IIS Client certificate not working. Returns 403 error -


i'm trying setup iis 8 (windows server 2012) accept client certificates secured webapi endpoint. following this post created self signed certificate , client certificate:

makecert.exe -r -n "cn=mycompany" -pe -sv mycompany.pvk -a sha1 -len 2048 -cy authority mycompany.cer  makecert.exe -iv mycompany.pvk -ic mycompany.cer -n "cn=my client" -pe -sv myclient.pvk -a sha1 -len 2048 -sky exchange myclient.cer -eku 1.3.6.1.5.5.7.3.2  pvk2pfx.exe -pvk myclient.pvk -spc myclient.cer -pfx myclient.pfx -po the_password

i installed root certificate mycompany.cer on iis server, on iis manager/ssl settings selected "accept" radio button allow website accept client certificates.

on client side have c# test console app loads client cert myclient.pfx file , calls webapi endpoint:

var certhandler = new webrequesthandler(); certhandler.clientcertificateoptions = clientcertificateoption.manual; certhandler.useproxy = false; var certificate = new x509certificate2(file.readallbytes(@"c:\myclient.pfx"), "the_password"); certhandler.clientcertificates.add(certificate); var client = new httpclient(certhandler); var result = client.getasync("https://myserver/api/myendpoint").result; string resultstr = result.content.readasstringasync().result; console.writeline(resultstr);

i'm getting 403 error:

403 - forbidden: access denied. not have permission view directory or page using credentials supplied.

i tried same setup on local iis (windows 7): imported mycompany.cer file, setup ssl in iis. time works fine , webapi endpoint can see client certificate no problem.

any ideas?

-- update 1

i enabled failed request tracing on iis , this:

<failedrequest url="https://myserver:443/"            siteid="35"            apppoolid="certtest"            processid="7248"            verb="get"            authenticationtype="not_available"               activityid="{00000000-0000-0000-b0aa-0280000000e0}"            failurereason="status_code"            statuscode="403.16"            triggerstatuscode="403.16"            timetaken="0"            xmlns:freb="http://schemas.microsoft.com/win/2006/06/iis/freb"            >

if understand right error 403.16. understand happens when certificate on server not imported trusted root certification authorities under local computer. double checked , that's not case.

check that

  • on iis machine have installed server's cert issuer certificate trusted root certification authorities under local computer
  • on iis machine have installed client's cert issuer certificate trusted root certification authorities under local computer
  • on client machine have installed server's cert issuer certificate trusted root certification authorities under windows user runs console app
  • on client machine have installed client's cert issuer certificate trusted root certification authorities under windows user runs console app. or can make sure include necessary certificate's chain pfx file
  • in code use x509certificate2's ctor version x509keystorageflags.userkeyset explicitly.

if won't help,

  1. try open url in ie (under same windows user account runs console app).
  2. open *.cer files double click on client machine under windows user account runs console app , see windows says validity.
  3. change iis ssl settings ignore client certificate see if it's server certificate. try both browser , console app.

Comments

Post a Comment

Popular posts from this blog

commonjs - How to write a typescript definition file for a node module that exports a function? -

consider, toml node module can use: // toml.d.ts declare module toml { export function parse(value:string):any; } declare module "toml" { export = toml; } then: /// <reference path="../../../../../defs/toml/toml.d.ts"/> import toml = require('toml'); toml.parse(...); however, node module export single function, such 'glob' ( https://github.com/isaacs/node-glob ). the node usage of module be: var glob = require("glob") glob("*.js", {}, callback(err, files) { ... }); you'd naively expect this: // glob.d.ts declare function globs(paths:string, options:any, callback:{(err:any, files:string[]):void; ...but because typescripts 'import' semantics bit strange, seems can use 'import .. = require()' statement alias modules . trying call: /// <reference path="../../../../../defs/glob/glob.d.ts"/> import blog = require('glob'); results in: error ts2072: mod...
Read more

openid - Okta: Failed to get authorization code through API call -

i'm integrating okta own idp server using okta's api. i'm implementing authorization code flow following steps below: in own server, use /api/v1/authn endpoint sessiontoken. use sessiontoken obtain authorization calling endpoint: /oauth2/v1/authorize?client_id=" + clientid + "&sessiontoken=" + sessiontoken + "&response_type=code&response_mode=query&scope=openid&redirect_uri=" + redirecturl + "&state=evanyang&nonce=" it's supposed return response status code 302 , location header containing redirect url code value. however, keep getting response status code 200 , without location header, html body saying "you using unsupported browser." , "javascript disabled on browser." according api documentation: http://developer.okta.com/docs/api/resources/oidc.html#authentication-request , sessiontoken parameter sufficient this: an okta one-time sessiontoken. allows api-based ...
Read more

ios - Change Storyboard View using Seague -

i have following code checks connection server, , depending on want change views if no connection found. nsstring *connect = [nsstring stringwithcontentsofurl:[nsurl urlwithstring:@"http://myserver.com"] encoding:nsutf8stringencoding error:nil]; if (connect == null) { [self performseguewithidentifier:@"network_failure" sender:self]; } else { // other code here } my problem not change views. have added storyboard segue between 2 views identifier of network_failure . not have navigation controller or that, problem? thanks help! no not problem. first of all, in objectivec exists nil object oriented null . must use that. so: if(connect == nil) or better: if(!connect) so due fact nil not same of null , probably code does't enter in if scope . you have been able discover breakpoint. anyway: be sure set trigger segue (line) 2 view controller , , name network_failure (that not best name. should instead view1toview2 ) as, m...
Read more