Certificates? Need guidance...

From: Larry David (MysteriousAilment_at_HealthyChoice.org)
Date: 02/08/05


Date: Mon, 7 Feb 2005 16:08:37 -0800

Hi,

    This is one of those posts where not only do I not know the answer, I
don't fully understand the *question* that I should be asking... but I'll
try my best:

    I've designed a web site which authenticates users via a login page. The
users can then access their account information. The types of reports that
the user can run depend upon the user's access level. I'm currently storing
all usernames, passwords, and access levels in a SQL Server database. I've
been told that the web site needs to be made more "secure" in two ways:

    1) ALL web requests/responses need to be encrypted via SSL.
    2) A certain class of users, those with the highest access level, need
to be authenticated in a manner that is more sophisticated than a simple
username/password.

    Now #1 was pretty straightforward. I purchased a digital certificate
from Thawte. I bound it to the ISA listener interface. All SSL connections
are now terminated at the firewall and forwarded to the internal web server
as plain HTTP. Great!

    I'm stumped on #2 though. I've done some research and have learned that
there are at least two ways to add EXTRA security to web sites. I can a)
require client certificates and/or b) require the use of a smart card. Can
anyone point me in the right direction on either of these options? Does ISA
need to be configured in a particular way to allow certificate and/or smart
card information to pass through? When ISA "bridges" the connection from SSL
to plain HTTP, will this information be lost in transit? Is my ASP.NET web
site supposed to ask the user to "swipe your smart card now?" If so, since
this action is taking place on the client side, how will my ASP.NET page
know when the swipe has taken place? How is the data transmitted? I'm
utterly confused.

Mr. David


