IIS and Client Certificates on 2003 x64


#1
nmX.Memnoch
I'm having a problem that hopefully someone else has worked through...

We're required to have all of our restricted web sites use SSL and enable the 'Require client certificates' option. I've done this without any problems in the past but I'm setting up a new server and this is the first time I'm trying to set it up on Server 2003 x64. The problem I'm having is that when I try to browse to any of the sites on the box they immediately return a 403.7 error stating that client certificates are required instead of prompting for the certificates. If I attempt to browse to the site on the server itself it prompts for certs, but the cert list is empty (it works going to any other site that requires client certs).

The server sits in a "DMZ" outside of the normal network, but has another firewall in front of it (so basically it sits between two firewalls). We've verified that all traffic that needs to talk is talking the way it should. Since the problem is happening locally on the server itself then I don't believe that the firewalls are the problem.



#2
cluberti
One question - are you using iexplore.exe*32 (32bit), or the 64bit iexplore.exe?
MCTS Windows Internals, MCITP Server 2008 EA, MCTS MDT/BDD, MCSE/MCSA Server 2003, Server 2012, Windows 8
--------------------
Please read the rules before posting!
Please consider donating to MSFN to keep it up and running!

#3
adamt
Does the server trust the CA that issued the certificate?

Any errors in the event logs of either client or server?

#4
nmX.Memnoch

One question - are you using iexplore.exe*32 (32bit), or the 64bit iexplore.exe?

I've tried both on the server itself. All clients that will be accessing the site are 32-bit Windows (mostly XP with IE7 but there are some scattered Vista machines). We tested with several different 32-bit XP machines. It's not a client-end issue though because every other site configured this way works properly.


Does the server trust the CA that issued the certificate?

Yes.

Any errors in the event logs of either client or server?

Unfortunately, no. We also use Tumbleweed's Desktop and Server Validator products but it's not throwing anything in its event log either (I've disabled Tumbleweed on the server side and the issue still persists).

I don't believe that the problem is with whether or not it trusts the CA. There should be a prompt for client certificate regardless of certificate trusts (it has to ask for the certificate before it can determine whether or not it trusts that certificate :)).

#5
cluberti
Certificates are not in the realm of IE or IIS, technically, they're handled by security.dll and the schannel.dll crypto APIs of the OS itself. You might want to get some schannel logging going on the server AND the client to see what is actually happening under the 403.7...

#6
nmX.Memnoch
Ok, I've got some more information. When I try to access one of the sites the following gets written into the IIS log for that web instance:

2008-05-19 14:43:40 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+MS-RTC+LM+8) 403 7 5
2008-05-19 14:44:58 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+MS-RTC+LM+8) 403 7 64


The sc-win32-status code 5 is "Access is denied", ERROR_ACCESS_DENIED and 64 is "The specified network name is no longer available", ERROR_NETNAME_DELETED (link). I get the "403 7 5" error if I try to access the site from the server itself. I get both accessing it from another machine. I just can't figure out why either is happening.

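To triage the "403 7 x" entries the post above describes across a whole log, here is an added PowerShell example (not code from the thread) that parses the IIS 6 W3C log using its #Fields header and summarises 403.7 responses by client IP and sc-win32-status. The log content and IP addresses are constructed sample data.

```powershell
# Added example (not from the thread): parse IIS 6 W3C extended log lines and
# summarise "403 7" (client certificate required) responses by client IP and
# sc-win32-status, so you can see whether a client is being refused
# (5 = ERROR_ACCESS_DENIED) or the connection is being dropped
# (64 = ERROR_NETNAME_DELETED) before a certificate is ever presented.

# Constructed sample log using the default IIS 6 field set; IPs are placeholders.
$sampleLog = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-05-19 14:43:40
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-19 14:43:40 W3SVC1 192.0.2.10 GET / - 443 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+7.0) 403 7 5
2008-05-19 14:44:58 W3SVC1 192.0.2.10 GET / - 443 - 192.0.2.25 Mozilla/4.0+(compatible;+MSIE+7.0) 403 7 5
2008-05-19 14:44:59 W3SVC1 192.0.2.10 GET / - 443 - 192.0.2.25 Mozilla/4.0+(compatible;+MSIE+7.0) 403 7 64
2008-05-19 14:45:10 W3SVC1 192.0.2.10 GET /ok.htm - 443 user1 192.0.2.30 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
'@

$win32Names = @{ '0' = 'OK'; '5' = 'ERROR_ACCESS_DENIED'; '64' = 'ERROR_NETNAME_DELETED' }

function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {              # header line defines the column order
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or $line.Trim() -eq '' -or -not $fields) { continue }
        $values = $line -split ' '                   # IIS replaces spaces in values with '+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        New-Object PSObject -Property $row
    }
}

$rows = ConvertFrom-IisW3cLog ($sampleLog -split "`r?`n")
$rows |
    Where-Object { $_.'sc-status' -eq '403' -and $_.'sc-substatus' -eq '7' } |
    Group-Object 'c-ip', 'sc-win32-status' |
    ForEach-Object {
        $ip, $code = $_.Name -split ', '
        $name = if ($win32Names.ContainsKey($code)) { $win32Names[$code] } else { 'unknown' }
        '{0,-15} 403.7 win32={1,-3} ({2}) x{3}' -f $ip, $code, $name, $_.Count
    }
```

Point the function at `Get-Content` of a real log under %SystemRoot%\system32\LogFiles\W3SVCn\ to run it against the server; a client that only ever shows win32 status 64 never completed the handshake at all.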


#7
cluberti
schannel logging is your best bet. It almost seems as if the cert problem happened during the install to the x64 server's cert store.

#8
nmX.Memnoch
Actually, I just rebooted the server and noticed a Schannel event ID 36885 in the Event Viewer. The Description is:

When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.


I'm not exactly sure what's going on with that though since the server doesn't have any more CAs than any of our other servers do.

#9
nmX.Memnoch
I did some more searching and found KB933430. I used method 3 and it's now working. :)

Thanks for the assists!!! :D
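The 36885 event in #8 says the list of trusted CAs that Schannel offers in the TLS CertificateRequest was truncated, which is why clients saw no certificate to pick. The following added PowerShell example (not code from the thread or from KB933430) estimates how large that list would be from the machine's Root and AuthRoot stores, looks for the 36885 warning, and reports the SendTrustedIssuerList Schannel registry value. It assumes it runs on the IIS server with administrative rights and that, per RFC 5246 section 7.4.4, each entry is a 2-byte-length-prefixed DER Name under a 2-byte total length.

```powershell
# Added example (not from the thread or KB933430). Estimates the encoded size of
# the certificate_authorities list Schannel would send if it offered every CA in
# the machine Root/AuthRoot stores, shows per-store counts, checks for the
# Schannel 36885 truncation warning and reads SendTrustedIssuerList.
# Assumption: RFC 5246 7.4.4 framing (2-byte list length, 2-byte length per DER Name).
# The 'Cert:' and 'HKLM:' drives and the cmdlets used are standard Windows PowerShell.

function Get-TrustedIssuerListEstimate {
    param([string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'))
    $entries = foreach ($path in $StorePaths) {
        Get-ChildItem $path -ErrorAction SilentlyContinue | ForEach-Object {
            New-Object PSObject -Property @{
                Store   = $path
                Subject = $_.Subject
                Bytes   = 2 + $_.SubjectName.RawData.Length   # length prefix + DER-encoded Name
            }
        }
    }
    $sum = ($entries | Measure-Object -Property Bytes -Sum).Sum
    New-Object PSObject -Property @{
        CaCount    = @($entries).Count
        TotalBytes = 2 + [int]$sum
        PerStore   = $entries | Group-Object Store | Select-Object Name, Count
    }
}

$est = Get-TrustedIssuerListEstimate
'{0} CAs would be offered; encoded CertificateRequest list is roughly {1} bytes' -f $est.CaCount, $est.TotalBytes
$est.PerStore | Format-Table -AutoSize

# Schannel 36885 = the offered list was truncated. EventID is the low 16 bits of the instance id.
Get-EventLog -LogName System -Source Schannel -After (Get-Date).AddDays(-7) -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 36885 } |
    Select-Object TimeGenerated, Message -First 3

# Whether the server is configured to send the list at all. With the value set to 0
# Schannel sends an empty list; the client then offers any certificate it has and
# the server still validates the chain after it arrives.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$val = (Get-ItemProperty -Path $key -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
if ($null -eq $val) { 'SendTrustedIssuerList not set (Schannel default for this OS applies)' }
else { "SendTrustedIssuerList = $val" }
```

Comparing CaCount and the per-store counts between the failing x64 server and a working server is the quickest way to see whether an import or Windows Update run has bloated the trusted root list on one box only.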

#10
cluberti
Schannel log would probably have showed you the way :) - good job on the find :yes:.
