6
votes

I have an ASP.NET site on my local machine.

IIS configuration: binding: https binding with self-signed certificate, ssl settings: Require SSL and Require client certificates

I have installed the following certificates on my machine: the CA certificate (call it 'CA Center') in the Trusted Root Certification Authorities store, and a client certificate issued by 'CA Center' in the Personal store.

I go to the site and accept the server certificate. But next I get an error:

HTTP Error 403.7 - Forbidden. The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

That means the browser (IE) doesn't send applicable client certificates to the server.

What's wrong? Should I configure something else?

3

I've run into the same issue and re-installing like I said in my answer did the trick. If not, try another browser and tell us what happens. You could also try putting both certificates in the TR and P stores, just for testing purposes. – DanM7

3 Answers

3
votes

I had exactly this problem, and it took me an age to figure out the cause. Turned out it was because my computer was part of a domain, and there was some sort of group policy for that domain that was restricting the trusted root certificates that IIS would be willing to accept. I don't know exactly what the setting was or how to alter it, but I found I could work around it by choosing to install my certificate into the enterprise physical store using the certutil command:

certutil -addstore -v -enterprise root CertificateAuthority.cer

2
votes

It sounds like the browser never prompted you to select a client certificate to send which means something is incorrect with the SSL Handshake. Try testing this with OpenSSL.

Additionally, a very common problem is having too many certificates in the Trusted Root CA folder. When the server sends the list of CAs, there is a limit to how large the list can be so if it exceeds the limit, it will truncate the remaining CA certificates. Make sure the Trusted Root CA folder doesn't have too many certificates. One way to check this is temporarily modifying the SCHANNEL in the registry editor to not send the CA List, and then re-try.

Start > Run > 'regedit' > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL > right-click > New > DWORD > 'SendTrustedIssuerList' > Value:0

0
votes

Re-install the certificates and check their effective dates. From Microsoft Support:

  • Download the root server certificate in a browser on the server computer. Run the Iisca.exe command line utility that is located in the Inetsrv directory.

  • Check the effective date on the client certificate and make sure that the date and time has arrived.

  • Check the expiration date and make sure that the certificate has not expired. Contact your certificate authority to see if your certificate has expired.
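The checks suggested by the second and third answers (size of the trusted issuer list, the SCHANNEL `SendTrustedIssuerList` override, and the client certificate's validity window and chain back to 'CA Center') can be gathered in one pass. This is an added diagnostic script, not code from any of the answers; it assumes it is run in an elevated PowerShell on the IIS host and that the client certificate sits in the current user's Personal store.

```powershell
# Constructed diagnostic for the 403.7 symptom discussed above.
# Assumes: run elevated on the IIS machine; client cert in Cert:\CurrentUser\My.

# 1. Size of the Trusted Root store IIS (LocalMachine) draws its CA list from.
#    A very long list can be truncated in the CertificateRequest message, so
#    the browser never sees 'CA Center' and offers nothing.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root
"Trusted Root CAs in LocalMachine\Root: $($roots.Count)"

# 2. Is the SendTrustedIssuerList override present? 0 = send no CA list at all.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$send = (Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue).SendTrustedIssuerList
if ($null -eq $send) { "SendTrustedIssuerList: not set (default behaviour)" }
else { "SendTrustedIssuerList: $send" }

# 3. Inspect each candidate client certificate: private key, EKU, dates, chain.
$now = Get-Date
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    # No EKU extension means "any purpose"; otherwise Client Auth must be listed.
    $hasClientAuth = ($ekus.Count -eq 0) -or ($ekus -contains $clientAuthOid)
    $inWindow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    # Is the issuing CA actually present in the machine-wide Trusted Root store?
    $issuerInRoot = [bool]($roots | Where-Object { $_.Subject -eq $cert.Issuer })
    # Build the chain the same way Windows will when IIS validates the cert.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey   # must be True or IE cannot use it
        ClientAuthEKU = $hasClientAuth
        ValidNow      = $inWindow             # answer 3: effective/expiry dates
        IssuerInRoot  = $issuerInRoot         # answer 1/2: CA visible to IIS
        ChainBuilds   = $chainOk
        ChainStatus   = $status               # e.g. UntrustedRoot, NotTimeValid
    }
}
```

A certificate that shows `HasPrivateKey = False`, `ValidNow = False`, or a `ChainStatus` of `UntrustedRoot` will not be offered by the browser, which produces exactly the 403.7 response described in the question.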