Re: Getting 403 Forbidden error. Client Cert didn't sent



Hi there,

I believe the CA is trusted on both client and server.

To be 100% sure, the following is how I set up the certificate:

Server side
-------------
1) Purchased an official SSL Web Server certificate issued by Thawte Premium
Server CA.
2) Installed the SSL Web Server certificate on a backup server, which has
BizTalk on it.
3) Tested the certificate by posting a document to an external web site (https
posting) through a BizTalk channel by attaching the SSL Web Server
certificate. It passed the test, so I am 100% sure the certificate is
installed correctly.
4) Exported the SSL Web Server certificate without a private key. (I tried
with the private key before. I don’t see any difference. Just to make it simple,
without a private key.)

Client side
-------------
1) Go to an XP client machine | MMC | Certificate and install the exported
certificate into Certificate (Local Computer) | Personal | Certificate.
2) Double-click on the certificate and it shows: This certificate is
intended for the following purpose(s): Ensures the identity of a remote
computer. Proves your identity to a remote computer. All other information
is correct, including the expiration date.
3) Go to Certificate (Local Computer) | Trusted Root Certification
Authorities | Certificates. Select Thawte Premium Server CA. Right-click,
select Properties and go to the General tab.
4) Check the Client Authentication check box.
5) Go back to Certificate (Local Computer) | Personal | Certificate.
Select the installed certificate. Right-click, select Properties and go to the
General tab.
6) Verified that both the Server Authentication and Client Authentication check
boxes are checked.
7) Bring up IE and try to hit the same external web site as described in
Server Side Step 3) above. (I don’t have BizTalk installed on my client
machine.) A “Choose a digital certificate” window pops up, but no
certificate is available in the list. I click OK and get a 403 error.
8) Run the sample application that I posted in my first message. I got a 403
error there too.

I just don’t know where I messed up in the setup process. I followed all standard
procedures but … Could you please help me again?

Thanks a lot.

Abel


"Dominick Baier [DevelopMentor]" wrote:

> Hello Abel,
>
> is the CA trusted on both client and server?
>
>
> ---------------------------------------
> Dominick Baier - DevelopMentor
> http://www.leastprivilege.com
>
> > Hi Dominick,
> >
> > Thanks for your prompt response. I really appreciate it.
> >
> > I took the suggestion stated at
> > http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
> >
> > and enabled the Client Authentication under Thawte Premium Server CA.
> > Now if I look at the official Thawte client cert property, I can see
> > both Server and Client Authentication are checked.
> >
> > However, I am still getting the same 403 error when I ran the code.
> > If I bring up my IE, I still can't see my client cert as an available
> > option. Did I miss a step?
> >
> > Thanks.
> >
> > Abel
> >
> > "Dominick Baier [DevelopMentor]" wrote:
> >
> >> Hello Abel,
> >>
> >> maybe this helps:
> >> http://www.leastprivilege.com/IIS6AndClientCertificates.aspx
> >> ---------------------------------------
> >> Dominick Baier - DevelopMentor
> >> http://www.leastprivilege.com
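An added diagnostic for threads like this one (it is not code from the thread or from the poster's sample application): it walks the Local Computer Personal store on the client and reports, for each certificate, the properties a TLS stack requires before it will offer that certificate in the "Choose a digital certificate" prompt: an associated private key, an Enhanced Key Usage that permits Client Authentication (or no EKU at all), current validity, and a chain that builds to a trusted root for that purpose. The store path and OIDs are the standard ones; the function name is an assumption of mine.

```powershell
# Added diagnostic, not from the thread. Lists every certificate in the
# Local Computer Personal store and explains why each one would, or would
# not, be offered as a TLS client certificate.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $problems = @()

    # 1) Without the private key the client cannot sign the handshake's
    #    CertificateVerify message, so the certificate is never offered.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in store' }

    # 2) If an EKU extension is present it must list Client Authentication.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) {
        $problems += 'EKU does not include Client Authentication'
    }

    # 3) The certificate must be inside its validity window right now.
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'outside validity period' }

    # 4) The chain must build to a trusted root when evaluated for the
    #    client-authentication application policy.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ClientAuthOid)) | Out-Null
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain does not build: $status"
    }

    New-Object PSObject -Property @{
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Run against the store the poster used: Certificates (Local Computer) | Personal.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ClientAuthCertificate $_ } |
    Format-Table Subject, Usable, Problems -AutoSize
```

A certificate exported without its private key and imported into this store will show up with Usable = False and "no private key in store" as its first problem, which is exactly the condition under which the browser's certificate picker stays empty.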
