IIS and Client Certificates on 2003 x64


I'm having a problem that hopefully someone else has worked through...

We're required to have all of our restricted web sites use SSL and enable the 'Require client certificates' option. I've done this without any problems in the past, but I'm setting up a new server and this is the first time I'm trying to set it up on Server 2003 x64. The problem I'm having is that when I try to browse to any of the sites on the box they immediately return a 403.7 error stating that client certificates are required, instead of prompting for the certificates. If I attempt to browse to the site on the server itself it prompts for certs, but the cert list is empty (it works going to any other site that requires client certs).

The server sits in a "DMZ" outside of the normal network, but has another firewall in front of it (so basically it sits between two firewalls). We've verified that all traffic that needs to talk is talking the way it should. Since the problem is happening locally on the server itself then I don't believe that the firewalls are the problem.

One question - are you using iexplore.exe*32 (32bit), or the 64bit iexplore.exe?

I've tried both on the server itself. All clients that will be accessing the site are 32-bit Windows (mostly XP with IE7 but there are some scattered Vista machines). We tested with several different 32-bit XP machines. It's not a client-end issue though because every other site configured this way works properly.

Does the server trust the CA that issued the certificate?

Yes.

Any errors in the event logs of either client or server?
Unfortunately, no. We also use Tumbleweed's Desktop and Server Validator products, but it's not throwing anything in its event log either (I've disabled Tumbleweed on the server side and the issue still persists).

I don't believe that the problem is with whether or not it trusts the CA. There should be a prompt for client certificate regardless of certificate trusts (it has to ask for the certificate before it can determine whether or not it trusts that certificate :)).

Certificates are not in the realm of IE or IIS, technically, they're handled by security.dll and the schannel.dll crypto APIs of the OS itself. You might want to get some schannel logging going on the server AND the client to see what is actually happening under the 403.7...

Ok, I've got some more information. When I try to access one of the sites the following gets written into the IIS log for that web instance:

2008-05-19 14:43:40 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+MS-RTC+LM+8) 403 7 5
2008-05-19 14:44:58 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+MS-RTC+LM+8) 403 7 64

The sc-win32-status code 5 is "Access is denied", ERROR_ACCESS_DENIED and 64 is "The specified network name is no longer available", ERROR_NETNAME_DELETED (link). I get the "403 7 5" error if I try to access the site from the server itself. I get both accessing it from another machine. I just can't figure out why either is happening.

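Decoding that status triplet by hand is error-prone, so here is an added example (not code from the thread) that parses IIS 6 W3C extended log lines by their #Fields header and labels the sc-status / sc-substatus / sc-win32-status combination. The log excerpt inside it is constructed to match the shape of the lines above (addresses and site id anonymised as xxx, user agents shortened); the field list is the IIS 6 default W3C set, and the code tables only contain codes whose meaning is documented for IIS 6 and Win32.

```python
"""Parse IIS 6 W3C extended log lines and decode the sc-status /
sc-substatus / sc-win32-status triplet so client-certificate failures
stand out. Field order is taken from the #Fields header, not assumed."""

from collections import namedtuple

# Constructed sample log: IIS 6 default W3C fields, two requests shaped like
# the 403.7 lines in the thread, and one successful request for contrast.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-05-19 14:43:40
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-19 14:43:40 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 403 7 5
2008-05-19 14:44:58 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 403 7 64
2008-05-19 14:45:10 W3SVCXXXXX xxx.xxx.xxx.xxx GET /index.htm - 443 DOMAIN\\user xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
"""

# IIS 6 substatus codes in the 403 family that involve SSL or client certs.
SUBSTATUS_403 = {
    4: "SSL required",
    5: "SSL 128 required",
    7: "Client certificate required",
    13: "Client certificate revoked",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
}

# Win32 error codes that show up in sc-win32-status for these failures.
WIN32_STATUS = {
    0: "ERROR_SUCCESS",
    5: "ERROR_ACCESS_DENIED",
    64: "ERROR_NETNAME_DELETED",
}

Entry = namedtuple("Entry", "fields status substatus win32 reason")


def describe(status, sub, win32):
    """Human-readable reason for a status triplet."""
    text = f"{status}.{sub}"
    if status == 403 and sub in SUBSTATUS_403:
        text += " " + SUBSTATUS_403[sub]
    text += f" (win32 {win32} {WIN32_STATUS.get(win32, 'unknown')})"
    return text


def parse_w3c(text):
    """Yield one Entry per request line, honouring the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#"):
            if raw.startswith("#Fields:"):
                fields = raw[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {raw!r}")
        rec = dict(zip(fields, values))
        # IIS writes spaces inside a field as '+'; undo that for display.
        if "cs(User-Agent)" in rec:
            rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
        status = int(rec["sc-status"])
        sub = int(rec.get("sc-substatus", 0))
        win32 = int(rec.get("sc-win32-status", 0))
        yield Entry(rec, status, sub, win32, describe(status, sub, win32))


def client_cert_failures(text):
    """Entries that failed on the client-certificate step (403.7/13/16/17)."""
    return [e for e in parse_w3c(text)
            if e.status == 403 and e.substatus in (7, 13, 16, 17)]


if __name__ == "__main__":
    for e in client_cert_failures(SAMPLE_LOG):
        print(e.fields["date"], e.fields["time"], e.fields["c-ip"], e.reason)
```

Two things to keep in mind when reading the output: IIS writes W3C log timestamps in UTC regardless of the server's time zone, so correlate with Schannel events on the local clock accordingly; and a 403.7 with win32 status 64 (ERROR_NETNAME_DELETED) means the client connection went away during or right after the handshake, which is consistent with a client that never got a usable certificate request rather than one that picked the wrong certificate.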

Actually, I just rebooted the server and noticed an Schannel event ID 36885 in the Event Viewer. The Description is:

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

I'm not exactly sure what's going on with that, though, since the server doesn't have any more CAs than any of our other servers do.

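Event 36885 is the most useful clue in the thread. When a TLS server asks for a client certificate it sends a CertificateRequest whose certificate_authorities field is a list of DER-encoded X.501 Names of the CAs it trusts; each name carries a 2-byte length and the whole list carries its own 2-byte length, so the protocol caps it at 65535 bytes (RFC 2246 section 7.4.4). Schannel builds that list from the machine's Trusted Root store and, when it grows past its internal limit, truncates it and logs 36885; a client whose issuer is not in the truncated portion sees no matching certificate, which is exactly the empty certificate picker described above. The example below is added here and is not code from the thread or from Microsoft: it encodes synthetic CA names in DER, measures the resulting certificate_authorities vector, and reports how many CAs would be cut off. The 16 KB truncation threshold is an assumption taken from Microsoft's guidance for this event rather than something the thread states; the synthetic CA names are constructed for the demonstration.

```python
"""Measure the TLS CertificateRequest certificate_authorities vector a
server would build from a set of trusted CA names, and show how a large
Trusted Root store runs into the Schannel truncation behind event 36885."""

# Assumed Schannel truncation threshold (Microsoft's guidance for event
# 36885 cites 16 KB; treat the exact figure as an assumption).
SCHANNEL_ISSUER_LIST_LIMIT = 16 * 1024
# Hard protocol limit: the vector has a 2-byte length (RFC 2246 7.4.4).
TLS_VECTOR_MAX = 0xFFFF

OID_CN = b"\x06\x03\x55\x04\x03"  # 2.5.4.3  commonName
OID_O = b"\x06\x03\x55\x04\x0a"   # 2.5.4.10 organizationName
OID_C = b"\x06\x03\x55\x04\x06"   # 2.5.4.6  countryName


def der_len(n):
    """DER definite-form length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, content):
    """Tag, length, value."""
    return bytes([tag]) + der_len(len(content)) + content


def der_name(country, org, cn):
    """Minimal DER X.501 Name: SEQUENCE of single-attribute SETs.

    countryName is a PrintableString (0x13); the other two are encoded as
    UTF8String (0x0c), as most current CA certificates do.
    """
    def rdn(oid, tag, value):
        atv = der_tlv(0x30, oid + der_tlv(tag, value.encode("utf-8")))
        return der_tlv(0x31, atv)

    return der_tlv(0x30, rdn(OID_C, 0x13, country)
                   + rdn(OID_O, 0x0C, org)
                   + rdn(OID_CN, 0x0C, cn))


def certificate_authorities_vector(names):
    """Encode DistinguishedName certificate_authorities<0..2^16-1>.

    Raises ValueError if the list cannot be represented on the wire at all;
    the Schannel limit is checked separately by issuer_list_report().
    """
    body = b"".join(len(n).to_bytes(2, "big") + n for n in names)
    if len(body) > TLS_VECTOR_MAX:
        raise ValueError(f"certificate_authorities would be {len(body)} bytes, "
                         f"above the {TLS_VECTOR_MAX}-byte TLS limit")
    return len(body).to_bytes(2, "big") + body


def issuer_list_report(names, limit=SCHANNEL_ISSUER_LIST_LIMIT):
    """How many CAs fit under `limit` and how many the client never sees."""
    used = kept = 0
    for n in names:
        entry = 2 + len(n)          # 2-byte length prefix per DistinguishedName
        if used + entry > limit:
            break
        used += entry
        kept += 1
    total = sum(2 + len(n) for n in names)
    return {"ca_count": len(names), "bytes": total, "kept": kept,
            "dropped": len(names) - kept, "truncated": kept < len(names)}


def synthetic_trust_store(count):
    """Constructed stand-in for a Trusted Root store with `count` CAs."""
    return [der_name("US", f"Example Trust Services {i}", f"Example Root CA {i}")
            for i in range(count)]


if __name__ == "__main__":
    for n in (50, 200):
        print(n, issuer_list_report(synthetic_trust_store(n)))
```

With roughly 80-byte names the assumed limit is reached at about 195 CAs; real root names are often longer, so a store padded out by enterprise or vendor roots can hit it sooner. The two remedies Microsoft documents for this event (not mentioned in the thread) are to remove roots that are not needed for client authentication on that box, or to stop sending the list altogether with the SendTrustedIssuerList DWORD set to 0 under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL, in which case the client chooses from all its certificates and the server still validates the chain on receipt.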