GaneshChandrasekaran-8643 asked · BruceZhang-MSFT commented

IIS Filter Client Certificate by Issuer or Keyword

Hey guys,

I am working on a local web application in which I have set sslFlags to SslRequireCert in the IIS config file, so that the site asks the client for a certificate for authentication.

The web browser shows a list of the available certificates (refer to the attached image). Is there a way to filter the certificates by issuer or by an identity keyword?
The problem statement is that I do not want the website to list all the certificates, but to limit the list to only the relevant certificates from which the user can select.

Please help me out!


[attachment: cert-issue-1.jpg (31.2 KiB), the browser's certificate selection prompt]

Tags: windows-server-iis, dotnet-aspnet-core-general

Hi @GaneshChandrasekaran-8643,

First, IIS (like any other server) cannot restrict which certificate the client chooses. For example, my server needs cert A and the client has cert A, cert B and cert C (all with the same issuer). Only the client can decide which certificate to use.
Typically each certificate will have a server-side and a client-side version. During the handshake phase of the request, the server and client determine which certificate to use. Only when the handshake phase cannot determine which certificate to use are all available certificates listed in the browser for the user to choose from. The issuer of all the available certificates matches the current request domain, and the public key can encrypt and decrypt requests.

Second, the certificate you show is an MS-Organization-Access certificate. It is issued by the Azure AD Device Registration Service during the device registration process. These certificates are issued for all join types supported on Windows: Azure AD joined, hybrid Azure AD joined and Azure AD registered devices. Once issued, they are used as part of the authentication process from the device to request a Primary Refresh Token (PRT). The certificate is generated when someone uses Azure AD or another federated service (such as Office 365) via ADFS to log in to a computer or web site.

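The handshake step referred to in the comment above is the TLS CertificateRequest message: its certificate_authorities field (RFC 5246 section 7.4.4; in TLS 1.3 the certificate_authorities extension, RFC 8446 section 4.2.4) carries the distinguished names of the issuers the server will accept, and browsers use that list to decide which client certificates to offer in the prompt. The client is still free to send any certificate or none, so this is a filter on the prompt, not an enforcement control; issuer enforcement still has to happen server-side when IIS validates the chain. On Windows, Schannel builds that list from the "Client Authentication Issuers" (ClientAuthIssuer) certificate store when the SendTrustedIssuerList registry value is enabled (it is off by default on Windows Server 2012 and later, so no list is sent and the browser shows every certificate it has). The following is an added example, not part of the question or the comment; the CA file path is an assumption, and the site is assumed to already have sslFlags set as in the question.

```powershell
# Added example, not from the question or the comment above.
# Assumptions: an IIS site already configured with sslFlags="Ssl, SslNegotiateCert, SslRequireCert",
# and a hypothetical issuing CA certificate exported (public part only) to C:\pki\MyClientCA.cer.
# Run in an elevated PowerShell session on the IIS server.

$caPath   = 'C:\pki\MyClientCA.cer'   # assumption: the issuer whose client certs should be offered
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# 1. Make Schannel send the trusted-issuer list in the TLS CertificateRequest.
#    Default on Windows Server 2012+ is 0 (list not sent), so browsers get no issuer hint.
New-ItemProperty -Path $schannel -Name 'SendTrustedIssuerList' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Put only the wanted issuer(s) into the ClientAuthIssuer store.
#    When this store is non-empty, Schannel sends these issuer DNs instead of
#    the DNs of every root in Trusted Root Certification Authorities.
Import-Certificate -FilePath $caPath `
    -CertStoreLocation 'Cert:\LocalMachine\ClientAuthIssuer' | Out-Null

# 3. Check what will be advertised.
Get-ItemProperty -Path $schannel -Name 'SendTrustedIssuerList' |
    Select-Object SendTrustedIssuerList
Get-ChildItem 'Cert:\LocalMachine\ClientAuthIssuer' |
    Select-Object Subject, Thumbprint, NotAfter

# 4. Schannel reads these settings when the LSA process starts, so a reboot is the
#    reliable way to apply them; an iisreset alone is not enough.
Write-Host 'Reboot the server for the Schannel change to take effect.'
```

After the reboot, a certificate such as the MS-Organization-Access one in the screenshot is still in the user's store, but since its issuer is not in the advertised list, Edge, Chrome and Internet Explorer will normally omit it from the prompt; Firefox keeps its own certificate store and filtering behaviour, so test with each browser you support. To confirm what the server actually sends, capture the handshake with `openssl s_client -connect host:443` and look at the "Acceptable client certificate CA names" section of its output.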

0 Answers