Re: IIS not recognising client certificates



I tried to report this issue to Microsoft a few weeks ago. They told me I
could pay for a support call and if the technician decided it was truly an
IIS bug they would refund my money. I thought that was nuts and instead
posted it to the IIS general discussion group. Getting no hits since
February 1 I've now posted a bug report to this group as well.

"gsimpson" <gsimpson@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5611EF09-AECA-4A30-9CD9-1ABC1066F79D@xxxxxxxxxxxxxxxx
I've managed to fix this issue. It seems that the list of Trusted Root CA
Certs in WS2k3 is now too large for IE (including v7) to handle. Clearing
out
some of the ones we'll never use miraculously brought my server back to
life.

My worry now is what happens when the next Root CA update comes from
MS...?
Looks like we'll be adopting a 'no Root CA updates' policy going forward!

Great resource though, this newsgroup, and thanks in particular to
'Steven'
who posted in the inetserver.iis group on this issue (look for Certificate
Trust List). It was his post which helped after 10days or so of tearing my
hair out. Cheers!

"gsimpson" wrote:

I'm having a really wierd problem with client certificates on IIS. I
can't
see what might have changed, other than I applied a couple of MSXML
patches
to the box, but overnight, one of my webservers has stopped recognising
client certificates from our CA. Stopped as in this worked fine one day
and
not the next, so I know something must have changed somehow...

I've checked and re-checked everything I can think of: the CA's Root
certificate is installed in the Local Computer>Trusted Root Certification
Authorities store, I've created a CTL containing the CA's Root, and the
target virtual directories are configured to use SSL, 128-bit encryption
and
'require' client certificates - but the certificate list shown at client
browsers is empty...

I'm going quietly cuckoo trying to fix this one, so I really hope someone
can help!


.



Relevant Pages

  • Re: Acceptability Of Self-Sign SSL And Client Certificates
    ... They have no need of our root certificate. ... Client certificates would be issued using a manual process and not ... No more than what prevents you from doing the same to Microsoft, Verisign, ...
    (microsoft.public.security)
  • Re: Client Authentication in IE
    ... I have setup Microsoft Certificate Server on Windows 2000 server. ... server that is tied up with the root CA. ... >> have to do to make the client certificates come up in the list so that I ...
    (microsoft.public.security)
  • Re: Signtool doesnt add entire chain when signing files
    ... you only need to ensure that the intermediate certificates are included in the signature so that the client can build a chain to the root. ... The root needs to be installed as a trusted root certificate on the client in order for the client to trust the certificate. ... Given that you don't have any intermediate certificates, it doesn't matter or not whether they are included in the signature so it should not matter if there is any difference between the wizard mode and the command line tool mode. ...
    (microsoft.public.platformsdk.security)
  • Error
    ... I have your WS 2008 PKI and Certificate Security book. ... These surfaced when trying to publish my root ... CertUtil: A referral was returned from the server. ...
    (microsoft.public.security)
  • Certutil error
    ... After I ran cmd as an administrator it published the CRL and CRT file in the AD without error. ... I have your WS 2008 PKI and Certificate Security book. ... These surfaced when trying to publish my root ... CertUtil: A referral was returned from the server. ...
    (microsoft.public.security)