
IIS 7.5 Client certificate authentication

I have an ASP.NET site on my local machine.

IIS configuration: binding: HTTPS binding with a self-signed certificate; SSL settings: Require SSL and Require client certificates.

I have installed the following certificates on my machine: the CA certificate (call it 'CA Center') in the Trusted Root Certification Authorities store, and a client certificate issued by 'CA Center' in the Personal store.

I go to the site and accept the server certificate. But then I get this error:

HTTP Error 403.7 - Forbidden. The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

That means the browser (IE) doesn't send applicable client certificates to the server.

What's wrong? Should I configure something else?

I had exactly this problem, and it took me an age to figure out the cause. Turned out it was because my computer was part of a domain, and there was some sort of group policy for that domain that was restricting the trusted root certificates that IIS would be willing to accept. I don't know exactly what the setting was or how to alter it, but I found I could work around it by choosing to install my certificate into the enterprise physical store using the certutil command:

certutil -addstore -v -enterprise root CertificateAuthority.cer

It sounds like the browser never prompted you to select a client certificate to send which means something is incorrect with the SSL Handshake. Try testing this with OpenSSL.

Additionally, a very common problem is having too many certificates in the Trusted Root CA folder. When the server sends the list of CAs, there is a limit to how large the list can be so if it exceeds the limit, it will truncate the remaining CA certificates. Make sure the Trusted Root CA folder doesn't have too many certificates. One way to check this is temporarily modifying the SCHANNEL in the registry editor to not send the CA List, and then re-try.

Start > Run > 'regedit' > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL > right-click > New > DWORD > 'SendTrustedIssuerList' > Value: 0
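A read-only diagnostic for the two checks this answer describes (the size of the trusted-issuer list Schannel advertises, and the current SendTrustedIssuerList value), plus a sanity check that the client certificate's issuer is actually in the server's Trusted Root store. This is an added example, not code from the original answer; run it in an elevated PowerShell on the IIS server. The 16 KB threshold and the CurrentUser\My location of the client certificate are assumptions.

```powershell
# Added diagnostic (not from the original answer). Reports, never changes, the settings involved.
param(
    [string]$ClientCertThumbprint = '',   # optional: thumbprint of the client cert under test
    [int]$IssuerListLimitBytes = 16KB     # ASSUMED threshold; the answer only says "a limit"
)

# 1. Trusted Root CAs on the machine and the approximate size of the issuer list
#    Schannel puts in the TLS CertificateRequest message (DER issuer DN + 2-byte length each).
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root
$listBytes = ($roots | ForEach-Object { $_.SubjectName.RawData.Length + 2 } |
              Measure-Object -Sum).Sum

"Trusted Root CA certificates : $($roots.Count)"
"Estimated issuer list size   : $listBytes bytes (assumed limit $IssuerListLimitBytes bytes)"
if ($listBytes -gt $IssuerListLimitBytes) {
    "WARNING: issuer list likely truncated; CAs past the limit are never offered to clients."
}

# 2. The SCHANNEL registry value the answer talks about (absent = OS default applies).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$val = (Get-ItemProperty -Path $key -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
if ($null -eq $val) { "SendTrustedIssuerList        : not set (OS default applies)" }
else                { "SendTrustedIssuerList        : $val" }

# 3. Optional: is the client cert's issuer one of those roots, and is the cert usable at all?
if ($ClientCertThumbprint) {
    $client = Get-ChildItem -Path Cert:\CurrentUser\My |
              Where-Object Thumbprint -eq $ClientCertThumbprint
    if (-not $client) { "Client certificate $ClientCertThumbprint not found in CurrentUser\My"; return }
    # String comparison of DNs is approximate; a mismatch here warrants a closer look, not a verdict.
    $issuerTrusted = $roots | Where-Object { $_.Subject -eq $client.Issuer }
    $now = Get-Date
    "Client cert issuer           : $($client.Issuer)"
    "Issuer in LocalMachine\Root  : $([bool]$issuerTrusted)"
    "Validity window OK           : $($client.NotBefore -le $now -and $now -le $client.NotAfter)"
    "Has private key              : $($client.HasPrivateKey)"
}
```

If the issuer list is over the assumed limit and the client cert's CA sorts late in the store, the browser never sees it as acceptable, which matches the 403.7 with no certificate prompt.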

I think I had this same issue getting Internet Explorer to actually create the prompt for my installed cert when testing a WCF client/server setup with self-signed certs.

If I recall correctly it was a setting in Internet Explorer, possibly this one...

Tools > Internet Options > Advanced tab > security section

Then clear the check boxes for:

'Check for publisher's certificate revocation' and 'Check for server certificate revocation'

Re-install the certificates and check their effective dates. From Microsoft Support:

  • Download the root server certificate in a browser on the server computer. Run the Iisca.exe command line utility that is located in the Inetsrv directory.

  • Check the effective date on the client certificate and make sure that the date and time have arrived.

  • Check the expiration date and make sure that the certificate has not expired. Contact your certificate authority to see if your certificate has expired.
