
I'm in the process of moving some sites from an IIS 7.5 web server (2008 R2) to an IIS 8.5 server (2012 R2) and one in particular is giving me a fit.

The site uses client certs for authentication. User info is stored in a DB and the app is not connected to AD at all.

I have SSL Settings set to Require SSL and Client certificates set to Require as well. The root CA cert is in the Local Computer's Trusted Root CAs, the site has a valid SSL cert and correctly prompts the user for their client cert. However, I receive a 403.16 response complaining that the server does not trust the client certificate.

I have made sure all non-self-signed certs were moved from Trusted Root CAs to Intermediate CAs, have compared the site configurations between the two servers and have tried setting SendTrustedIssuerList = 0 in the registry. None of these seems to do the trick.

  • What is the client-side certificate? SHA-1 was deprecated in certificate use – yagmoth555 Oct 03 '17 at 17:44
  • When client certificates are required in IIS, it attempts to authenticate the client before the data reaches the web application. IIS attempts to authenticate the user against either AD or the local SAM. It doesn't work the way you are describing. – Crypt32 Oct 04 '17 at 09:12
  • @Crypt32 The application running on this site doesn't use cert mapping against AD. It actually just checks the cert's thumbprint against a value in the user's profile in the user database. – James Mazikowski Oct 04 '17 at 13:25
  • IIS can't check the thumbprint against your database. Client certificate authentication in IIS occurs before the data reaches the web site. That is, you can do your own authentication within the web application only when the client is successfully authenticated in IIS. – Crypt32 Oct 04 '17 at 17:49
  • @yagmoth555 It's a SHA-1 certificate – James Mazikowski Oct 05 '17 at 18:26
  • @Crypt32 I see what you're saying now. I'm still at a loss as to why the server would be responding that it does not trust the cert, though. The root and intermediate CA certs for the client are installed on the server in their correct locations. – James Mazikowski Oct 05 '17 at 18:26
  • SHA-1 is deprecated, please redo a certificate to retest – yagmoth555 Oct 05 '17 at 19:43
  • @yagmoth555 Unfortunately I have absolutely no control over the certificates and have to make do with what I'm given. – James Mazikowski Oct 08 '17 at 01:50
  • Test with an old Firefox portable; the SHA-1 error is enforced client-side – yagmoth555 Oct 08 '17 at 02:54
  • @yagmoth555 I'm not getting a SHA-1 error from the browser, I'm getting an error back from IIS that it doesn't trust the issuing CA. – James Mazikowski Oct 10 '17 at 13:41

0 Answers
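The checks the question describes doing by hand (looking for non-self-signed certificates in the machine Trusted Root store, the SendTrustedIssuerList registry value, and whether the server actually trusts the client certificate's chain), collected into one PowerShell diagnostic. This is an added example and is not code from the original post or from any answer. It assumes it runs in an elevated session on the IIS 8.5 / 2012 R2 server and that the public half of a failing client certificate has been exported to C:\temp\client.cer (a placeholder path). The chain build in step 3 uses the machine store context and the Client Authentication EKU to approximate the trust decision IIS makes before the request reaches the application; a stray intermediate in Trusted Root, or a chain that does not build, is the condition IIS reports as 403.16.

```powershell
# Added diagnostic script; not part of the original question or any answer.
# Run in an elevated PowerShell session on the IIS 8.5 / 2012 R2 server.
# Assumption: the public half of a failing client certificate was exported to this path.
$clientCertPath = 'C:\temp\client.cer'

# 1. Root store hygiene. An entry whose Subject differs from its Issuer is an
#    intermediate, not a root. A stray intermediate in Trusted Root breaks the chain
#    validation IIS performs on client certificates, which surfaces as 403.16.
Write-Host '== Non-self-signed certificates in Cert:\LocalMachine\Root =='
$strays = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -ne $_.Issuer }
if ($strays) {
    $strays | Select-Object Thumbprint, Subject, Issuer, NotAfter | Format-Table -AutoSize
} else {
    Write-Host '  none'
}

# 2. Schannel setting the question mentions (DWORD; 0 = do not send the trusted issuer
#    list in the CertificateRequest; unset = default behaviour).
$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$sendList = (Get-ItemProperty -Path $schannelKey -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
Write-Host "SendTrustedIssuerList = $(if ($null -eq $sendList) { '<not set>' } else { $sendList })"

# 3. Build the client certificate's chain in the machine store context with the
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2), approximating the server-side check.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $clientCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true   # $true = machine context
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2')) | Out-Null
$built = $chain.Build($cert)

Write-Host "== Chain for '$($cert.Subject)' builds: $built =="
foreach ($element in $chain.ChainElements) {
    # Per-element status; an empty list means that element validated cleanly.
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ', '
    if (-not $status) { $status = 'OK' }
    Write-Host ("  {0}`n    issued by: {1}`n    status: {2}" -f $element.Certificate.Subject, $element.Certificate.Issuer, $status)
}
foreach ($s in $chain.ChainStatus) {
    # Overall chain errors, e.g. UntrustedRoot, PartialChain, RevocationStatusUnknown.
    Write-Host "  chain status: $($s.Status) - $($s.StatusInformation)"
}

# 4. Note the signature algorithm, since the comments ask about SHA-1. Schannel on the
#    server still chains a SHA-1 client cert; SHA-1 rejection is a browser-side policy.
Write-Host "Signature algorithm: $($cert.SignatureAlgorithm.FriendlyName)"
```

If step 1 lists anything, move those certificates to Cert:\LocalMachine\CA and re-run step 3; a chain that still ends in UntrustedRoot or PartialChain means the issuing CA chain on the server does not actually lead to a self-signed root in the machine Trusted Root store, regardless of what the SendTrustedIssuerList value is set to.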