties sheet for the Web site (i.e., the default Web site, another site, or a virtual directory), and select Directory Security. Next, in the Secure Communications section, click Edit. Select the Enable client certificate mapping check box. In the resulting Account Mappings dialog box, go to the Many-to-1 tab.
You're now ready to set up a rule that maps certificates that your CA issues to a valid user account. Before you start this process, choose the user account you want to use for the extranet. (I recommend that you set up this account before you start the mapping process.)
On the Many-to-1 tab, click Add, and the Rule Wizard will start walking you through the process of creating your rule. On the wizard's first page, enter a name for the rule. Give the rule a meaningful name (e.g., 32XEXTRANET) that suggests the rule's purpose. After you enter a name, click Next.
On the Rules page, set up a rule that matches your CA. To set up the rule, click New. In the resulting dialog box, you select the certificate field that you want to match and enter the text it must contain (e.g., a name or a city). From the Certificate Field drop-down list, select Issuer. Doing so makes the rule match on the Issuer field, which carries the name of the CA that issued the certificate.
Next, to determine which field to select in the Sub Field box (which appears automatically), examine the certificate. For example, if you have a system running IE 5.0 or later and have installed a certificate from your CA in the browser, you can check the certificate fields in IE. Open IE and select Internet Options from the Tools menu. On the Contents tab, click Certificates. Double-click the certificate you want to view to open it. Click Details, then click Issuer. The certificate's field names and their values appear in the bottom window. You can also select the text of the value you want to match and copy it to your clipboard. Then, you can go back to the Rule Wizard, select the field you want to match, and paste the clipboard contents into the Rule Wizard's Criteria field. Copying and pasting the value ensures that all capitalization and text are accurate.
Click OK to complete the rule, then click Next. Leave the default access setting at Accept this Certificate for Logon Authentication, then click Browse and select the user account to which you want to map the rule. Click Finish.
Users can now successfully access your site with a certificate that the CA issued. To control access settings for all these users, you can change the settings on the user account to which they map.
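The step that most often goes wrong in this procedure is typing the Issuer subfield value by hand. The following PowerShell script is an added example, not code from the original article: it reads a certificate issued by your CA, prints the Issuer subfields in the same Key=Value form that IE shows under Details > Issuer, and puts the chosen value on the clipboard for pasting into the Rule Wizard's Criteria box. The path in $CertPath and the choice of the O (Organization) subfield are assumptions; substitute the certificate and subfield your rule will match.

```powershell
# Added example, not from the original article. Lists the Issuer subfields of a
# client certificate so the exact value can be pasted into the Rule Wizard's
# Criteria box. $CertPath is a hypothetical path: point it at a certificate
# exported from your CA, or read the installed copy from Cert:\CurrentUser\My.
param(
    [string]$CertPath = 'C:\Temp\extranet-client.cer'   # hypothetical path
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# Format($true) renders the issuer DN as one "Key=Value" pair per line, which is
# the same view IE shows under Details > Issuer.
$issuerLines = $cert.IssuerName.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' }

$subfields = foreach ($line in $issuerLines) {
    $key, $value = $line -split '=', 2
    [pscustomobject]@{
        SubField = $key.Trim()     # e.g. CN, O, OU, C
        Value    = $value.Trim()   # the exact text the rule must match
    }
}

"Issuer subfields of $($cert.Subject):"
$subfields | Format-Table -AutoSize | Out-Host

# Put the Organization value on the clipboard so it reaches the rule unchanged,
# capitalization included. Change 'O' to whichever subfield the rule will match.
$match = $subfields | Where-Object { $_.SubField -eq 'O' } | Select-Object -First 1
if ($match) {
    Set-Clipboard -Value $match.Value
    "Copied Issuer O value to clipboard: $($match.Value)"
} else {
    "No O subfield in the Issuer name; pick another subfield from the table above."
}
```

Run it once against a certificate your CA actually issued, compare the printed subfields with what the Rule Wizard offers in its Sub Field box, and paste the clipboard value into Criteria. If the CA's issuer name ever changes (for example after you reissue the CA certificate with a different name), rerun the script and update the rule, because a many-to-one rule matches the issuer's name text, not the certificate itself.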
To control who can manage, request, and retrieve certificates, you can set security in Certificate Services. Open the Certification Authority snap-in, then right-click the CA's name and select Properties. On the Security tab, you'll see a display similar to the one that Figure 3, page 15, shows. You can add or remove users by clicking Add or Remove and selecting the appropriate permissions at the bottom of the dialog box.
You have another CA task to perform. Because a certificate backs each CA, and because each certificate has an expiration date, you must periodically renew that certificate. To renew a CA's certificate, open the Certification Authority snap-in and select the CA's name. Right-click the CA, select All Tasks, then click Renew CA Certificate. Click Yes to generate a new public and private key pair for the CA's certificate.
A final tip: If you plan to integrate Certificate Services with Microsoft Exchange Server, make sure the Certificate Services machine's server name contains fewer than 15 characters. (Exchange Server 5.5 doesn't support Certificate Services on servers with a server name longer than 15 characters.) Also, be sure to keep the CA server properly backed up.
Powerful but Problematic
Certificates are a useful but limited security technique. Keep in mind that users might find certificates clumsy and that the way they use certificates might leave your systems exposed. For example, if a user uses two or three systems, the user must have the certificate on each system to access your site. What if one or more of these systems are public browsers at trade shows or other public venues such as an Internet café? The user probably won't be able to install the certificates on all the systems that he or she uses. Even if the user can install all the necessary certificates, you risk having the user leave a certificate installed in a public browser that allows access to your site.
Remember that although certificates are powerful, they're not a panacea. Certificates are comparable to passwords: You assign a password to a user, and the user memorizes it, unless he or she writes it down. Like a written password, a user's certificate can be compromised if someone else has access to the system or any media that contain the installed certificate.
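One practical control for the shared-machine problem described above is to find and remove any extranet client certificate, private key included, before leaving the machine. The following PowerShell script is an added example, not code from the original article: it searches the current user's personal certificate store for certificates issued by a named CA that still carry a private key, lists them, and removes them when run with -Remove. The issuer name in $IssuerPattern is a hypothetical value; use the name printed in your CA's Issuer field.

```powershell
# Added example, not from the original article. Finds client certificates issued
# by the extranet CA in the current user's personal store and, on request,
# deletes them together with their private keys. $IssuerPattern is hypothetical.
param(
    [string]$IssuerPattern = 'CN=Example Extranet CA',   # hypothetical issuer name
    [switch]$Remove
)

# Cert:\CurrentUser\My is where a browser-installed client certificate lands.
# HasPrivateKey distinguishes a usable login credential from a bare public cert.
$leftover = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like "*$IssuerPattern*" -and $_.HasPrivateKey }

if (-not $leftover) {
    "No certificates from '$IssuerPattern' with a private key in CurrentUser\My."
    return
}

"Certificates that would allow extranet logon from this machine:"
$leftover | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-Table -AutoSize | Out-Host

if ($Remove) {
    foreach ($c in $leftover) {
        # -DeleteKey removes the private key as well as the certificate entry;
        # without it the key material would stay behind in the key store.
        Remove-Item -Path "Cert:\CurrentUser\My\$($c.Thumbprint)" -DeleteKey
        "Removed $($c.Subject) ($($c.Thumbprint))"
    }
} else {
    "Run again with -Remove to delete these certificates and their private keys."
}
```

Run the script without -Remove first to confirm that only the expected certificates are listed. On the server side, remember that every certificate matched by a many-to-one rule maps to the same account, so a certificate left behind on a public browser carries that account's access until it is removed from the browser or revoked at the CA.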
Certificates are a part of life today, and they're likely to become more prevalent over time. Certificate Services is a great tool for managing the request, creation, and issuance of certificates in most intranet and extranet scenarios. As with any type of security, of course, you must be aware of the caveats involved in using certificates, but you can work around many of the issues.