IIS Server Security - Unable to set up client certificate, error 403.7

David Carr

2005-05-02, 8:51 pm

Hi,

I am trying to set up a simple test case, following verbatim MS's tutorial
"How To Set Up Client Certificates".
http://msdn.microsoft.com/library/d...ml/secmod31.asp
Unfortunately I am not having success.

My configuration is as follows; IIS is run on my Windows 2000 Professional
(NOT server) developer machine, and the client is viewing the simple
WebForm1.aspx which extracts the username and tests whether the request had
a client certificate. The client is a Win2K box running IE6. Neither of
these machines is in a domain.

private void Page_Load(object sender, System.EventArgs e)
{
    string username;
    username = User.Identity.Name;
    if (username.Length <= 0)
        username = "User.Identity.Name is blank";
    lblMessage.Text = "Welcome " + username;
    HttpClientCertificate cert = Request.ClientCertificate;
    if (cert.IsPresent)
        certData.Text = "Client certificate retrieved";
    else
        certData.Text = "No client certificate yet";
}

The Client Certificate was requested from a Windows 2000 Server (different
box than my box where IIS and the code above is run). This server is
running Certificate Services as a Stand Alone CA.

When IIS is configured to simply "Accept client certificates", the
User.Identity.Name is blank and there is no client certificate. When IIS is
changed to "Require client certificates", I receive an error HTTP 403.7
stating that "the page requires a client certificate".

This problem seems identical to that discussed ("Client certificate
problem") and unresolved by Felix Planjer/Miha Pihler/brik on 2004.Dec.14 in
this newsgroup.
http://groups.google.ca/groups?selm...FTNGP15.phx.gbl
Unfortunately their thread was never terminated with a resolution.

Any help would be much appreciated. Best regards,
David



Ken Schaefer

2005-05-03, 2:49 am

: When IIS is configured to simply "Accept client certificates", the
: User.Identity.Name is blank and there is no client certificate.

Because it is optional for the client to send a certificate, and it (the
client) doesn't appear to be sending one.

: When IIS is
: changed to "Require client certificates", I receive an error HTTP 403.7
: stating that "the page requires a client certificate".

Because the client isn't sending a certificate

I think you need to look at the client here...

Cheers
Ken

--
Blog: www.adopenstatic.com/cs/blogs/ken/
Web: www.adopenstatic.com


David Carr

2005-05-03, 5:55 pm

Thanks for the reply Ken. Yes, from my posting and the 403.7 error message
one would conclude that the client is not sending a certificate. Further to
this, when I hit this site
https://idun.certifikat.tdc.dk/update/jsp/test.jsp
a "Client Authentication" window pops up with nothing in it. This is
despite the fact that I have installed the client certificate and it is
visible through running mmc and adding the "Certificates" snap-in (listed
under Personal\Certificates). The root CA certificate generated on the
Win2K server is also visible under "Intermediate Certification
Authorities\Certificates". Note that when I hit my C# ASP.NET page, no
"Client Authentication" dialog appears.

Does anyone have any ideas as to why the IE client wouldn't be sending a
certificate? What C# mechanism to prompt for a certificate is equivalent to
what is used on the link above using JSP?

Any idea if there is a problem with this setup:
1. Client - Win2K Pro machine using IE6
2. Server - Win2K Pro machine running IIS and serving WebForm1.aspx.
3. CA - Stand alone Certificate Authority resides on another machine, namely
a Win2K server.
Specifically, if the CA has to be on the same machine as IIS?

After another day at this, it is still unresolved. Any help appreciated.

Cheers,
David



jwmason1@gmail.com

2005-05-05, 6:03 pm

Had similar issues. What works here:

Export the trusted root cert for the SERVER from the Certificates -
Local User (mmc snap-in) cert store, import into the local computer
certificates (mmc snap-in)
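
The store comparison behind the fix in the last reply, as an added example that is not part of the original thread: a PowerShell sketch that lists root certificates trusted only in the current user's store and copies the CA root into the computer store. It assumes a Windows version with the Cert: drive and the PKI module; the CA subject and the file name are hypothetical placeholders.

```powershell
# Added example, not from the thread. Run elevated on the machine hosting IIS.
# Assumes the Cert: drive and the PKI module cmdlets Export-Certificate and
# Import-Certificate are available.

# Hypothetical CA subject; replace with the subject of your stand-alone CA.
$caSubject = 'CN=Example Standalone CA'

# The CurrentUser view of Trusted Root also shows the machine-wide roots, so
# whatever is left after subtracting LocalMachine is trusted by this user only.
$machineThumbs = @(Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $_.Thumbprint })
$userOnly = @(Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $machineThumbs -notcontains $_.Thumbprint })

Write-Host "Roots trusted by the current user but not by the computer:"
$userOnly | Format-Table Subject, NotAfter, Thumbprint -AutoSize

$match = @($userOnly | Where-Object { $_.Subject -like "$caSubject*" })

if ($match.Count -eq 0) {
    Write-Host "No user-only root matches '$caSubject'; nothing to copy."
}
elseif ($match.Count -gt 1) {
    Write-Warning "More than one match; narrow `$caSubject before importing."
}
else {
    $root = $match[0]
    # Only a self-signed certificate belongs in a Trusted Root store.
    if ($root.Subject -ne $root.Issuer) {
        throw "Certificate $($root.Thumbprint) is not self-signed; not importing."
    }
    $file = Join-Path $env:TEMP 'ca-root.cer'   # hypothetical file name
    Export-Certificate -Cert $root -FilePath $file | Out-Null
    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Write-Host "Copied $($root.Thumbprint) to LocalMachine\Root."
}
```

Compare the printed thumbprint with the one shown on the CA itself before importing, since a root in the computer store is trusted by every service on that machine.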


Copyright 2003 - 2008 webservertalk.com