Hi all
I'm having an issue with one-to-one certificate mappings which I have seen other threads discuss with a similar issue to mine; however, the answers they have provided don't seem to be working for me. Whenever I try to browse to the web service I get a 403 error.
Here is what I have:
- An internal web service which is protected by an IIS web server in the DMZ which is not joined to the corporate domain. From this point on I will be referring only to this web server in the DMZ, as I know the internal server is working fine.
- The web server in the DMZ is configured with a public URL and has a publicly trusted cert installed and configured within a binding to https on port 443.
- The SSL Settings on the site are set to "Require SSL -> Require"
- From the internal root CA I have issued a certificate for my PC (client cert where the name of the cert is just my PC name). The client cert was requested as "Microsoft Enhanced Cryptographic Provider v1.0" with a 1024 key length. Both the web server and PC have the internal CA root certificate installed in the "Local computer" personal store
- I have installed the client certificate into the personal store of both "Local computer" as well as "current user" on my PC
- On the web server -> (web site) -> Configuration editor, onetoOneCertificateMappingEnabled is set to True. I then configured the client certificate details in the onetoonemappings section.
- The username and password are for a locally defined account on the web server. For testing purposes this account has been given admin privileges over the server.
- the certificate is the contents of the client certificate when exported to a .der file (without the starting and ending "------")
- On my workstation browser I have set "Don't prompt for client certificate selection when only one certificate exists" to Disabled. I have done this for Trusted sites, to which I have added the external URL.
Now when I try to browse to the URL I get a message saying "The website declined to show this webpage", "This website requires you to log in" after a bit of a delay. The only way I can seem to get it to work is if I set the SSL settings to "Accept" within the web site, in which case the web service XML content shows absolutely fine. This however is no good, as I need to ensure that users connecting to the site have a certificate issued from the internal CA just to them.
I have tried the steps outlined in the following, however they do not seem to have helped.
http://support.microsoft.com/kb/332077/en-us
The IIS logs are showing the following:
2014-05-05 08:03:23 159.x.x.x GET /services/DolaToAgentWS/DolaToAgentWS WSDL 443 - 10.0.0.1 HTTP/1.1 Mozilla/5.0+(compatible;+MSIE+10.0;+Windows+NT+6.1;+WOW64;+Trident/6.0) - 403 7 5 165 15
(I have changed the IP details above for security)
Is anyone able to provide some help on this one?
Cheers
Brady
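The configuration described in the post, written out as a PowerShell script for the IIS server. This is an added example, not code from the original post or from Microsoft; the site name, the path to the exported client certificate and the mapped account name are assumptions, and the `enabled` / `oneToOneCertificateMappingsEnabled` / `oneToOneMappings` names are the real attributes of the `iisClientCertificateMappingAuthentication` section. Before touching IIS it runs the two checks a practitioner would want first: whether the server itself can chain the client certificate to a CA it trusts, and whether the certificate carries the Client Authentication EKU.

```powershell
# Added example, not from the original post: configure IIS one-to-one client
# certificate mapping from PowerShell and check the trust pieces the post lists.
# Assumed values (not from the post): site name, cert file path, account name.
# Run in an elevated prompt on the IIS server. Requires the "IIS Client
# Certificate Mapping Authentication" role service and the WebAdministration module.
Import-Module WebAdministration

$siteName   = 'Default Web Site'       # assumption: the site carrying the 443 binding
$certPath   = 'C:\certs\client.cer'    # assumption: exported public half of the client cert
$mappedUser = '<LOCAL-ACCOUNT>'        # placeholder: local account the cert maps to
$mappedPass = Read-Host 'Password for the mapped account'

# Load the client certificate. The constructor accepts DER or Base64 (.cer) files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath

# The mapping's 'certificate' attribute is the Base64 of the DER bytes on one
# line: no BEGIN/END CERTIFICATE lines and no line breaks.
$base64 = [Convert]::ToBase64String($cert.GetRawCertData())

# Check 1: the server must be able to chain the client cert to a CA it trusts
# (issuing CA in LocalMachine\Root, or an intermediate that chains to one).
# A certificate the server cannot chain is rejected before any mapping is consulted.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    Write-Warning 'This server cannot build a trust chain for the client certificate:'
    $chain.ChainStatus | ForEach-Object { Write-Warning ('  {0}: {1}' -f $_.Status, $_.StatusInformation) }
}

# Check 2: if the cert has an Extended Key Usage extension (2.5.29.37) it must
# include Client Authentication (1.3.6.1.5.5.7.3.2), or browsers will not offer it.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })) {
    Write-Warning 'Certificate has an EKU extension without Client Authentication (1.3.6.1.5.5.7.3.2).'
}

$appHost    = 'MACHINE/WEBROOT/APPHOST'
$authFilter = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'

# Both authentication sections are locked at server level by default; unlock
# them so the site-level settings below are honoured instead of silently ignored.
foreach ($f in $authFilter, $anonFilter) {
    Set-WebConfiguration -PSPath $appHost -Filter $f -Metadata overrideMode -Value Allow
}

# TLS layer: require SSL and require a client certificate (the UI's "Require").
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# Mapping module: 'enabled' is a separate switch from oneToOneCertificateMappingsEnabled;
# both must be true. Many-to-one is switched off so only explicit mappings match.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $authFilter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $authFilter -Name oneToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $authFilter -Name manyToOneCertificateMappingsEnabled -Value $false

# Anonymous authentication off, so the mapped account becomes the request identity.
Set-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $anonFilter -Name enabled -Value $false

# Replace any existing mapping for this certificate, then add the new one.
$mapFilter = "$authFilter/oneToOneMappings"
Clear-WebConfiguration -PSPath $appHost -Location $siteName `
    -Filter "$mapFilter/add[@certificate='$base64']" -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $appHost -Location $siteName -Filter $mapFilter -Name '.' `
    -Value @{ enabled = $true; userName = $mappedUser; password = $mappedPass; certificate = $base64 }

# Show the resulting mapping(s); the password attribute is not displayed.
Get-WebConfiguration -PSPath $appHost -Location $siteName -Filter "$mapFilter/add" |
    Select-Object enabled, userName, @{ n = 'certificate'; e = { $_.certificate.Substring(0, 20) + '...' } }
```

Two points worth knowing when reading the result. IIS writes the `password` attribute to applicationHost.config encrypted with its configuration provider rather than in clear text, so the value you type is not recoverable by reading the file. And in a W3C-format IIS log the field after `sc-status` is `sc-substatus`, so a `403 7` entry is the 403.7 "Client certificate required" response: the TLS session completed but the server did not receive a client certificate it accepts. When "Accept" works and "Require" does not, the server-side chain check at the top of the script is the place to start, since it runs with the same trust stores IIS uses.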