IIS and Client Certificates on 2003 x64
Posted 16 May 2008 - 11:05 AM
We're required to have all of our restricted web sites use SSL and enable the 'Require client certificates' option. I've done this without any problems in the past but I'm setting up a new server and this is the first time I'm trying to set it up on Server 2003 x64. The problem I'm having is that when I try to browse to any of the sites on the box they immediately return a 403.7 error stating that client certificates are required instead of prompting for the certificates. If I attempt to browse to the site on the server itself it prompts for certs, but the cert list is empty (it works going to any other site that requires client certs).
The server sits in a "DMZ" outside of the normal network, but has another firewall in front of it (so basically it sits between two firewalls). We've verified that all traffic that needs to talk is talking the way it should. Since the problem is happening locally on the server itself then I don't believe that the firewalls are the problem.
Posted 17 May 2008 - 10:43 AM
I've tried both on the server itself. All clients that will be accessing the site are 32-bit Windows (mostly XP with IE7 but there are some scattered Vista machines). We tested with several different 32-bit XP machines. It's not a client-end issue though because every other site configured this way works properly.
I don't believe that the problem is with whether or not it trusts the CA. There should be a prompt for a client certificate regardless of certificate trusts (it has to ask for the certificate before it can determine whether or not it trusts that certificate).
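The mechanism behind the point above (the server has to ask before it can judge trust) is the TLS CertificateRequest handshake message: the server lists the issuer names it will accept, and the browser offers only certificates from its store that chain to one of those names. The following added example is mine, not code from the thread; it builds and decodes a TLS 1.0/1.1 CertificateRequest and applies the same issuer filter a client applies, which is one way a prompt ends up empty. All issuer and subject names are constructed. Because Schannel on Windows Server 2003 has a documented size limit (about 16 KB) on this list that a large trusted-root store can exceed, the decoder also reports the list's encoded size.

```python
"""Build and decode a TLS 1.0/1.1 CertificateRequest (RFC 2246 section 7.4.4).

Added example, not from the thread. Issuer and subject names are constructed.
"""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}


# --- minimal DER encode/decode, enough for an X.501 Name -------------------
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:
        k = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + ln], pos + ln


def encode_oid(dotted):
    a = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * a[0] + a[1]])
    for v in a[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def decode_oid(raw):
    parts, v = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def encode_name(rdns):
    """rdns: list of (oid, value); each pair becomes a single-valued RDN."""
    sets = b"".join(der(0x31, der(0x30, der(0x06, encode_oid(o)) + der(0x13, v.encode())))
                    for o, v in rdns)
    return der(0x30, sets)


def decode_name(raw):
    _, seq, _ = read_tlv(raw, 0)
    rdns, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = read_tlv(seq, pos)
        atvs, p = [], 0
        while p < len(rdn_set):  # multi-valued RDNs are joined with '+'
            _, atv, p = read_tlv(rdn_set, p)
            _, oid, q = read_tlv(atv, 0)
            _, val, _ = read_tlv(atv, q)
            o = decode_oid(oid)
            atvs.append(f"{OID_NAMES.get(o, o)}={val.decode()}")
        rdns.append("+".join(atvs))
    return ",".join(rdns)


# --- the handshake message ---------------------------------------------------
def build_certificate_request(cert_types, issuers):
    cas = b"".join(struct.pack("!H", len(n)) + n for n in map(encode_name, issuers))
    body = bytes([len(cert_types)]) + bytes(cert_types) + struct.pack("!H", len(cas)) + cas
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake message")
    n = body[0]
    types = [CLIENT_CERT_TYPES.get(t, str(t)) for t in body[1:1 + n]]
    pos = 1 + n
    (cas_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + cas_len
    if end != len(body):  # certificate_authorities is the last field in TLS 1.0/1.1
        raise ValueError("certificate_authorities length mismatch")
    issuers = []
    while pos < end:
        (dn_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        issuers.append(decode_name(body[pos:pos + dn_len]))
        pos += dn_len
    return {"certificate_types": types, "certificate_authorities": issuers,
            "ca_list_bytes": cas_len}


def offerable_certs(request, client_certs):
    """The client-side filter: keep certs whose issuer the server listed."""
    accepted = set(request["certificate_authorities"])
    return [subj for subj, issuer in client_certs if issuer in accepted]


# Constructed sample data: two acceptable issuers, two client certificates.
ISSUERS = [
    [("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"), ("2.5.4.3", "Example Issuing CA")],
    [("2.5.4.3", "Other Root CA")],
]
CLIENT_CERTS = [  # (subject, issuer) as the client's store would present them
    ("CN=alice", "C=US,O=Example Corp,CN=Example Issuing CA"),
    ("CN=bob", "CN=Unrelated CA"),
]

if __name__ == "__main__":
    req = parse_certificate_request(build_certificate_request([1, 2], ISSUERS))
    print(req)
    print("offerable:", offerable_certs(req, CLIENT_CERTS))
```

Run it and only CN=alice is offerable; CN=bob chains to an issuer the server never named, so a browser holding only bob's certificate would show exactly the empty prompt described in the thread.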
Posted 17 May 2008 - 08:58 PM
Posted 19 May 2008 - 09:11 AM
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-19 14:43:40 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+MS-RTC+LM+8) 403 7 5
2008-05-19 14:44:58 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2;+MS-RTC+LM+8) 403 7 64
The sc-win32-status code 5 is "Access is denied", ERROR_ACCESS_DENIED, and 64 is "The specified network name is no longer available", ERROR_NETNAME_DELETED. I get the "403 7 5" error if I try to access the site from the server itself. I get both accessing it from another machine. I just can't figure out why either is happening.
This post has been edited by nmX.Memnoch: 19 May 2008 - 09:11 AM
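To pick these failures out of a full IIS 6 log rather than by eye, here is an added example (mine, not from the thread) that parses W3C extended log lines, honours the '#Fields:' header when present and otherwise assumes the default IIS 6 field order shown above, and decodes the 403 substatus and Win32 status of each client-certificate failure. The sample log is constructed: two lines mirror the posted 403.7 hits with the same masking, plus a successful request and a 403.16 so the filter has something to ignore and something else to include.

```python
"""Decode IIS 6 W3C extended log lines for SSL client-certificate failures.

Added example, not from the thread. Sample log lines are constructed.
"""

# Default IIS 6 W3C field order; a '#Fields:' directive in the log overrides it.
DEFAULT_FIELDS = (
    "date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status"
).split()

# IIS 6 substatus values under 403 that relate to SSL / client certificates.
SUBSTATUS_403 = {
    4: "SSL required",
    5: "SSL 128 required",
    7: "Client certificate required",
    12: "Mapper denied access",
    13: "Client certificate revoked",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
}

# Win32 codes commonly seen in sc-win32-status for these failures.
WIN32_STATUS = {
    0: "success",
    5: "ERROR_ACCESS_DENIED",
    64: "ERROR_NETNAME_DELETED",
    1236: "ERROR_CONNECTION_ABORTED",
}

# Constructed sample log (addresses masked as in the post).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-05-19 14:43:40 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 403 7 5
2008-05-19 14:44:58 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 403 7 64
2008-05-19 14:45:10 W3SVCXXXXX xxx.xxx.xxx.xxx GET /index.htm - 443 DOMAIN\\user xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 200 0 0
2008-05-19 14:46:02 W3SVCXXXXX xxx.xxx.xxx.xxx GET / - 443 - xxx.xxx.xxx.xxx Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) 403 16 0
"""


def parse_iis_log(text):
    """Return one dict per request line, keyed by the field names in effect."""
    fields = DEFAULT_FIELDS
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):  # directive that redefines columns
                fields = line[len("#Fields:"):].split()
            continue
        parts = line.split(" ")  # IIS replaces spaces inside values with '+'
        if len(parts) != len(fields):
            continue  # skip lines that do not match the declared layout
        rows.append(dict(zip(fields, parts)))
    return rows


def explain(row):
    """Attach readable meanings for status, substatus and the Win32 code."""
    status = int(row["sc-status"])
    sub = int(row["sc-substatus"])
    w32 = int(row["sc-win32-status"])
    reason = SUBSTATUS_403.get(sub, "other") if status == 403 else ""
    if w32 == 5:
        phase = "request completed; server refused access"
    elif w32 == 64:
        phase = "connection went away before the response completed (typically client closed it)"
    else:
        phase = WIN32_STATUS.get(w32, f"win32 {w32}")
    return {"time": f"{row['date']} {row['time']}", "client": row["c-ip"],
            "status": f"{status}.{sub}", "reason": reason,
            "win32": w32, "phase": phase}


def client_cert_failures(text):
    """Select 403.x entries whose substatus relates to SSL client certificates."""
    return [explain(r) for r in parse_iis_log(text)
            if r["sc-status"] == "403" and int(r["sc-substatus"]) in SUBSTATUS_403]


if __name__ == "__main__":
    for failure in client_cert_failures(SAMPLE_LOG):
        print(failure)
```

Pointing this at the real log directory would separate the "403 7 5" hits (the request got as far as the access check and was refused) from the "403 7 64" hits (the connection closed before IIS finished answering), which is the split the post is trying to explain.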
Posted 19 May 2008 - 10:08 AM
I'm not exactly sure what's going on with that though, since the server doesn't have any more CAs than any of our other servers do.