
Background:

I am updating an internal application to a two-step authentication process. I want to add a client certificate authentication process (via a smart card) on top of a traditional username/password form. The application is written in C#, hosted on IIS7, and targeting Chrome and IE8.

Problem:

I am having issues with getting the application to prompt the user for a client certificate. I have been debugging the application with the help of Fiddler. When I have a test client certificate saved in Fiddler's user directory (C:\Documents and Settings\USER\My Documents\Fiddler2), the application works as expected. I am prompted for the PIN protecting the smart card and, when it is entered correctly, it takes me to the login form. When I close Fiddler, the application throws a 403 Forbidden error instead (since Fiddler is no longer running and pointing to its certificate). What I haven't been able to figure out is why the application won't prompt for a certificate normally.

Current Server Setup:

  • Self Signed Certificate was created
  • 443 Binding is pointing at Self Signed Certificate
  • Anonymous Authentication is Enabled
  • The Self Signed Certificate was added to both the Trusted Root CA and Intermediate CA (I read that another person had it in both rather than just the Trusted Root CA and that solved their issue, though neither set up has worked for us).
  • I cleared out the rest of the certificates in the Trusted Root CA that I didn't need (I read elsewhere that having too many certificates would cause SSL to choke).

I am out of ideas to try other than starting from scratch on another server. Does anyone know what the issue might be? This seems like it should be fairly straightforward and that I'm missing something minor. Any ideas are welcome.

Update:

After spending more time with this issue today, I strongly believe it has to do with IIS7 not being configured correctly (I did not set it up originally). I think this because I enabled Failed Request Tracing, looked at the subsequent .xml files being generated, and saw that a 500 error was being thrown.

Chrome is throwing an "Access to the webpage was denied" message rather than a "403 - Forbidden: Access is denied". I don't know if this helps. I do know that when I do not make certificates required, the site will work as intended. Requiring a certificate is where it fails.

The Application Pool is set to .Net 4.0 | Classic | Network Service.

LNendza
  • Not sure I can help but have a couple of questions: 1) did you try IE or FF, too? 2) Might want to duplicate the results on another server. I've seen too many issues helped/resolved this way - it would also give you the opportunity to get nitty-gritty on how your IIS7 site is set up; 3) is there more client and/or server logging you can try to gain more insight - likely more on the IIS7 side, it seems. – Lizz Mar 01 '13 at 21:47

8 Answers

Your problem is that either the browser doesn't get the request to provide a client certificate, or there is a security-related option blocking it from happening. IE offers a certificate only if the web site is in the correct zone (Intranet or Trusted Sites). Please check this before everything else.

If that doesn't help then see this answer for next step. The netsh documentation says:

clientcertnegotiation
Optional. Specifies whether the negotiation of certificate is enabled or disabled. Default is disabled.

Enable that and even the dumbest browser should notice that it is supposed to offer a certificate for authentication. To diagnose your problem further you can use Wireshark to see the negotiation in action.

user918176
  • I can't upvote this enough. After days of troubleshooting it turns out that the customer hasn't put our site in the Trusted Zone. Thanks for explaining this and saving me several more days. – Emil Stenström Feb 19 '16 at 11:52

In every browser I've seen, the browser will not prompt you to select a certificate if it does not have any certificates signed by a CA the server trusts. So make sure your server is configured with the correct CAs. As Boklucius suggested, you can use openssl to examine the list of trusted CAs your server is sending to clients and see whether the CA you have signed your client certificates with is among them.

pimlottc

Try `openssl s_client -connect yourip:443 -prexit` and see if the CA (your self-signed cert) is sent to the client in the "Acceptable client certificate CA names" list.

You need to install OpenSSL first if you don't have it.

Boklucius
  • I am having a similar issue so I tried `openssl s_client -connect yourip:443 -prexit` and am seeing some error msg `CONNECTED(00000104) write:errno=10054 --- no peer certificate available` even though I have configured the valid SSL cert to *:443 on IIS. – OTUser Jan 21 '16 at 15:45
  • @RanPaul I know this is very late, but if you're on a Windows machine, do note that OpenSSL doesn't recognize the Windows Certificate Store. So you need to provide a `-CApath` or `-CAfile`. Either download [Mozilla's .PEM file](https://curl.haxx.se/docs/caextract.html) or create your own from the chain that's needed. Make sure to install the [latest version of OpenSSL](https://slproweb.com/products/Win32OpenSSL.html) as well. – Aske B. Feb 27 '18 at 08:47
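As an added example (not code from Boklucius's or pimlottc's answers), a small POSIX shell helper that parses the `-prexit` output of `openssl s_client` and checks whether a given CA subject appears in the "Acceptable client certificate CA names" list the server sends; the host name and CA subjects in the embedded sample output are constructed, and `acceptable_ca_names`/`server_advertises_ca` are names chosen here.

```shell
#!/bin/sh
# Added example: check whether the CA that signed your client certificate
# is one the server advertises in its TLS CertificateRequest, as shown by
# `openssl s_client -connect host:443 -prexit`.

# Print the CA names listed between the "Acceptable client certificate
# CA names" header and the next section marker. Reads s_client output on stdin.
acceptable_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^---/ || /^Client Certificate Types/) { in_list = 0 }
        in_list && NF { print }
    '
}

# Exit 0 if the given CA subject (exact line match) is advertised, 1 otherwise.
server_advertises_ca() {
    wanted="$1"
    acceptable_ca_names | grep -Fxq -- "$wanted"
}

# Constructed sample of s_client -prexit output, standing in for a live server.
# A real run would be: openssl s_client -connect yourip:443 -prexit </dev/null
SAMPLE_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = app.example.internal
   i:CN = Example Self Signed CA
---
Acceptable client certificate CA names
CN = Example Self Signed CA
CN = Example Intermediate CA, O = Example Corp
Client Certificate Types: RSA sign, ECDSA sign
---
SSL handshake has read 1234 bytes and written 456 bytes
'

# Constructed sample where the server sends no CA list (browsers then show no prompt).
SAMPLE_NO_CAS='CONNECTED(00000003)
---
No client certificate CA names sent
---
'

if printf '%s' "$SAMPLE_OUTPUT" | server_advertises_ca "CN = Example Self Signed CA"; then
    echo "server advertises the client CA: browser should prompt"
else
    echo "CA not advertised: browser will not offer a certificate"
fi
```

Pipe the output of a real `openssl s_client ... -prexit </dev/null` run into `server_advertises_ca "<your CA subject>"` to test an actual IIS binding.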

I'll throw in a "try restarting the browser" suggestion, particularly if you installed the certificate while the browser was running.

mwfearnley

To add a rather painful lesson to the mix: Make sure you quit Skype (or any other application) that eats port 443.

So the idea here is if you are running a dev environment on the same machine (both client and IIS), and your team uses Skype or some other app to communicate.

Watch the hours go by as you try and debug this problem, seemingly doing everything "right", netsh http sslcerts and such, even rebooting but to no avail. Well, turns out Skype will eat 443 so turn it off and "poof" there goes your certificate prompt.

Then feel free to throw things at the wall, shout obscenities or just "Rage, rage against the dying of the light".

rism

Also, make sure Fiddler isn't getting in the way. If you have it decrypting the SSL, it'll corrupt the message back to IE, and it doesn't have the certificate installed, so it can't offer it. Turn off Fiddler, and voila, the certificate prompt appears.

Michael Blackburn

In Firefox, if you press 'Cancel' the first time you're prompted for a certificate, and you left the sneaky 'Remember this decision' box checked, then Firefox will remember that and never offer it again.

You can view and delete your previous remembered decisions in Firefox Preferences -> Privacy & Security (about:preferences#privacy), View Certificates, and check the Authentication Decisions tab.

mwfearnley
  • Thank you so much for this information, you made a customer happy and my work easier, this helped me a lot and resolved an issue – Annemarie Rinyu Apr 27 '22 at 13:02

Just connecting to my VPN and trying showed me the certificate prompt. Needs to be done only the first time.

Safraz