IIS 7.5 and HTTP 403.7 error with local and self-generated certificates

Tags: http-status-code-403, iis-7.5, ssl-certificate, windows 7

I need your help with an IIS configuration issue.

My computer is running Windows 7 Pro edition and IIS version is 7.5. The server, and the issue, is local only.

I have an ASP.NET 2.0 website with a strongly secured folder. In this folder there is a page doing authentication with a physical electronic certificate.

I should point out that I cannot modify the web.config file of the project, as it is shared with several machines and different systems (but I am the first with Windows 7).

What I did:

  1. First I had to generate a self-signed certificate for my localhost server.
  2. Then I activated the SSL encryption for the secured folder of my website
  3. I also checked the "accept client certificate" option

When I access this folder, I get a nice HTTP 403.7 – Forbidden error.

I know that it means my client (web-browser) is not sending a certificate to the server, or the server cannot validate the client certificate.

But my server and client are localhost, so they should share the same root certificates and revocation lists, shouldn't they?

I already updated all the revocation lists and root certificates, and I exported the server-generated certificate to add it to my local store.

I am running out of ideas. What did I miss? I was thinking of a user permission issue, but I cannot figure out how to check that.

Thanks for your help.

EDIT: here's a complete picture of the error (in French, sorry, but there's not much information)
http://uppix.net/4/9/d/3bcff253cfceb0b297fbb63205709.png

I don't have enough reputation to display this image in my post…

Best Answer

IIS and browsers are both really finicky about certificates, because they expect CA-backed certificates. When using self-signed certificates, you run into all kinds of errors like this.

If you don't mind my asking, what is the purpose of client-side certificate authentication in this scenario?

Also, the bottom portion of the IIS screenshot is slightly more useful than the top. When you provide yours, please take a shot of the entire browser window (or multiple shots if necessary).

In short, for testing these kinds of solutions internally, it's best to have a Certificate Authority running inside your organization.

If it is not possible for you to create this kind of infrastructure, take a look at this site:

http://www.istartedsomething.com/20091010/microsoft-free-root-certificate-authority-windows/

It shows that W7 by default now trusts certificates generated by StartSSL. If you jump through a couple of hoops, you can actually generate trusted SSL certificates from them at little or no cost.

http://www.startssl.com/?app=0

I look forward to the screenshot and to further helping you!
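
The question names two possible causes for the 403.7: the client sends no certificate, or the server cannot validate the one it receives. The PowerShell sketch below is an added example, not part of the original question or answer. For each certificate in the current user's Personal store it reports whether the certificate can be presented and whether its chain validates. It builds the chain in machine context on the assumption that this is closer to what the web server evaluates than the per-user stores.

```powershell
# Added diagnostic example; not from the original thread.
# Checks each certificate in the current user's Personal store for the
# properties a client certificate needs, then validates its chain.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # A certificate with no EKU extension is valid for all purposes.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $clientAuthOk = $true
    if ($eku) {
        $matching = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        $clientAuthOk = $matching.Count -gt 0
    }

    # $true = use the machine context (assumption: closer to the server's view
    # of trusted roots and revocation data than the per-user context).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk  = $chain.Build($cert)
    $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    $now = Get-Date
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey      # required to authenticate
        ClientAuthEku = $clientAuthOk
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ChainValid    = $chainOk
        ChainProblems = $problems                # e.g. UntrustedRoot, RevocationStatusUnknown
    }
} | Format-List Subject, Issuer, HasPrivateKey, ClientAuthEku, InValidity, ChainValid, ChainProblems
```

A certificate that shows `ChainValid : False` with `UntrustedRoot` or `RevocationStatusUnknown` fits the "server cannot validate" case; one with `HasPrivateKey : False` or `ClientAuthEku : False` fits the "client is not sending a certificate" case.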