Using Fortezza Security in IIS

Fortezza Background

The U.S. government security standard commonly called Fortezza is supported in IIS 5.0. This standard satisfies the Defense Message System security architecture with a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control for messages, components, and systems. These features can be implemented both in server and browser software and in PCMCIA card hardware. Fortezza is a widely used mechanism within the U.S. government. For more information, see the Fortezza Developer's Guide (maintained by the National Security Agency and the U.S. Department of Defense) at http://www.armadillo.huntsville.al.us/.

Using Fortezza

To implement Fortezza security in IIS, perform the following procedures. These steps will fully integrate your Fortezza schema into IIS, so that you can operate in accordance with the standards outlining Fortezza security.

To Use Fortezza Certificates

A Fortezza card (a type of PCMCIA card, similar to those used in notebook computers and other small devices) contains a user certificate to authenticate the user of the card; this certificate works in much the same way that server and client certificates work in IIS. To make these Fortezza certificates available to IIS, you must copy them to a secure store on the computer:

  1. Obtain a non-export copy of Schannel.dll from the Microsoft Web site at http://www.microsoft.com/security/.
  2. Install the card reading equipment and its drivers. For information, see the card reader documentation.
  3. Install the Cryptographic Service Provider (CSP) provided by the equipment supplier. For information, see the card reader documentation.
  4. Run the command-line utility Fortutil.exe.

The utility provides functions that install, confirm, and delete the card certificate and its associated information. To use these functions, type the appropriate commands at the command line:

Action               Command           Parameters
Add certificate      fortutil.exe /a   Web site name; card serial number; PIN; card personality
Confirm certificate  fortutil.exe /q   Web server name
Delete certificate   fortutil.exe /r   Web site name
Help                 fortutil.exe /?   None

Note   Any Fortezza certificates copied to the server can be used as certificates in the Web Server Certificate Wizard, the CTL Wizard, or the Windows certificate features.

Important   If the card is removed from the reader while the Web service is running and then re-inserted, SSL connection errors can result. If these errors occur, restart the Web service with the card in the reader.


© 1997-1999 Microsoft Corporation. All rights reserved.