Hi
Main technologies used:
- Windows Server 2012
- IIS 8.5
- Internet Explorer 11 - tried other browsers such as chrome but this is our target.
- SHA1 RSA certs with Client and Server authentication usage
We're working on a PKI scenario in which users must present a client certificate in order to access a website. I've read extensively on how to set this up. On the server:
- Server certificate with trusted chain is in place
- SSL settings are set to require client certificates
- iisOneToOneClientCertificateMapping is enabled, iisClientCertificateMappingModule is present
- client certs are mapped to valid Active Directory accounts via the iisOneToOneClientCertificateMapping collection (in web.config)
- All users allowed. All anonymous users denied. Anonymous Authentication disabled.
- mappings in the iisOneToOneClientCertificateMapping collection map to real, active user accounts in a co-located Active Directory
- Currently, the app pool id is set to LocalSystem, so I can rule out permissions issues.
Additionally, some articles say you need to explicitly enable client cert negotiation. I've played with the final line in this configuration, toggling between 'enabled' and 'disabled':
    IP:port                                         : 0.0.0.0:443
    Certificate Hash                                : b4d5ab7748ebf4e2178fc7e851abf338dd6ac89b
    Application ID                                  : {214124cd-d05b-4309-9af9-9caa44b2b74a}
    Certificate Store Name                          : MY
    Verify Client Certificate Revocation            : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                                     : Enabled
    Revocation Freshness Time                       : 0
    URL Retrieval Timeout                           : 0
    Ctl Identifier                                  : (null)
    Ctl Store Name                                  : (null)
    DS Mapper Usage                                 : Disabled
    Negotiate Client Certificate                    : Enabled
On the client, which is also a Windows Server 2012 machine running IE 11, additionally I have a valid client certificate with the trust chain in place, which has the same trusted root CA as the server. This client cert is in the current user's cert store, and the private key is in place as well.
I connect to this website easily with client certificate requirement removed (note: allowing anonymous users in that case).
So, the problem is, with the client cert requirement in place, Internet Explorer correctly prompts me for my client certificate, but no access is granted to the site. Nothing appears to happen; the spinner just goes forever. Chrome will eventually report 'The site can't be reached' with code ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED.
Looking in my IIS logs, I see the attempted connection getting logged, but with
    sc-status 0, sc-substatus 0, sc-win32-status 64.
FailedRequestTracing isn't picking up on these. Not surprising since 0 is not a real status code. The question is, why am I getting it? How can I find more information on what's going on?
I've wiresharked this situation to death, and I just don't know enough about the handshake to tell what's going on. I can see the client and server agreeing on a cipher suite, and the certificates being passed back and forth. But in every case, it ends with the server never responding after this point.
I've messed with registry, group policy settings, and pretty much anything you can find in a thread on these forums, serverfault, and stackoverflow. Nothing has got me any further. Moreover, no one seems to be seeing the 0 0 64 in the logs like I do.
I've been scouring the event viewer as well, but I can't find any relevant info.
Any direction would be appreciated, and I'd be happy to give a curious reader any more info needed.
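The following script is an added diagnostic, not part of the question above and not something the poster ran. It checks, on the client machine, the three things a TLS client-certificate handshake needs from the certificate in the current user's store: a Client Authentication EKU, a chain that builds to a trusted root for that purpose, and a private key that can actually produce a signature. That last step is what the browser's CertificateVerify message depends on, and it is the client-side counterpart of the Chrome error quoted above. It assumes Windows PowerShell 3 or later with .NET Framework 4.6 or later installed (for RSACertificateExtensions.GetRSAPrivateKey); the function name Test-ClientAuthCertificate and the probe string are my own.

```powershell
# Added diagnostic (not from the original post). Inspects every certificate in
# Cert:\CurrentUser\My for the properties a TLS client-cert handshake needs and
# probes the private key with a test signature. Assumes .NET 4.6+ for
# RSACertificateExtensions::GetRSAPrivateKey.
Add-Type -AssemblyName System.Security

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # 1. Extended Key Usage must include Client Authentication, or be absent entirely
    #    (an absent EKU extension means "any purpose").
    $ekuExt = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $ekuOk = (-not $ekuExt) -or ($ekus -contains $clientAuthOid)

    # 2. The chain must build to a trusted root for the client-auth application policy.
    #    Revocation is deliberately skipped here so trust and revocation problems
    #    show up separately (check revocation with certutil -verify -urlfetch).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid($clientAuthOid))) | Out-Null
    $chainOk = $chain.Build($Cert)
    $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 3. The private key must be present in this user's context and usable for signing.
    $keyProvider = $null; $signOk = $false; $signError = $null
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa) {
            # RSACng = key held by a CNG key storage provider; RSACryptoServiceProvider = legacy CAPI CSP
            $keyProvider = $rsa.GetType().Name
            $probe = [System.Text.Encoding]::ASCII.GetBytes('client-auth-key-probe')   # constructed test input
            $sig = $rsa.SignData($probe,
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
            $signOk = $rsa.VerifyData($probe, $sig,
                [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        } else {
            $signError = 'no RSA private key associated with this certificate'
        }
    } catch {
        # Typical causes: key file missing or not ACLed to this user, HSM/smart card not present
        $signError = $_.Exception.Message
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotAfter      = $Cert.NotAfter
        SigAlgorithm  = $Cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA
        HasPrivateKey = $Cert.HasPrivateKey
        KeyProvider   = $keyProvider
        ClientAuthEKU = $ekuOk
        ChainBuilds   = $chainOk
        ChainStatus   = $chainStatus
        CanSign       = $signOk
        SignError     = $signError
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientAuthCertificate -Cert $_ } |
    Format-List
```

Run it in the same interactive session the browser runs in, since key access is per user. A certificate that reports HasPrivateKey=True but CanSign=False, with SignError naming the key, is the case to look at first: the browser can select the certificate but cannot sign with it, which is the handshake failure the client reports rather than a server-side mapping problem. On the server side, the equivalent checks are `netsh http show sslcert` for the binding shown above and `certutil -verify -urlfetch` against the client certificate; raising Schannel logging via the EventLogging value under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL makes Schannel record handshake errors in the System event log, which is where the sc-win32-status 64 entries are otherwise silent.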