Unable to set up client certificate, error 403.7

I am trying to set up a simple test case, following verbatim MS's tutorial "How To Set Up Client Certificates".
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secmod/html/secmod31.asp

Unfortunately I am not having success.

My configuration is as follows; IIS is run on my Windows 2000 Professional (NOT server) developer machine, and the client is viewing the simple WebForm1.aspx which extracts the username and tests whether the request had a client certificate. The client is a Win2K box running IE6. Neither of these machines is in a domain.

    private void Page_Load(object sender, System.EventArgs e)
    {
        // Name of the authenticated user; empty when the request is anonymous.
        string username;
        username = User.Identity.Name;
        if (username.Length <= 0)
            username = "User.Identity.Name is blank";
        lblMessage.Text = "Welcome " + username;

        // Report whether the browser presented a client certificate.
        HttpClientCertificate cert = Request.ClientCertificate;
        if (cert.IsPresent)
            certData.Text = "Client certificate retrieved";
        else
            certData.Text = "No client certificate yet";
    }

The Client Certificate was requested from a Windows 2000 Server (different box than my box where IIS and the code above is run). This server is running Certificate Services as a Stand Alone CA.

When IIS is configured to simply "Accept client certificates", the User.Identity.Name is blank and there is no client certificate. When IIS is changed to "Require client certificates", I receive an error HTTP 403.7 stating that "the page requires a client certificate".

This problem seems identical to that discussed ("Client certificate problem") and unresolved by Felix Planjer/Miha Pihler/brik on 2004.Dec.14 in this newsgroup.
http://groups.google.ca/groups?selm=unwTLRc4EHA.3388%40TK2MSFTNGP15.phx.gbl

Unfortunately their thread was never terminated with a resolution.

Any help would be much appreciated.
Best regards,
David

"David Carr" <David_Carr@NoSpamCanada.Com> wrote in message news:OcxvzE3TFHA.752@TK2MSFTNGP10.phx.gbl...
: When IIS is configured to simply "Accept client certificates", the
: User.Identity.Name is blank and there is no client certificate.

Because it is optional for the client to send a certificate, and it (the client) doesn't appear to be sending one.

: When IIS is changed to "Require client certificates", I receive an error HTTP 403.7
: stating that "the page requires a client certificate".

Because the client isn't sending a certificate

I think you need to look at the client here...

Cheers
Ken

Thanks for the reply Ken. Yes, from my posting and the 403.7 error message one would conclude that the client is not sending a certificate.

Further to this, when I hit this site https://idun.certifikat.tdc.dk/update/jsp/test.jsp a "Client Authentication" window pops up with nothing in it. This is despite the fact that I have installed the client certificate and it is visible through running mmc and adding the "Certificates" snap-in (listed under Personal\Certificates). The root CA certificate generated on the Win2K server is also visible under "Intermediate Certification Authorities\Certificates". Note that when I hit my C# ASP.NET page, no "Client Authentication" dialog appears.

Does anyone have any ideas as to why the IE client wouldn't be sending a certificate? What C# mechanism to prompt for a certificate is equivalent to what is used on the link above using JSP?

Any idea if there is a problem with this setup:

1. Client - Win2K Pro machine using IE6
2. Server - Win2K Pro machine running IIS and serving WebForm1.aspx.
3. CA - Stand alone Certificate Authority resides on another machine, namely a Win2K server.

Specifically, if the CA has to be on the same machine as IIS?

After another day at this, it is still unresolved. Any help appreciated.

Cheers,
David

"Ken Schaefer" <kenREM***@THISadOpenStatic.com> wrote in message news:O9BPrT5TFHA.1896@TK2MSFTNGP14.phx.gbl...
> : When IIS is configured to simply "Accept client certificates", the
> : User.Identity.Name is blank and there is no client certificate.
>
> Because it is optional for the client to send a certificate, and it (the
> client) doesn't appear to be sending one.
>
> : When IIS is changed to "Require client certificates", I receive an error HTTP 403.7
> : stating that "the page requires a client certificate".
>
> Because the client isn't sending a certificate
>
> I think you need to look at the client here...
>
> Cheers
> Ken
>
> --
> Blog: www.adopenstatic.com/cs/blogs/ken/
> Web: www.adopenstatic.com

Had similar issues. What works here:
Export the trusted root cert for the SERVER from the Certificates - Local User (mmc snap-in) cert store, import into the local computer certificates (mmc snap-in)
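
A check for the situation the last reply describes, as an added example that is not part of the thread: IIS evaluates client certificate chains against the Local Computer stores, so a CA certificate trusted only in a user's store does not help the server. It assumes Windows PowerShell 3 or later on the IIS machine and a hypothetical file C:\temp\client.cer holding the client certificate exported without its private key.

```powershell
# Added example, not from the thread. Run on the IIS server.
# Hypothetical path: the client's certificate exported WITHOUT its private key.
$ClientCertPath = 'C:\temp\client.cer'
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientCertPath

# IIS runs as a service and evaluates trust against the Local Computer stores.
# The Current User view also lists machine-wide roots, so the case to catch is
# "visible to the logged-on user, absent from the machine".
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
          'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA'

# Match by name only (issuer DN of the client cert equals subject DN of a CA cert).
# This locates the CA certificate; it does not verify the signature.
$hits = @(foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Subject -eq $cert.Issuer } |
        ForEach-Object {
            [pscustomobject]@{ Store = $store; Thumbprint = $_.Thumbprint; NotAfter = $_.NotAfter }
        }
})
$hits | Format-Table -AutoSize | Out-Host

$inMachineRoot = @($hits | Where-Object { $_.Store -eq 'Cert:\LocalMachine\Root' }).Count -gt 0
if ($inMachineRoot) {
    Write-Host 'Issuing CA is in Local Computer\Trusted Root: server-side trust is in place.'
} elseif ($hits.Count -gt 0) {
    Write-Host 'Issuing CA found, but not in Local Computer\Trusted Root: import it there.'
} else {
    Write-Host 'Issuing CA not found in any store checked: install its certificate on this server.'
}

# Properties of the client certificate itself that are worth ruling out.
$ekuExt = @($cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
# No EKU extension means the certificate is not restricted to particular purposes.
$clientAuthOk = ($ekuExt.Count -eq 0) -or
    (@($ekuExt[0].EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.2')
$now = Get-Date

[pscustomobject]@{
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    ClientAuthEku = $clientAuthOk   # OID 1.3.6.1.5.5.7.3.2 = Client Authentication
} | Format-List | Out-Host
```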