Accessing an external CRL through a proxy

nunos — Fri, 12 Mar 2004 18:28:00 GMT

One of the good ways to safely authenticate users in a web application is using client certificates. When accessing the web application, IIS will ask the client for a certificate installed on the local machine, check if it's valid or not and then allows you to read the certificate and grant rights to the user.

When checking the certificate, one of the steps performed is accessing a CRL, or a Certificate Revocation List, that contains all certificates issued by a particular entity that have been revoked. One thing that everyone must understand is that if the CRL cannot be reached, than the certificate will be assumed revoked for security reasons. In that case, IIS will return an HTTP error 403.13 (see http://support.microsoft.com/?id=294305).

In the problem we were facing none of the proposed solutions worked. If we opened a browser on the web server and tried accessing the CRL with it's URL that would work. So, it had to do with proxy settings on the server.

After some investigation I found the following KB articles:

819961 How to Configure Client Proxy Server Settings by Using a Registry File
http://support.microsoft.com/?id=819961

218970 Proxy Settings Can Be Set Only on a Per-User Basis
http://support.microsoft.com/?id=218970

The first article tells us how to force proxy settings for users. Because proxy settings are set in a per-user basis these values will not be read when accessing the CRL because the Local System account is used to run the IIS Admin and the W3SVC services. That's why opening a browser and accessing the CRL works. In this case we are running in the context of a real user and using the proxy settings defined through IE. You can actually try to change the account running IIS Admin and W3SVC to a user account. This will work but at the end of the day you'll create a lot more problems and it is not a supported configuration.

The second article tells us about a registry value called "ProxySettingsPerUser". If we force it to 0, we tell the machine to read proxy settings from HKLM instead of HKCU thus forcing a general proxy setting for all users (by the way, the article mentions an hotfix but in Windows 2000 it isn't needed).

So, I tried adding the following registry information:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigProxy"="wininet.dll"
"ProxyEnable"=dword:00000001
"ProxyOverride"=""
"MigrateProxy"=dword:00000001
"ProxyServer"="x.x.x.x:8080"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxySettingsPerUser"=dword:00000000

And it worked. I must point out again that we do not fully support this configuration. If a web server needs to contact a CRL, there shouldn't be any proxy or firewall restricting its access. However, this workaround does work rather nicely :D

Hope it helps

This posting is provided "AS IS" with no warranties, and confers no rights.

nunos's Blog : IIS

Accessing an external CRL through a proxy