The U.S. government security standard, commonly called Fortezza, is supported in IIS 5.0. This standard satisfies the Defense Message System security architecture with a cryptographic mechanism that provides message confidentiality, integrity, authentication, and access control for messages, components, and systems. These features can be implemented both with server and browser software and with PCMCIA card hardware. Fortezza is a widely used mechanism within the U.S. government. For more information, see the Fortezza Developer's Guide (run by the National Security Agency and the U.S. Department of Defense) at http://www.armadillo.huntsville.al.us/.
To implement Fortezza security in IIS, perform the following procedures. These steps will fully integrate your Fortezza schema into IIS, so that you can operate in accordance with the standards outlining Fortezza security.
A Fortezza card (a type of PCMCIA card, similar to those used in notebook computers and other small devices) contains a user certificate to authenticate the user of the card; this certificate works in much the same way that server and client certificates work in IIS. To make these Fortezza certificates available to IIS, you must copy them to a secure store on the computer:
The utility provides functions that install, confirm, and delete the card certificate and other associated information. To use these functions, type the appropriate command at the command line:
Action | Command | Parameters |
--- | --- | --- |
Add certificate | fortutil.exe /a | Web site name; card serial number; PIN; card personality |
Confirm certificate | fortutil.exe /q | Web server name |
Delete certificate | fortutil.exe /r | Web site name |
Help | fortutil.exe /? | None |
Note Any Fortezza certificates copied to the server can be used as certificates in the Web Server Certificate Wizard, the CTL Wizard, or the Windows certificate features.
Important If the card is removed from the reader while the Web service is running and then re-inserted, it might cause SSL connection errors. If these errors occur, the Web service needs to be restarted with the card in the reader.