Certification dialog once again
From: Arek Lichwa (arek_lichwa_at_yahoo.com)
Date: 06/28/03
Date: Sat, 28 Jun 2003 13:06:39 +0200
"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:O#LNZWKPDHA.3016@TK2MSFTNGP10.phx.gbl...
> have you configured the IIS server mapping?
> David B. Cross [MS]
If you mean >>enable client certificate mapping<< - the answer is no. What
can the option change?
I guess it is important when a user is logging on to the server; in my case the
user application is making an anonymous connection to port 443 with its own
certificate signed by Thawte,
and
1) when the setting "ignore client cert" is on, the server application (cgi)
checks the request but the cert data is empty (checked in the cgi script),
2) when the setting "accept client cert" is on, the client gets http403.16 /no
valid or untrusted cert/, so here the www server is blocking the request, with no
possibility to pass request data to the cgi application,
3) when "require client cert" is on (this "require secure channel" option
ON) - the same situation as in point 2)
I've cleared the whole root cert CA repository, intermediate certs and all the
rest, and imported/installed only ThawteServer CA, Certum CA (Polish CA),
but no positive results, the same answer from IIS = http403.
The warning (I mean: the server certificate for instance '72' does not chain
up to a trusted root certificate) is now history.
It would be nice to have the possibility to get more debug information or what
happens during the connection/request from the client application.
Is there any possibility to set up a secure channel in the described situation? How
to arrange the coworking dialog?
btw, sorry for my English (-:
with kind regards Arek
>
> "Arek Lichwa" <arek_lichwa@yahoo.com> wrote in message
> news:uWy9VZJPDHA.3236@TK2MSFTNGP10.phx.gbl...
> > I've resolved the problem with the warning;
> > using the mmc snap-in for certificates I moved the appropriate cert to
> > trusted root certification authorities,
> > but now nothing happens in the event log and the server is still showing
> > http403.16 for the client. The client cert (issued by thawte for
> > post.polcard.com.pl with valid to: 2003-07-05) is also in the root ca
> > repository and the path is valid, I mean the certificate panel says the
> > cert path is ok.
> > What can be wrong with my server settings?
> >
> > "krish shenoy[MS]" <kshenoy@online.microsoft.com> wrote in message
> > news:uLj0hcAPDHA.3700@tk2msftngp13.phx.gbl...
> > > 1) The Server certificate should chain up to a trusted root on the
> > > client machine
> > > 2) The client certificate should chain up to a trusted root on the
> > > server machine
> > > The easiest way to verify this is to export the cert to a file and
> > > copy it to the other machine and see if it chains correctly
> > > If you have added some trusted roots for the current user then make
> > > sure that the same roots are also added to the local machine trusted
> > > root store since SSL will use the local machine context and not the
> > > current user context
> > >
> > >
> > > --
> > > This posting is provided "AS IS" with no warranties and confers no
> > > rights.
> > > Use of any included samples is subject to the terms specified at
> > > http://www.microsoft.com/info/copyright.htm
> > > "Arek Lichwa" <arek_lichwa@yahoo.com> wrote in message
> > > news:ex5w6h#ODHA.1072@TK2MSFTNGP10.phx.gbl...
> > > > Hello!
> > > > I got a warning message in the eventlog (win2000 server)
> > > > "the server certificate for instance '72' does not chain up to a
> > > > trusted root certificate"
> > > > It happens when a client application with its own certificate is
> > > > trying to connect to an aspx application (the aspx script enforces
> > > > SSL 128bit encryption and requires a client certificate) on server
> > > > 72 instance and the web server refuses the connection with an
> > > > http403 error (exactly: refuses the client certificate)
> > > >
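
The check described in the quoted reply above (export the certificate, copy it to the other machine, and see whether it chains in the local machine context rather than the current user context), as an added PowerShell example that is not part of the original thread. The file path is a hypothetical placeholder and the function name is an assumption of this example.

```powershell
# Added example, not from the thread. $CertPath is a hypothetical path to the
# certificate exported from the other machine (.cer file).
param([string]$CertPath = 'C:\temp\client.cer')

# Namespace prefix for the .NET certificate classes used below.
$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" $CertPath

function Test-CertChain {
    param($Certificate, [bool]$UseMachineContext)
    # X509Chain($true) builds the chain in the local machine context,
    # X509Chain($false) in the current user context.
    $chain = New-Object "$x509.X509Chain" $UseMachineContext
    # Revocation checking is switched off so the result reflects trust only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    # Last element is the highest certificate the chain engine could reach.
    $top = $chain.ChainElements | Select-Object -Last 1
    [pscustomobject]@{
        Context       = if ($UseMachineContext) { 'LocalMachine' } else { 'CurrentUser' }
        Trusted       = $trusted
        TopOfChain    = $top.Certificate.Subject
        TopThumbprint = $top.Certificate.Thumbprint
        Status        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$machine = Test-CertChain $cert $true
$user    = Test-CertChain $cert $false
$machine, $user | Format-List

if ($machine.Trusted) {
    'Certificate chains to a trusted root in the local machine context.'
}
elseif ($user.Trusted) {
    # The case from the reply: root trusted for the current user only.
    $inMachine = Test-Path "Cert:\LocalMachine\Root\$($user.TopThumbprint)"
    "Chain is trusted only in the current user context."
    "Root $($user.TopOfChain) present in LocalMachine\Root: $inMachine"
}
else {
    "Chain is not trusted in either context. Status: $($machine.Status)"
}
```

Run it on the server with the client certificate and on the client with the server certificate, since the reply requires both directions to chain.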