Client Certificate 403.16


Hi,

Currently we are trying to implement Client Authentication for our Business App to a web service hosted by ourselves.

Therefore we tried to configure IIS 8.5 to require Client Certificates.

Configuration:

SSL-Settings -> [x] Require SSL & Client certificate: require
Binding of the web site only to 443, with a wildcard certificate linked. The certificate is an official one, signed by an official authority.

We changed the "Negotiate Client Certificate" property from "disabled" to "enabled" due to an issue with nginx (Linux proxy).
Via: netsh http add sslcert ...

Furthermore I have a VALID client certificate from our local certificate authority => therefore a self-signed certificate.

For testing I just used the Default Web Site from the IIS installation.

Process:

Tested with Google Chrome, Firefox and Internet Explorer (all latest versions). In-house WiFi, mobile network (iPad), WiFi at home, corporate LAN.

Navigating to the web site -> Browser asks me to select a client certificate -> 403.16 error from IIS.

Problem:

Of course the 403.16 (Forbidden -> invalid client certificate) is the issue, BUT the client certificate is in every way VALID.

The web server can reach the internet. It can reach the CRLs of the official CA, our Sub CA and Root CA.
The client certificate is not revoked, expired or not yet valid.

Wireshark tells me that the handshake and negotiation are successful, and I can even see encrypted Application Data packets.

I totally have no more ideas where to go from here.

Kind Regards

Mario
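An added diagnostic for the 403.16 situation described above (not part of the original post and not Mario's configuration): IIS returns 403.16 when Schannel cannot build a trusted chain for the presented client certificate, so this script rebuilds that chain on the IIS host with online CRL checking and the Client Authentication purpose, and then inspects the machine's Trusted Root store, where non-self-signed entries are a known cause of exactly this error. It assumes `$ClientCertPath` points at an exported public-key copy (.cer) of the client certificate; the path is a placeholder.

```powershell
# Added diagnostic for IIS 403.16 (client certificate untrusted or invalid).
# Run on the IIS host as an administrator. Assumption: $ClientCertPath is an
# exported .cer copy of the client certificate that the browser presents.
param(
    [string]$ClientCertPath = 'C:\temp\client.cer'   # placeholder path
)

# 1. Rebuild the chain the way Schannel does: machine stores, online CRL
#    checks for the whole chain, and the Client Authentication purpose
#    (OID 1.3.6.1.5.5.7.3.2). Every failing status is printed, so an
#    unreachable CRL, a missing root or a wrong EKU shows up by name.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ClientCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2')) | Out-Null

$trusted = $chain.Build($cert)
"Client certificate: $($cert.Subject)"
"Chain builds and is trusted: $trusted"
foreach ($s in $chain.ChainStatus)   { "  status : $($s.Status) - $($s.StatusInformation)" }
foreach ($e in $chain.ChainElements) { "  element: $($e.Certificate.Subject) <- $($e.Certificate.Issuer)" }

# 2. Microsoft's guidance is that LocalMachine\Root must hold only
#    self-signed certificates; an intermediate (e.g. a Sub CA) placed there
#    breaks chain validation and is a documented cause of 403.16.
#    The in-house Root CA that issued the client certificate must be present.
$root = Get-ChildItem Cert:\LocalMachine\Root
"Trusted Root store holds $($root.Count) certificates"
$root | Where-Object { $_.Subject -ne $_.Issuer } |
    ForEach-Object { "  NOT self-signed in Root (move to the CA store): $($_.Subject)" }
if ($chain.ChainElements.Count -gt 0) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $present = ($root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }) -ne $null
    "Top of chain '$($top.Subject)' present in LocalMachine\Root: $present"
}

# 3. Confirm that the 443 binding really has 'Negotiate Client Certificate'
#    enabled, since that property was changed with netsh for the nginx proxy.
netsh http show sslcert
```

If step 1 reports a status such as UntrustedRoot, RevocationStatusUnknown or NotValidForUsage, that status, rather than the certificate's own validity period, is what IIS is rejecting.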
