IIS Server Security >> Require Client Certificates Fail with ASP Code

by TmllbWFu » Thu, 23 Dec 2004 01:31:08 GMT

Problem:
Web site has anonymous portion that links to a PKI-Enabled portion that is
set up to "require client certificates", mapping used is One-to-Many. When the
link to the PKI portion is an ASP page, the certificate is mapped and the
event log shows the mapped account logs on but the user receives a 401.3
error. If the page is HTML the certificate is mapped and everything works
fine. The ASP page does work with ignore client certificates enabled and the
anonymous account allowed.
Any Ideas???


Similar Threads

1. Access denied when IIS set to require client certificate - Asp.Net Web Service

2. SOAP access denied when IIS set to required client certificate

I'm building a .NET web service which requires client certificate for strong
security.  I set IIS to require SSL and client certificate (under site
properties in IIS admin, Directory Security tab, Secure Communication,
Edit... button. then check Require Secure Channel and Require Client
Certificates).  Then in my client side code, I add my client certificate to
the property HttpWebClientProtocol.Certificates.  However, I keep getting a
"Access Forbidden" error (System.Net.WebException) when I run the client,
which is a .NET Windows application.

I know the client certificate is good, because when I access the site from
IE, it prompts me for a client certificate, and it goes through ok after I
select the certificate.  Also I know the client certificate is valid and
seems to be sent over to the server, as I created another web service to
only take signed SOAP message using the client certificate (with WSE 1.0),
and it correctly recognizes the signature.  Seems to me the .NET part works
fine, but for whatever reason IIS can't seem to recognize the client
certificate sent over.  As soon as I uncheck "Require Client Certificate" in
IIS, the call goes through (so the server SSL is good too).

I have exhausted everything I can think of.  Can anyone give me some
suggestions?

Thanks a lot
Bob


3. IIS ERROR 403 7 5 Forbidden because a client certificate is required

4. Require and map client certificates: IIS dir security & ISA

Hi - we first installed and configured SBS2003 Premium without installing 
ISA2004 from the Premium CD, got things working like we wanted and expected, 
then a couple of weeks in, added ISA2004 from the Premium CD and reran CEICW. 
External users can no longer connect to OWA using the Directory Security 
settings that we had in place for /Exchange in IIS ("require client 
certificates" and "map client certificates to user accounts.")

The cable modem connects directly to NIC1 (External), NIC2 (Internal) 
connects to an 8 port switch into which our four workstation computers 
connect. 

SBS handles DHCP and DNS for the four internal workstations. IIS 6 has the 
standard SBS sites, default and sharepoint and the configuration sites, all 
of which work fine locally.

Only OWA has been made deliberately accessible to the outside world, using 
CEICW, with client certificates required and mapped to user accounts via the 
Directory Security tab in IIS for "/exchange."  Before adding ISA2004 from 
the SBS2003 Premium cd, this worked just as expected. 

After installing SBS's ISA2004, when outside users used the same url that 
worked pre-ISA, they got "The page requires a client certificate" error.

ISA 2004 was set up via CEICW and the ISA defaults were kept (initially) for 
the OWA publishing rule that was created.  Since that didn't work, we've 
since tweaked the publishing rule to require 128 bit encryption, the listener 
authenticates via certificate, and port 80 is deselected.

We also changed "require client certificate" to "accept client certificate"
and left "map to user account" selected in the directory security properties 
of IIS for /exchange.  Remote clients can again connect to OWA as expected: 
they are prompted for a user certificate to use, then they do so and are then 
forwarded to the FBA logon page for OWA and are able to log on.

So: since the ISA publishing rule requires SSL, the listener authenticates 
via certificate, and this works with client cert mapping enabled in IIS so 
long as client certs are set to "accept" instead of "require" in IIS, is all 
this by design?  Has ISA 2004 taken over the role of requiring the client 
certificate for IIS, and once provided, passes the user on to IIS?

Or is there a way to still require client certificates in the Directory 
Security tab in IIS for "/exchange" with ISA's publishing rule?

Thank you,
Keith

5. Requiring Client Certificate - IIS Server Security

6. IIS6 / W2K3 / Client Certificate - Urgent help required!

Hi there, 

Can anyone give me a quick tutorial on creating a self-signed client
certificate in win2K3 / IIS6, please?  I have just been handed a
project with a deadline of yesterday that requires client certificate
authentication.  Any help is gratefully accepted.

TIA
Marc.

7. Requiring matching client certificate and password? - IIS Server Security

8. Require Client Certificates and blank page

Hi all

I have big problems with the Option "Require Client Certificates" in IIS. We 
have enabled SSL and user client certificates with this option.

The problem: Often, when a user initiates a postback in an ASP.NET 1.1 
Application, the page returns immediately with a blank page. But sometimes 
the Postback works perfectly. This happens on different client machines all 
with IE 6.

When we configure IIS with Option "Ignore client Certificate" it works 
perfectly!

Any ideas?

Thanks
Daniel