We have an IIS 7 hosted site that requires client certificates (two-way ssl). Unfortunately, I don't have access to the trusted certificate store on the host machines, and so I was forced to write a custom http module to verify the certificates. My module never gets a chance to do the authentication, however, because IIS doesn't recognize the certificates and responds with a 403.7 error. How do I turn off client certificate validation, while still requiring clients to provide them?
Iis – Disable integrated client certificate validation in IIS7
certificateiisiis-7ssl-certificate
Related Topic
- What causes automatic install of trusted root certificate authorities into local machine’s certificate store
- Ssl – Setup IIS to require client certificate and to use anonymous authentication
- Client Certificates not working with IIS7
- Iis – Configuring IIS ARR for backend client certificate authentication
- Ssl – Client certificate authentication with no access to private keys
Best Answer
If you don't have access to the cert store, does that mean that you don't have admin access to IIS either?
If you do happen to have admin access, can you move your module up in the priority order? The order that the modules run is important.