nmX.Memnoch Posted May 16, 2008 Posted May 16, 2008 I'm having a problem that hopefully someone else has worked through...We're required to have all of our restricted web sites use SSL and enable the 'Require client certificates' option. I've done this without any problems in the past but I'm setting up a new server and this is first time I'm trying to set it up on Server 2003 x64. The problem I'm having is that when I try to browse to any of the sites on the box they immediately return a 403.7 error stating the client certicates are required instead of prompting for the certificates. If I attempt to browse to the site on the server itself it prompts for certs, but the cert list is empty (it works going to any other site that requires client certs).The server sits in a "DMZ" outside of the normal network, but has another firewall in front of it (so basically it sits between two firewalls). We've verified that all traffic that needs to talk is talking the way it should. Since the problem is happening locally on the server itself then I don't believe that the firewalls are the problem.
cluberti Posted May 16, 2008 Posted May 16, 2008 One question - are you using iexplore.exe*32 (32bit), or the 64bit iexplore.exe?
adamt Posted May 16, 2008 Posted May 16, 2008 Does the server trust the CA that issued the certificate?Any errors in the event logs of either client or server?
nmX.Memnoch Posted May 17, 2008 Author Posted May 17, 2008 One question - are you using iexplore.exe*32 (32bit), or the 64bit iexplore.exe?I've tried both on the server itself. All clients that will be accessing the site are 32-bit Windows (mostly XP with IE7 but there are some scattered Vista machines). We tested with several different 32-bit XP machines. It's not a client-end issue though because every other site configured this way works properly.Does the server trust the CA that issued the certificate?Yes.Any errors in the event logs of either client or server?Unfortunately, no. We also use Tumbleweed's Desktop and Server Validator products but it's not throwing anything in it's event log either (I've disabled Tumbleweed on the server side and the issue still persists).I don't believe that the problem is with whether or not it trusts the CA. There should be a prompt for client certificate regardless of certificate trusts (it has to ask for the certificate before it can determine whether or not it trusts that certificate ).
cluberti Posted May 18, 2008 Posted May 18, 2008 Certificates are not in the realm of IE or IIS, technically, they're handled by security.dll and the schannel.dll crypto APIs of the OS itself. You might want to get some schannel logging going on the server AND the client to see what is actually happening under the 403.7...
nmX.Memnoch Posted May 19, 2008 Author Posted May 19, 2008 (edited) Ok, I've got some more information. When I try to access one of the sites the following gets written into the IIS log for that web instance:2008-05-19 14:43:40 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+MS-RTC+LM+8) 403 7 52008-05-19 14:44:58 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+MS-RTC+LM+8) 403 7 64 The sc-win32-status code 5 is "Access is denied", ERROR_ACCESS_DENIED and 64 is "The specified network name is no longer available", ERROR_NETNAME_DELETED (link). I get the "403 7 5" error if I try to access the site from the server itself. I get both accessing it from another machine. I just can't figure out why either is happening. Edited May 19, 2008 by nmX.Memnoch
cluberti Posted May 19, 2008 Posted May 19, 2008 schannel logging is your best bet. It almost seems as if the cert problem happened during the install to the x64 server's cert store.
nmX.Memnoch Posted May 19, 2008 Author Posted May 19, 2008 Actually, I just rebooted the server and noticed an Schannel event ID 36885 in the Event Viewer. The Description is:When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.I'm not exactly sure what's going on with that though since the server doesn't have anymore CA's than any of our other servers do.
nmX.Memnoch Posted May 19, 2008 Author Posted May 19, 2008 I did some more searching and found KB933430. I used method 3 and it's now working. Thanks for the assists!!!
cluberti Posted May 19, 2008 Posted May 19, 2008 Schannel log would probably have showed you the way - good job on the find .
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now