403.12 when using client certificate mapping

I’m trying to set up an IIS site to use client certificate mapping, but am having difficulties using many-to-one mapping on a specific issuer.

I downloaded a test certificate from this CA:

https://www.certifikat.dk/export/sites/dk.certifikat.oc/da/developer/eksempler/oces_II_eksempler/oces_II_certifikater/tu-foces-gyldig.pkcs12

And installed the corresponding CA root certificate in Trusted root certificates:

https://www.certifikat.dk/export/sites/dk.certifikat.oc/da/developer/eksempler/oces_II_eksempler/oces_II_certifikater/system_vii.cer

Finally, I set up the site to require a client certificate.

Accessing a static text file on the site in IE now works. I’m prompted for a certificate, allowed to select the installed test certificate, and granted access to the file. So the server is able to recognize and validate the certificate.

Now I want to limit access to this specific issuer, using this configuration:

<system.webServer>
  <security>
    <authentication>
      <iisClientCertificateMappingAuthentication enabled="true" defaultLogonDomain="Omitted">
        <oneToOneMappings>
          <clear />
        </oneToOneMappings>
        <manyToOneMappings>
          <clear />
          <add name="Test" description="Allow" permissionMode="Allow" userName="Omitted" password="Omitted">
            <rules>
              <add certificateField="Issuer" certificateSubField="C" matchCriteria="DK" />
              <add certificateField="Issuer" certificateSubField="O" matchCriteria="TRUST2408" />
              <add certificateField="Issuer" certificateSubField="CN" matchCriteria="TRUST2408 Systemtest VIII CA" />
            </rules>
          </add>
          <add name="Deny" description="Deny" permissionMode="Deny" userName="Omitted" password="Omitted">
            <rules></rules>
          </add>
        </manyToOneMappings>
      </iisClientCertificateMappingAuthentication>
    </authentication>
  </security>
</system.webServer>

The client certificate I use has the following Issuer field when I open it in the certificate store:

CN = TRUST2408 Systemtest VIII CA
O = TRUST2408
C = DK

Trying to access the static file with the same certificate now fails. From the IIS logs I can see that the server responds with a 403.12.

I also tried enabling failed request tracing, but the only message I got was this:

ModuleName: IISCertificateMappingAuthenticationModule
Notification: 2
HttpStatus: 403
HttpReason: Forbidden
HttpSubStatus: 12
ErrorCode: 0
ConfigExceptionInfo:
Notification: AUTHENTICATE_REQUEST
ErrorCode: The operation completed successfully. (0x0)

The strange part is that if I leave out 2 of the rules, the authentication works:

<system.webServer>
  <security>
    <authentication>
      <iisClientCertificateMappingAuthentication enabled="true" defaultLogonDomain="Omitted">
        <oneToOneMappings>
          <clear />
        </oneToOneMappings>
        <manyToOneMappings>
          <clear />
          <add name="Test" description="Allow" permissionMode="Allow" userName="Omitted" password="Omitted">
            <rules>
              <add certificateField="Issuer" certificateSubField="C" matchCriteria="DK" />
            </rules>
          </add>
          <add name="Deny" description="Deny" permissionMode="Deny" userName="Omitted" password="Omitted">
            <rules></rules>
          </add>
        </manyToOneMappings>
      </iisClientCertificateMappingAuthentication>
    </authentication>
  </security>
</system.webServer>

So my conclusion is that there must be a problem with the mapping itself?

Any ideas as to why this fails would be much appreciated.
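As an added diagnostic example (not from the post and not IIS code), this Python script takes the poster's Allow mapping and the Issuer field as the certificate store displays it, evaluates each rule of the mapping, and flags near misses such as case differences that an exact comparison rejects. It assumes that every rule inside one many-to-one mapping must match for the mapping to apply; that AND semantics is an assumption about IIS, not something the post confirms.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the forum post: the Allow mapping of the poster's configuration
# (user name and password stay as the "Omitted" placeholders used in the post).
MAPPING_CONFIG = """<system.webServer><security><authentication>
<iisClientCertificateMappingAuthentication enabled="true" defaultLogonDomain="Omitted">
<manyToOneMappings><clear /><add name="Test" permissionMode="Allow" userName="Omitted" password="Omitted"><rules>
<add certificateField="Issuer" certificateSubField="C" matchCriteria="DK" />
<add certificateField="Issuer" certificateSubField="O" matchCriteria="TRUST2408" />
<add certificateField="Issuer" certificateSubField="CN" matchCriteria="TRUST2408 Systemtest VIII CA" />
</rules></add></manyToOneMappings></iisClientCertificateMappingAuthentication>
</authentication></security></system.webServer>"""
ISSUER_DISPLAY = "CN = TRUST2408 Systemtest VIII CA\nO = TRUST2408\nC = DK"  # as the store shows it

def parse_dn(text):
    """Parse "CN = x" per line (store display) or "CN=x, O=y" into {type: [values]}; escaped commas unsupported."""
    fields = {}
    for part in re.split(r"[,\n]", text):
        if "=" in part:
            key, value = part.split("=", 1)
            fields.setdefault(key.strip().upper(), []).append(value.strip())
    return fields

def load_mappings(config_xml):
    """Return {mapping name: (permissionMode, [(field, subfield, matchCriteria), ...])}."""
    mappings = {}
    for coll in ET.fromstring(config_xml).iter("manyToOneMappings"):
        for m in coll.findall("add"):
            rules = [(r.get("certificateField"), r.get("certificateSubField"),
                      r.get("matchCriteria")) for r in m.findall("rules/add")]
            mappings[m.get("name")] = (m.get("permissionMode"), rules)
    return mappings

def check_rule(rule, cert):
    """Test one rule against {"Issuer": {...}, "Subject": {...}}; returns (matched, note), note flags a near miss."""
    field, subfield, criteria = rule
    values = cert.get(field, {}).get(subfield.upper(), [])
    if criteria in values:
        return True, ""
    if any(v.casefold() == criteria.casefold() for v in values):
        return False, "differs only in case"
    if any(" ".join(v.split()) == " ".join(criteria.split()) for v in values):
        return False, "differs only in whitespace"
    return False, "no matching %s value in %s" % (subfield, field)

def evaluate(mapping, cert):
    """All rules must match for the mapping to apply (assumed IIS semantics); returns (all_matched, [(rule, matched, note)])."""
    _mode, rules = mapping
    results = [(rule, *check_rule(rule, cert)) for rule in rules]
    return all(ok for _r, ok, _n in results), results
```

Run it against the real certificate's Issuer and Subject strings copied from the store; any rule reported as a near miss or as absent is the one to compare character by character with the matchCriteria in applicationHost.config.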
