
I need your help on an IIS configuration issue.

My computer is running Windows 7 Pro edition and IIS version is 7.5. The server, and the issue, is local only.

I have an ASP.NET 2.0 website with a strongly secured folder. In this folder there is a page doing authentication with a physical electronic certificate.

I should point out that I cannot modify the web.config file of the project, as it is shared with several machines and different systems (but I am the first with Windows 7).

What I did:

  1. First I had to generate a self-signed certificate for my localhost server.
  2. Then I activated the SSL encryption for the secured folder of my website.
  3. I also checked "accept client certificate".

When I access this folder, I get a nice error: HTTP 403.7 - Forbidden.

I know that it means my client (web-browser) is not sending a certificate to the server, or the server cannot validate the client certificate.

But my server and client are both localhost, so they should share the same root certificates and revocation lists, shouldn't they?

I already updated all the revocation lists and root certificates, and I exported the server-generated certificate to add it to my local store.

I am running out of ideas, what did I miss? I was thinking of a user permission issue, but I cannot figure out how to check that.

Thanks for your help.

EDIT: here's a complete picture of the error (in French, sorry, but there's not much information): http://uppix.net/4/9/d/3bcff253cfceb0b297fbb63205709.png

I don't have enough reputation to display this image in my post...

Valryon
  • Can you provide a screenshot of your browser when attempting to access that site? – JohnThePro Feb 08 '12 at 16:10
  • Okay, I'll add a screenshot tomorrow, but it's similar to this one, if it can help: http://www.iprogrammable.com/files/2011/09/image10.png – Valryon Feb 08 '12 at 16:46

2 Answers

IIS and browsers are both really finicky about certificates, because they expect CA-backed certificates. When using self-signed certificates, you run into all kinds of errors like this.

If you don't mind my asking, what is the purpose of client-side certificate authentication in this scenario?

Also, the bottom portion of the IIS screenshot is slightly more useful than the top. When you provide yours, please take a shot of the entire browser window (or multiple shots if necessary).

In short, for testing these kinds of solutions internally, it's best to have a Certificate Authority running inside your organization.

If it is not possible for you to create this kind of infrastructure, take a look at this site:

http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/

It shows that W7 by default now trusts certificates generated by StartSSL. If you jump through a couple of hoops, you can actually generate trusted SSL certificates from them at little or no cost.

http://www.startssl.com/?app=0

I look forward to the screenshot and to further helping you!

JohnThePro
  • Thanks a lot for your time and consideration. I just added a screenshot to my original post. The purpose is to have, in addition to a simple username/password authentication, a highly secured authentication using a USB electronic certificate (that kind of thing: http://www.reseaux-telecoms.net/images/actualite/000000004637.jpg). When authenticated "strongly", a user can do some very sensitive operations that are usually not available, such as electronic signature. So I guess what I want is for that USB certificate to be sent by the browser. – Valryon Feb 09 '12 at 08:36
  • Okay, I am still investigating. I followed some of the indications I found on StackOverflow (http://stackoverflow.com/questions/681695/what-do-i-need-to-do-to-get-internet-explorer-8-to-accept-a-self-signed-certific). The error displayed when I click on "certificate error" in the IE address bar is "mismatched address". Seems logical, as I generated a self-signed certificate which is not linked to any URL... but I don't know how to change that. – Valryon Feb 09 '12 at 14:31
  • The self-signed certificate track seems to be a dead end. This tutorial: http://www.sslshopper.com/article-how-to-create-a-self-signed-certificate-in-iis-7.html was really useful to get rid of all self-signed certificate trust issues. But the 403.7 error is still there. – Valryon Feb 09 '12 at 15:29
  • I found another great help article, and I'm sure it could help many people having the same trouble: http://blogs.msdn.com/b/friis/archive/2011/11/15/troubleshooting-403-7-client-certificate-required-errors-amp-step-by-step-to-make-sure-your-client-certificate-is-displayed-and-selected.aspx So I have everything in order, but my IE8 still won't send a client certificate, so I still have the 403.7 error. – Valryon Feb 09 '12 at 16:01
  • On the error page in your browser, at the bottom, there's an additional information link that drops the page a little. What is in there? Does IE indicate at all that the server is requesting a client-side certificate? Have you tried performing an iisreset /force? – JohnThePro Feb 09 '12 at 18:52
  • The link goes to http://support.microsoft.com/kb/943891, a general help page for HTTP error codes. IE indicates nothing (no dialog or anything). I'll try the /force option, and I am now looking with Wireshark at whether IE is sending certificate information to the server... – Valryon Feb 10 '12 at 08:56
  • Following another article (I'm becoming an expert... http://support.microsoft.com/kb/901183), I tried to grant the IIS user access to my local certificate store. `winhttpcertcfg.exe -g -c LOCAL_MACHINE\My -s certif -a "IUSR" Microsoft (R) WinHTTP Certificate Configuration Tool Copyright (C) Microsoft Corporation 2001. Matching certificate: (hidden details) OPERATION FAILED The Discretionary Access Control List (DACL) for this object is a NULL DACL. This implies everyone has full access to this object...` – Valryon Feb 10 '12 at 09:58
  • Alright, this post here kinda covers a lot of different things, but I'm thinking you should make your way through it. A lot of verifying certificate root presence and things like that. Go through it and see if anything in there helps. – JohnThePro Feb 10 '12 at 16:12

OK, my solution is kind of weird, but I finally got rid of this issue.

As I am not sure if this is the only required step, here are the main steps I followed:

  1. Enable SSL on my local server with a self-signed certificate.
  2. Check the certificate setup by following this other tutorial: http://blogs.msdn.com/b/friis/archive/2011/11/15/troubleshooting-403-7-client-certificate-required-errors-amp-step-by-step-to-make-sure-your-client-certificate-is-displayed-and-selected.aspx
  3. And the real trick: add a magic registry value: http://support.microsoft.com/kb/933430

Maybe someone could explain to me what was going on...

And thanks @JohnThePro for your help.

Valryon
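The three steps in the accepted answer (SSL on the folder, a client certificate the browser can actually offer, and the SCHANNEL change from KB 933430) can all be checked from one place. The PowerShell script below is an added diagnostic written for this thread, not code from either poster or from Microsoft; it runs on the Windows 7 / IIS 7.5 setup the question describes from an elevated prompt. `$SitePath` and `$ServerHost` are placeholders for the secured folder and the server name, and `SendTrustedIssuerList` is the SCHANNEL value that KB 933430 describes (taken here to be the "magic registry value" of step 3). It reports what the folder's `sslFlags` really are, whether the server certificate chains to a trusted root, whether any certificate in the user's personal store is usable for client authentication, and whether the trusted-issuer list is being sent.

```powershell
# Added diagnostic (not from the original thread): gathers the usual causes of
# "HTTP 403.7 - Forbidden" on IIS 7.x when a folder accepts client certificates.
# $SitePath and $ServerHost are placeholders; adjust them to your site.
param(
    [string]$SitePath   = "Default Web Site/secure",   # placeholder: site/folder in IIS
    [string]$ServerHost = "localhost"                  # host name the server cert should carry
)

$findings = @()
function Note([string]$Status, [string]$Message) {
    $script:findings += ("[{0}] {1}" -f $Status, $Message)
}

# $true when the certificate may be used for TLS client authentication: it carries
# the Client Authentication EKU (1.3.6.1.5.5.7.3.2), or it has no EKU extension at
# all, which Windows treats as "valid for all purposes".
function Test-ClientAuthEku($Cert) {
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ekuExt) { return $true }
    foreach ($oid in $ekuExt.EnhancedKeyUsages) {
        if ($oid.Value -eq "1.3.6.1.5.5.7.3.2") { return $true }
    }
    return $false
}

# Build the chain without a revocation lookup (local diagnostic) and return its root.
function Get-ChainRoot($Cert) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($Cert)
    $n = $chain.ChainElements.Count
    if ($n -eq 0) { return $null }
    return $chain.ChainElements[$n - 1].Certificate
}

$trustedRoots = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })

# 1. What the folder really demands: Ssl, SslNegotiateCert (accept), SslRequireCert (require).
$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
if (Test-Path $appcmd) {
    $access = & $appcmd list config $SitePath "-section:system.webServer/security/access"
    Note "INFO" ("access settings for '{0}': {1}" -f $SitePath, ($access -join " "))
} else {
    Note "WARN" "appcmd.exe not found; run this on the machine that hosts IIS"
}

# 2. Server certificate: present in LocalMachine\My, name matches, chains to a trusted root?
$serverCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -match $ServerHost })
if ($serverCerts.Count -eq 0) {
    Note "FAIL" ("no certificate for '{0}' in LocalMachine\My (IE shows 'mismatched address' when the name differs)" -f $ServerHost)
}
foreach ($c in $serverCerts) {
    $root = Get-ChainRoot $c
    if ($root -and ($trustedRoots -contains $root.Thumbprint)) {
        Note "PASS" ("server cert {0} chains to trusted root '{1}'" -f $c.Thumbprint, $root.Subject)
    } else {
        Note "FAIL" ("server cert {0} does not chain to a root in LocalMachine\Root" -f $c.Thumbprint)
    }
}

# 3. Client certificates the browser could offer: private key present, client-auth EKU,
#    and a root the server trusts (IIS rejects client certs whose chain it cannot trust).
$clientCerts = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey })
if ($clientCerts.Count -eq 0) {
    Note "FAIL" "no certificate with a private key in CurrentUser\My; IE has nothing to send"
}
foreach ($c in $clientCerts) {
    if (-not (Test-ClientAuthEku $c)) {
        Note "WARN" ("{0} ({1}) lacks the Client Authentication EKU" -f $c.Thumbprint, $c.Subject)
        continue
    }
    $root = Get-ChainRoot $c
    if ($root -and ($trustedRoots -contains $root.Thumbprint)) {
        Note "PASS" ("client cert {0} ({1}) is usable; root '{2}' is trusted" -f $c.Thumbprint, $c.Subject, $root.Subject)
    } else {
        Note "FAIL" ("client cert {0} ({1}) does not chain to a trusted root" -f $c.Thumbprint, $c.Subject)
    }
}

# 4. The SCHANNEL value from KB 933430. When it is unset or 1, the server sends its
#    whole trusted-issuer list during the handshake; a very long list can prevent the
#    client from offering any certificate. Setting it to 0 stops sending the list.
$schannel = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
$prop = Get-ItemProperty -Path $schannel -Name SendTrustedIssuerList -ErrorAction SilentlyContinue
if ($prop -eq $null) {
    Note "INFO" ("SendTrustedIssuerList not set (default); {0} trusted roots would be advertised" -f $trustedRoots.Count)
} else {
    Note "INFO" ("SendTrustedIssuerList = {0}" -f $prop.SendTrustedIssuerList)
}

$findings | ForEach-Object { Write-Output $_ }
```

Read the output top to bottom: a FAIL in section 2 matches the "mismatched address" symptom from the comments, a FAIL or WARN in section 3 explains why IE shows no certificate prompt at all, and section 4 tells you whether the registry change from step 3 of the answer has been applied. The script only reads the stores and the registry; it changes nothing.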