简体繁体 English

Microsoft Azure中的Windows Server 2012 / IIS8上的客户端证书身份验证接收HTTP 403.16

[英]Client Certificate Authentication on Windows Server 2012/IIS8 in Microsoft Azure receives HTTP 403.16

原文 2014-04-17 20:44:16 0 1 iis/ azure/ asp.net-web-api/ windows-server-2012/ client-certificates

We are developing an ASP.NET WebAPI that is hosted in IIS and authenticates using client certificates with iisClientCertificateMappingAuthentication. 我们正在开发一个托管在IIS中的ASP.NET WebAPI，并使用带有iisClientCertificateMappingAuthentication的客户端证书进行身份验证。 In our on-premises development environment we have tested IIS 7-8 and Windows 7-8/Server 2012, all of which work fine. 在我们的本地开发环境中，我们测试了IIS 7-8和Windows 7-8 / Server 2012，所有这些都可以正常工作。

We have set up a demo environment in Azure with a VM running Windows Server 2012 R2 and IIS 8. Using this configuration we have yet to successfully pass through IIS client certificate validation, where we consistently receive an HTTP 403.16 error. 我们在Azure中使用运行Windows Server 2012 R2和IIS 8的VM设置了演示环境。使用此配置，我们尚未成功通过IIS客户端证书验证，我们始终收到HTTP 403.16错误。

The service is consumed by a custom iOS app that we have verified is sending the client certificate, which was expected since my understanding of the error implies IIS is unable to validate the certificate that it received. 该服务由我们已验证发送客户端证书的自定义iOS应用程序使用，这是预期的，因为我对错误的理解意味着IIS无法验证它收到的证书。

The Client Certificate Authority is installed in the Trusted Root Certification Authorities and the Client Authentication Issuers stores for the Local Computer. 客户端证书颁发机构安装在本地计算机的“受信任的根证书颁发机构”和“客户端身份验证发布者”存储中。

Pretty much all of the resources we can find on this issue propose the solution here: http://social.technet.microsoft.com/Forums/en-US/fae724e8-628e-45a5-bf39-6e812d8a1a70/40316-problem-in-iss8-on-mp-in-dmz?forum=configmanagerdeployment where it's suggested we add a registry setting for ClientAuthTrustMode. 几乎我们在这个问题上找到的所有资源都提出了解决方案： http ： //social.technet.microsoft.com/Forums/en-US/fae724e8-628e-45a5-bf39-6e812d8a1a70/40316-problem-in -iss8-on-mp-in-dmz？forum = configmanagerdeployment ，建议我们为ClientAuthTrustMode添加注册表设置。 This has not resolved the issue for us; 这并没有解决我们的问题; we also did not need to do it for any of our local testing which involved the exact same OS and IIS versions. 我们也不需要为涉及完全相同的操作系统和IIS版本的任何本地测试执行此操作。

We've spent days on this with no progress and were hoping someone may have some insight into this issue. 我们花了好几天没有进展，希望有人可以对这个问题有所了解。 Is there any default configuration that we have yet to come across to enable this form of authentication for VMs in Azure? 是否有任何默认配置我们尚未遇到为Azure中的VM启用此形式的身份验证？ It seems as though IIS on a VM in Azure is unable to actually validate against the CA in Trusted Root. 似乎Azure中的VM上的IIS无法实际验证受信任的根中的CA. One idea I had was that perhaps the certificate is being stripped from the request before it's routed to IIS, but again, that seems unlikely given my understanding of the error code. 我的一个想法是，在将请求路由到IIS之前，可能会从请求中删除证书，但同样，由于我对错误代码的理解，这似乎不太可能。

Has anyone gotten a setup like this to work? 有没有人得到这样的设置工作？