
IIS 8.5 403.16 Untrusted Client Certificate

I'm in the process of moving some sites from an IIS 7.5 web server (2008 R2) to an IIS 8.5 server (2012 R2) and one in particular is giving me a fit.

The site uses client certs for authentication. User info is stored in a DB and the app is not connected to AD at all.

I have the SSL set to Require SSL and Client certificates is set to Require as well. The root CA cert is in the Local Computer's Trusted Root CAs, the site has a valid SSL cert and correctly prompts the user for their client cert. However, I receive a 403.16 response complaining that the server does not trust the client certificate.

I have made sure all non-self-signed certs were moved from Trusted Root CAs to Intermediate CAs, have compared the site configurations between the two servers and have tried setting SendTrustedIssuerList = 0 in the registry. None of these seems to do the trick.

    • When client certificates are required in IIS, it attempts to authenticate the client before the data reaches the web application. IIS attempts to authenticate the user against either AD or the local SAM. It doesn't work the way you are describing.
    • @Crypt32 The application running on this site doesn't use cert mapping against AD. It actually just checks the cert's thumbprint against a value in the user's profile in the user database.
    • IIS can't check the thumbprint against your database. Client certificate authentication in IIS occurs before the data reaches the web site. That is, you can do your own authentication within the web application only when the client is successfully authenticated in IIS.
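
A read-only audit of the server-side items the question lists (non-self-signed certificates in Trusted Root CAs, the SendTrustedIssuerList value) plus a chain build for one client certificate against the machine stores. This is an added example, not part of the original thread; the function name and the certificate path are hypothetical, and the chain build only approximates the trust check the server performs.

```powershell
# Added example: read-only checks, run in an elevated session on the IIS host.
function Test-ClientCertTrust {
    param(
        # Assumption: path to the client certificate exported without its private key.
        [Parameter(Mandatory = $true)] [string] $ClientCertPath
    )

    # Non-self-signed certificates still sitting in the machine's Trusted Root store.
    $misplaced = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint)

    # Current SendTrustedIssuerList value; $null means the value is not set.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $sendList = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SendTrustedIssuerList

    # Build the client certificate's chain against the machine stores.
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ClientCertPath
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        ChainTrusted          = $trusted
        ChainStatus           = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
        ChainSubjects         = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        NonSelfSignedInRoot   = $misplaced
        SendTrustedIssuerList = $sendList
    }
}

# Constructed sample path; replace with a real exported client certificate.
Test-ClientCertTrust -ClientCertPath 'C:\temp\client.cer' | Format-List
```

An empty `NonSelfSignedInRoot` together with `ChainTrusted = True` means the items named in the question check out on this host; any `ChainStatus` entries name the element of the chain that failed validation.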
