IIS 7 Error “A specified logon session does not exist. It may already have been terminated.” when using https

asp.netclient-certificatesiisssl

I am trying to create Client Certificates Authentication for my asp.net Website.

In order to create client certificates, I need to create a Certificate Authority first:

makecert.exe -r -n “CN=My Personal CA” -pe -sv MyPersonalCA.pvk -a
sha1 -len 2048 -b 01/01/2013 -e 01/01/2023 -cy authority
MyPersonalCA.cer

Then, I have to import it to IIS 7, but since it accepts the .pfx format, i convert it first

pvk2pfx.exe -pvk MyPersonalCA.pvk -spc MyPersonalCA.cer -pfx MyPersonalCA.pfx

After importing MyPersonalCA.pfx, I try to add the https site binding to my Web Site and choose the above as SSL Certificate, but I get the following error:

enter image description here

Any suggestions?

Best Answer

I ran across this same issue, but fixed it a different way. I believe the account I was using changed from the time I initially attempted to set up the certificate to the time where I returned to finish the work, thus creating the issue. What the issue is, I don't know, but I suspect it has to do with some sort of hash from the current user and that is inconsistent in some scenarios as the user is modified or recreated, etc.

To fix it, I ripped out of both IIS and the Certificates snap-in (for Current User and Local Computer) all references of the certificate in question:

IIS certificates

mmc.exe --> add/remove snap-ins, choose certificates then local computer or current user

Next, I imported the *.pfx file into the certs snap-in in MMC, placing it in the Local Computer\Personal node:

Right-click the Certificates node under Personal (under Local Computer as the root)
All Tasks -> Import
Go through the Wizard to import your *.pfx

From that point, I was able to return to IIS and find it in the Server Certificates. Finally, I went to my site, edited the bindings and selected the correct certificate. It worked because the user was consistent throughout the process.

To the point mentioned in another answer, you shouldn't have to resort to marking it as exportable as that's a major security issue. You're effectively allowing anyone who can get to the box with a similar set of permissions to take your cert with them and import it anywhere else. Obviously that's not optimal.

Related Solutions

Make IIS require SSL client certificate during initial handshake

Here's how I did this, on IIS 7.5:

Run the following in an admin command prompt: netsh http show sslcert

Save the output in a text file. Will look something like this:

IP:port                 : 0.0.0.0:443
Certificate Hash        : [a hash value]
Application ID          : {[a GUID]}
Certificate Store Name  : MY
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check    : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout   : 0
Ctl Identifier          : (null)
Ctl Store Name          : (null)
DS Mapper Usage    : Disabled
Negotiate Client Certificate    : Disabled

Create a batch file using that info:

netsh http show sslcert
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=[your cert hash from above] appid={[your GUID from above]} certstorename=MY verifyclientcertrevocation=enable VerifyRevocationWithCachedClientCertOnly=disable UsageCheck=Enable clientcertnegotiation=enable
netsh http show sslcert

(Yes, you have to delete and re-add; you can't just alter clientcertnegotiation in-place. That's why it's important to save the hash and GUID, so it knows what to re-add.)

Run that batch file, check for any errors, done.

Keep in mind that this setting is applied per-certificate, not per-server. So if you use multiple certs, or change/update your cert, you will have to do this again.

Cannot use self issued client certificate

To use client certificate authentication you need both:

server certificate (your testclient.pfx that you've added to IIS Server Certificates)
client certificate (available to browser) - you missed that point.

Server certificate provides secure SSL connection. To make server trusted to browsers you've added DevCA (that was used to sign testclient certificate for your server). If you configure your IIS to ignore client certificates then you've got ordinary secure communication scenario - connection is secured, but client isn't authenticated (no prompt for user certificate in browser).

Next step - ensure setting your IIS to accept client certificates. Browser will prompt user to choose certificate if it's available but will allow user to cancel request of certificate and continue browsing - that is your case. Request.ClientCertificate is empty.

To authenticate client (user) with certificate you should issue a separate certificate (one certificate per user). You can use same DevCA to sign new client certificate (see this article).

makecert -sk MyKeyName1 -iv DevCA.pvk -n "CN=Client1AuthCert" -ic DevCA.cer -sr currentuser -ss my -sky signature -pe

User installs that certificate on his/her computer to Personal Certification Store and also installs Issuer Cert (DevCA) to trusted root certificate authorities. When user opens browser with your web app, certificate prompt will be shown:

user certificate prompt

When user chooses certificate, it will be available in Request.ClientCertificate property on a server. User certificate is used as a credential in this case (instead of user/password, etc).

If you don't want user access your web app without having client certificate at all, you can set SSL settings to require client certificate.

Best Answer

Related Solutions

Make IIS require SSL client certificate during initial handshake

Cannot use self issued client certificate

Related Topic