
IIS6 does not accept client certificate ?

 
user640

External


Since: Aug 22, 2003
Posts: 3



(Msg. 1) Posted: Fri Aug 22, 2003 10:52 pm
Post subject: IIS6 does not accept client certificate ?
Archived from groups: microsoft>public>inetserver>iis

Hi,
I have a big problem with SSL on IIS 6.
Windows 2003 standard server does not accept the client certificate.
The client certificate is signed by Thawte Server CA.
On Windows 2000 server the application works without problems.
I found on the Microsoft site article 332077, which recommends adding this
certificate to Trusted Root Certification Authorities in Certificates
management on my web server. I did it and the certificate is still rejected by
IIS. The error that my client receives is HTTP 403.16 Forbidden: Client
certificate is ill-formed or not trusted by web server.
Thanks for help
regards Artek

user649

External


Since: Aug 25, 2003
Posts: 244



(Msg. 2) Posted: Mon Aug 25, 2003 11:34 am
Post subject: RE: IIS6 does not accept client certificate ?

Hi Artek,

In IIS 6.0, the root certification authority certificates must be installed
in the local computer Trusted Root Certification Authorities certificate
store. With this change, IIS 6.0 verifies certificates based on the rules
that are specified in the crypto API. IIS6 provides the client with the
list of trusted CA from its trusted root store (CTL is subset of this list).

Based on my experience on this issue, you can also check the event viewer
to find any related error message about this issue. You can also enable the
"Win32-status" from IIS log property. You can try to access the web site
and check the IIS log to see whether there is any win32 related error
message about this issue. It will be appreciated that you tell me any error
messages about this issue.

Does this answer your question? Thank you for using Microsoft NewsGroup!

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.

user640

External


Since: Aug 22, 2003
Posts: 3



(Msg. 3) Posted: Mon Aug 25, 2003 6:16 pm
Post subject: Re: IIS6 does not accept client certificate ?

Hi,

I don't use CTL right now. I checked the Trusted Root Certification Authorities
certificate store on the local IIS6 server and there is a "built in" certificate
for Thawte Server CA.
My client (second web server) uses a certificate issued by Thawte Server CA.
Below is a piece of the IIS 6.0 log:

#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2003-08-25 12:42:25
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-08-25 12:49:09 10.30.10.10 POST /payment/pcard.authorize.aspx - 443 - 193.109.115.28 libwww-perl/5.69 403 16 2148204816
2003-08-25 12:49:28 10.30.10.10 POST /payment/pcard.error.aspx - 443 - 10.20.10.74 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) 200 0 0

Script pcard.authorize.aspx requires a client certificate and communication
is rejected by IIS 6.0.
Script pcard.error.aspx does not require a certificate and works fine.
Both scripts run over SSL.

Thank you for your help
regards Artek

kenleyl

External


Since: Aug 25, 2003
Posts: 1



(Msg. 4) Posted: Tue Aug 26, 2003 2:42 am
Post subject: Re: IIS6 does not accept client certificate ?

Artek,

Let's do some troubleshooting to see if this is an issue with the
certificate trust chain. First make sure you have direct metabase edit
enabled in your master properties. Then on your IIS server go to a cmd
prompt and do the following:

cd\inetpub\adminscripts
cscript adsutil.vbs set w3svc/CertCheckMode 1

Now attempt to reproduce the problem. Do you still get a 403.16?

After you have tested this go back and reconfigure the setting:

cd\inetpub\adminscripts
cscript adsutil.vbs set w3svc/CertCheckMode 0

Please let us know your results.

Kind Regards,
Kenley Lamaute
Microsoft Product Support Services
someone9

External


Since: Aug 25, 2003
Posts: 2419



(Msg. 5) Posted: Tue Aug 26, 2003 2:42 am
Post subject: Re: IIS6 does not accept client certificate ?

Try SSLDiag from the IIS6 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=56fc92ee-a71a-4c73-b628-ade629c89499&DisplayLang=en

Also, I'd like to note that you do NOT need to have Direct Metabase Edit
enabled for any of this.

--
//David
IIS
This posting is provided "AS IS" with no warranties, and confers no rights.
//
user640

External


Since: Aug 22, 2003
Posts: 3



(Msg. 6) Posted: Tue Aug 26, 2003 10:49 pm
Post subject: Re: IIS6 does not accept client certificate ?

Hi
I set up CertCheckMode to 1 and I had the same problem.
After that I revoked CertCheckMode to 0 and installed SSLDiag on the web
server.
I ran sslmonitor and got the following data:
Issuer: Thawte Server CA
Flags: 0x40000004
GetChain: 1
Verify :1
Error 0x800b0110

The error code suggests that the certificate is used in the wrong way ???
I checked the Thawte Server CA properties on the IIS server and there are only two
purposes selected: Server Certificate and Code Sign.
I changed these settings by adding the Client Authentication purpose, then I
restarted the server and got the same error in ssl monitor.

SSL communication is between two servers, and I require an SSL client
certificate to find out if communication takes place with good server.

Thanks in advance for help Artek




user649

External


Since: Aug 25, 2003
Posts: 244



(Msg. 7) Posted: Wed Aug 27, 2003 8:50 am
Post subject: Re: IIS6 does not accept client certificate ?

Hi Artek,

Thank you for replying!

The Error 0x800b0110 means "The certificate is not valid for the requested
usage".

I'd suggest you can specify one CTL for your certificate.

Please feel free to let me know if you have any questions.

Wei-Dong Xu
Microsoft Product Support Services
Get Secure! - www.microsoft.com/security
This posting is provided "AS IS" with no warranties, and confers no rights.
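
Added example, not part of any post in the thread: the sc-win32-status value 2148204816 logged in Msg. 3 is the decimal form of the 0x800b0110 error that SSLDiag reported in Msg. 6, so the IIS log alone already identifies the failure. The Python below decodes that column for 403 client-certificate rejections; the function names and the chosen subset of substatus and HRESULT codes are assumptions of this example.

```python
# Added example (not from the thread): triage client-certificate rejections in an
# IIS W3C extended log. SAMPLE_LOG is the Msg. 3 excerpt with wrapped lines rejoined.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2003-08-25 12:49:09 10.30.10.10 POST /payment/pcard.authorize.aspx - 443 - 193.109.115.28 libwww-perl/5.69 403 16 2148204816
2003-08-25 12:49:28 10.30.10.10 POST /payment/pcard.error.aspx - 443 - 10.20.10.74 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) 200 0 0
"""

CERT_SUBSTATUS = {7, 12, 13, 16, 17}  # IIS 403.x substatus codes about client certificates

CERT_HRESULTS = {  # certificate-trust HRESULTs from winerror.h (subset)
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
    0x800B010C: "CERT_E_REVOKED",
    0x800B0110: "CERT_E_WRONG_USAGE",  # the error SSLDiag reported in Msg. 6
}

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or wrapped rows
                yield dict(zip(fields, values))

def cert_rejections(text):
    """Return 403 client-certificate rejections with the decoded HRESULT."""
    hits = []
    for row in parse_w3c(text):
        sub = int(row.get("sc-substatus", 0))
        if row.get("sc-status") != "403" or sub not in CERT_SUBSTATUS:
            continue
        # The log stores the HRESULT in decimal; mask so a signed value decodes too.
        hresult = int(row.get("sc-win32-status", 0)) & 0xFFFFFFFF
        hits.append({
            "uri": row.get("cs-uri-stem"),
            "client": row.get("c-ip"),
            "substatus": sub,
            "hresult": f"0x{hresult:08X}",
            "name": CERT_HRESULTS.get(hresult, "unknown"),
        })
    return hits

if __name__ == "__main__":
    print(cert_rejections(SAMPLE_LOG))
```

Rows whose column count does not match the #Fields directive are skipped, so a log pasted with wrapped lines, as in the original post, has to be rejoined first.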