There are many very interesting articles and forum topics about the proper way to configure IIS for Client Certificate Mapping (oneToOne or manyToOne). None of them helps me troubleshoot my very own 403.7.
Legend: a simple Razor Pages site is deployed to IIS. This IIS is not a production server; it is rather a sandbox, so only one site is hosted (backed by one application pool). I have added bindings to it: HTTP on 80, checked and it worked; then HTTPS on 443. For testing I've created a CA-Root and 2 self-signed certificates signed with the previous CA. The CA-Root certificate was placed in the LM/Trusted store on both sides (client and server). The self-signed certificate for client authentication (1.3.6.1.5.5.7.3.2) was stored in the LM/Personal store on the client PC, and the self-signed certificate for server authentication (1.3.6.1.5.5.7.3.1) was placed in the LM/Personal store on the server. The server certificate was properly bound to 443 within IIS. Anonymous authentication for this site is ON. MMC shows both certificates on server and client as trustworthy, with PK.
A registry fix for emitting certificates to the client is applied: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList=1. I'm not sure about this, but at least after this fix both browsers (Chrome and Edge) start to ask for a client certificate at connection initialisation.
IIS management console:
SSL-Settings: Required.
Client Certificate:
Test Iteration 1: Ignore (x), Accept ( ), Require ( ): everything works fine, but no client mapping is triggered.
Test Iteration 2: Ignore ( ), Accept (x), Require ( ): everything works fine, but no client mapping is triggered.
Test Iteration 3: Ignore ( ), Accept ( ), Require (x): error 403.7.
At this point the error is very understandable, because no mapping had been created. So I made some changes to system.webServer/security/authentication/iisClientCertificateMappingAuthentication, pulled a certificate blob and stored it with user credentials in oneToOneMapping. The blob is right; I checked it many times manually. (It is a pity that IIS does not offer any validation/monitoring utility for client certificates, neither in oneToOneMapping nor in manyToOneCertificateMapping.) oneToOneMappingEnabled = true;
Still 403.7 from any browser outside of this server. The server log has nothing particularly useful, just plain old 403.7.
I'm running out of ideas on how to troubleshoot this.
Thank you in advance for any hints, and please forgive my weak English.
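The post asks for a way to validate what IIS actually holds for the one-to-one mapping, since the MMC gives no feedback. The following diagnostic script is an added example, not code from the poster or from Microsoft; it reads back the mapping configuration on the server with the WebAdministration module and compares the stored blob against the exported client certificate. The site name, certificate file path and account name are placeholders (assumptions) to be replaced; the schema attribute names used here (`oneToOneCertificateMappingsEnabled` and friends) are the ones from the IIS configuration schema rather than the spelling in the post.

```powershell
# Added diagnostic script (not part of the original post). Run in an elevated
# PowerShell on the IIS server. Placeholders marked below are assumptions.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'        # placeholder: the site carrying the 443 binding
$ClientCer  = 'C:\temp\client-auth.cer' # placeholder: exported client certificate (.cer)
$MappedUser = 'iis-cert-user'           # placeholder: local account used in the mapping
$AppHost    = 'MACHINE/WEBROOT/APPHOST'
$AuthFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

function Get-AttrValue {
    # Get-WebConfigurationProperty returns either a bare value or a ConfigurationAttribute
    # with a .Value member; normalise both shapes so the report prints the raw value.
    param([string]$Filter, [string]$Name)
    $v = Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

function Get-IisCertBlob {
    # IIS stores the mapping certificate as the Base64 of the DER bytes, without PEM
    # headers or line breaks; RawData gives exactly those bytes.
    param([string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    return [pscustomobject]@{
        Certificate = $cert
        Thumbprint  = $cert.Thumbprint
        Blob        = [Convert]::ToBase64String($cert.RawData)
    }
}

function Normalize-Blob {
    # Strip PEM armour and whitespace so a certutil -encode export compares equal to RawData Base64.
    param([string]$Text)
    return (($Text -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', '')
}

function Test-ChainOnServer {
    # The server must be able to build the client cert's chain to a trusted root it holds.
    # Revocation checking is switched off here to isolate trust problems from CRL problems.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    return [pscustomobject]@{ Builds = $ok; Status = $status }
}

# 1. The Windows feature must be installed, otherwise the section is ignored entirely.
$feature = Get-WindowsOptionalFeature -Online -FeatureName IIS-ClientCertificateMappingAuthentication
"IIS-ClientCertificateMappingAuthentication feature: $($feature.State)"

# 2. SSL flags on the site: 'Ssl,SslRequireCert' corresponds to Require in the MMC dialog.
"sslFlags: $(Get-AttrValue -Filter 'system.webServer/security/access' -Name 'sslFlags')"

# 3. Section-level switches as IIS sees them.
foreach ($attr in 'enabled', 'oneToOneCertificateMappingsEnabled',
                  'manyToOneCertificateMappingsEnabled', 'logonMethod', 'defaultLogonDomain') {
    "{0}: {1}" -f $attr, (Get-AttrValue -Filter $AuthFilter -Name $attr)
}

# 4. Every stored one-to-one mapping, with its blob compared against the exported .cer file.
$expected = Get-IisCertBlob -Path $ClientCer
"Client cert thumbprint from file: $($expected.Thumbprint)"
$mappings = Get-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter "$AuthFilter/oneToOneMappings/add"
if (-not $mappings) { "No oneToOneMappings/add entries found for $SiteName" }
foreach ($m in $mappings) {
    $match = (Normalize-Blob $m.certificate) -eq $expected.Blob
    "mapping user={0} enabled={1} blobMatchesFile={2}" -f $m.userName, $m.enabled, $match
}

# 5. Does the server trust the client certificate's issuer chain?
$chainResult = Test-ChainOnServer -Cert $expected.Certificate
"Chain builds on server: $($chainResult.Builds) status=[$($chainResult.Status)]"

# 6. Are the stored account credentials actually valid on this machine?
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$secure = Read-Host -Prompt "Password stored in the mapping for $MappedUser" -AsSecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$ctx    = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
              [System.DirectoryServices.AccountManagement.ContextType]::Machine)
"Credentials valid for $MappedUser on this machine: $($ctx.ValidateCredentials($MappedUser, $plain))"

# 7. The SCHANNEL switch mentioned in the post, read back from the registry.
$sch = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' `
                        -Name SendTrustedIssuerList -ErrorAction SilentlyContinue
"SendTrustedIssuerList: $($sch.SendTrustedIssuerList)"
```

Each line of the report is one independent precondition for the mapping to fire: the feature present, `SslRequireCert` on the site, the section switches on, a mapping entry whose blob is byte-for-byte the DER Base64 of the presented certificate, a chain the server can build, and an account it can log on. A `blobMatchesFile=False` with a visually identical blob usually means a PEM header or line break survived the paste, which is why `Normalize-Blob` strips those before comparing.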