SSL enabled webpage does not prompt for client certificate

Summary: We have two different Windows Server + II6 environments that are SSL enabled. Where one behaves the way we want and the other does not.

Server Configurations:

• Windows Server 2003 SP2
• IIS 6
• Pages are configured for SSL client authentication.

Details: We have a production VM that is configured to host an IIS 6 Website with a few pages requiring SSL Client Authentication to enable CAC. On this production VM the page presents the server certificate and then dies before prompting for the client certificate. In order to test the configuration of the server we created a "Hello World" page with the same configuration as these CAC pages, and we saw the same results. We then took this page and placed it on a known working VM with the same OS/IIS versions and configured the page the same way. The page behaves properly by prompting for the Client Certificate and then loading the page.

Steps we have taken to resolve this issue:

• Checked the integrity of the Certificate Path on both machines
• Diffed the IIS metabases between the two VMs to check for inconsistencies
• Created and installed a new Server Certificate on the broken VM
• Changed the option to "Require Client Certificates" instead of "Accept Client Certificates"
• Checked IIS log for errors. All accesses are coming back as 200.

We have found an option that fixes our issue, but creates new issues. There is an option to negotiate client certificates for all pages, which causes the certificate prompt to appear, but that causes every page to do this, which defeats the purpose of the SSL session.

Also important: This broken VM has been STIGged as per gov't's specification. We suspect this may be the underlying cause. However, possibility of unSTIGging is not within our control. Therefore, we have to work with our current limitations.