Custom detection script to retrieve machine certificates

  • Question

  • Is it possible to check the existence of computer certificates during the endpoint detection phase? This thread is to get some clues on how to do it.

    Thanks Dan :)

    // Raúl

    I love this game


    Wednesday, June 17, 2009 2:21 PM

Answers

  • Hi Raul,
      Sorry it's taken me a bit to write this up and make sure I was explaining how this works clearly.  I hope this helps answer your question, but please let me know if anything is not clear.

      The IAG Client components contain a variety of built-in functions for safe access to client resources that can be used by the built-in as well as custom detection scripts in order to obtain information about a client machine.  This information can then be used to create custom access policies for access to trunks, applications, etc.  This information cannot be used to make authentication decisions.

      A common request is to be able to use machine certificates as part of the “certified endpoint” functionality.  The design of that feature and browser implementations do not allow machine certificates to be sent by the browser for client-based certificate authentication or validation.  The IAG client components have access to the various certificate stores but do not have the ability to send these certificates to the server; they can only query the certificate locally and report back results to IAG as part of client detection.  Expanding this functionality to allow machine certificate “authentication” via the client components is planned for a future release.

     

      The current function, which allows access to the certificate stores, is described below along with a simple sample of its use.  Another thread http://social.technet.microsoft.com/Forums/en-US/forefrontedgeiag/thread/45533a48-02e4-44a3-843d-423c9223595f describes a more complex example that uses WMI to determine the machine name and then dynamically uses that name in the certificate lookup.  That example also provides the details on how to create all of the various files needed for the client detection to work properly.

     

    Detection Function:

    Whale.System.IsCertValid ( CertStore [input], StoreName [input], CertSubject [input], CertIssuer [input], CheckCRL [input], Valid [output] )

    Input Parameters:

    · CertStore - Certificate store type to search for the certificate in; there are 2 options:
      1. eCertSystemStore_CURRENT_USER
      2. eCertSystemStore_LOCAL_MACHINE
    · StoreName - Certificate store name to search for the certificate in
    · CertSubject - Certificate Subject Name (SubjectCN or Subject Alternative Name “DNS Name”) to search for (Case Sensitive and String Literal)
    · CertIssuer - CA or Certificate Issuer name (SubjectCN) to search for (Case Sensitive and String Literal)
    · CheckCRL - Boolean value; if true, check the certificate CRL.  The check is done by the client machine against the CDPs listed in the cert, so one of the CDPs must be available on the internet or this will fail.

    Return Value:

    · Valid - Boolean value (true if the certificate is found in the store and is valid).  It will return true if the certificate is revoked but CheckCRL was not enabled.

     

    Sample Usage:

    For this sample:

    · We will be querying the Local Machine Certificate store
    · The Machine Certificate name = client.contoso.com
    · The CA name = Contoso CA
    · CRL checking is not enabled
    · The return Boolean value will be output to bRes

    Dim bRes, b
    Err.Clear
    ' Look for client.contoso.com issued by "Contoso CA" in the Local Machine "My" store.
    ' CheckCRL is False here, so a revoked certificate still comes back with bRes = True.
    b = Whale.System.IsCertValid(eCertSystemStore_LOCAL_MACHINE, "My", "client.contoso.com", "Contoso CA", False, bRes)
    If Err.Number = 0 Then
        ' The call succeeded; bRes reports whether the certificate was found and is valid.
        If bRes = True Then
            Whale.DebugEcho "client.contoso.com machine test certificate exists and valid"
        Else
            Whale.DebugEcho "client.contoso.com machine test certificate is revoked"
        End If
    Else
        ' The call itself failed (for example the store or certificate could not be accessed).
        Whale.DebugEcho "client.contoso.com machine test certificate doesn't exist on client"
    End If

    *note* Prior to IAG 2007 Service Pack 2 Update 1, only the Certificate SubjectCN could be queried.  Starting in IAG 2007 Service Pack 2 Update 1, the Subject Alternative Name “DNS Name” will also be searched.  This change is documented in http://support.microsoft.com/kb/962861/.  This functionality is not available in eGap 3.6 client components at this time.

    Dan Herzog
    Microsoft CSS IAG Support

    • Proposed as answer by djh-msft Monday, July 13, 2009 7:30 PM
    • Marked as answer by Erez Benari Tuesday, July 14, 2009 12:08 AM
    Monday, July 13, 2009 7:30 PM
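As an added example, not code from the thread or from the IAG client components: a PowerShell function an administrator can run on a test client to see what Whale.System.IsCertValid would find for the same inputs (store location, store name, subject, issuer, CRL switch). It applies the matching rules Dan describes (case-sensitive, literal match on the SubjectCN or a SAN DNS name, and on the issuer CN) and builds the certificate chain with revocation checking switched on or off, which reproduces the caveat that a revoked certificate still reports Valid when CheckCRL is off. The function name and parameter names are assumptions; the sample values mirror the thread (Local Machine "My" store, client.contoso.com, Contoso CA).

```powershell
# Added example; not part of the original thread. Function and parameter names are assumptions.
function Test-MachineCertPresent {
    [CmdletBinding()]
    param(
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string]$StoreLocation = 'LocalMachine',   # eCertSystemStore_CURRENT_USER / _LOCAL_MACHINE
        [string]$StoreName = 'My',                 # StoreName input
        [Parameter(Mandatory = $true)]
        [string]$CertSubject,                      # SubjectCN or SAN "DNS Name", compared case-sensitively
        [Parameter(Mandatory = $true)]
        [string]$CertIssuer,                       # issuer CN, compared case-sensitively
        [switch]$CheckCRL                          # CheckCRL input
    )

    $ns = 'System.Security.Cryptography.X509Certificates'
    $store = New-Object -TypeName ($ns + '.X509Store') -ArgumentList $StoreName, $StoreLocation
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        foreach ($cert in $store.Certificates) {
            # Subject CN and issuer CN, matched as string literals, case-sensitively (-ceq / -cne).
            $subjectCN = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            $issuerCN  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)

            # SAN DNS names (extension OID 2.5.29.17); Format() yields "DNS Name=host" on English Windows.
            $sanDns = @()
            $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
            if ($sanExt) {
                $sanDns = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                          ForEach-Object { $_.Groups[1].Value }
            }

            $subjectMatches = ($subjectCN -ceq $CertSubject) -or ($sanDns -ccontains $CertSubject)
            if (-not $subjectMatches -or ($issuerCN -cne $CertIssuer)) { continue }

            # Chain build. With -CheckCRL the client fetches the CRL from the CDPs in the cert (Online),
            # so an unreachable CDP makes the check fail; without it revocation is never consulted and a
            # revoked certificate still reports Valid = $true, the caveat noted for CheckCRL = False.
            $mode = if ($CheckCRL) {
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
            } else {
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            }
            $chain = New-Object -TypeName ($ns + '.X509Chain')
            $chain.ChainPolicy.RevocationMode = $mode
            $valid = $chain.Build($cert)

            return [pscustomobject]@{
                Found       = $true
                Valid       = $valid
                Thumbprint  = $cert.Thumbprint
                NotAfter    = $cert.NotAfter
                # Empty when the chain is good; otherwise the reasons (e.g. Revoked, NotTimeValid, RevocationStatusUnknown).
                ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            }
        }
        # No certificate matched subject and issuer: the "doesn't exist on client" outcome.
        return [pscustomobject]@{ Found = $false; Valid = $false; Thumbprint = $null; NotAfter = $null; ChainStatus = 'NotFound' }
    }
    finally {
        $store.Close()
    }
}

# Mirrors the thread's sample: Local Machine "My" store, no CRL check.
Test-MachineCertPresent -StoreLocation LocalMachine -StoreName My -CertSubject 'client.contoso.com' -CertIssuer 'Contoso CA'

# Same lookup with revocation checking, as CheckCRL = True would do.
Test-MachineCertPresent -CertSubject 'client.contoso.com' -CertIssuer 'Contoso CA' -CheckCRL
```

Run it in an elevated session when reading the Local Machine store, and compare the ChainStatus field against what the detection script logs via Whale.DebugEcho: a certificate that is Found with Valid = $true under NoCheck but Valid = $false with RevocationStatusUnknown under Online points at a CDP the client cannot reach, which is the failure mode the thread warns about for CheckCRL.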

All replies

  • Thanks Dan. I have no questions at the moment as my brain is on holidays :)

    I will play with it when back at the office

    Thanks again and Best Regards
    // Raúl - I love this game
    Tuesday, July 14, 2009 9:30 AM