
Thread: IIS7 on W2008 with standalone CA on W2003

Last post 07-13-2009 10:10 AM by corolar. 2 replies.


  • 07-07-2009, 4:50 PM

    • corolar
    • Not Ranked
    • Joined on 07-07-2009, 4:32 PM
    • Posts 2

    IIS7 on W2008 with standalone CA on W2003

    Hi all,

    I am going crazy with an authentication issue. I will describe the configuration I have first.

    1. Windows Server 2008 x64 with IIS7 (let's call this MachineIIS)

    2. Windows Server 2003 x64 with standalone subordinate CA (let's call this MachineCA)

    I have set the following (on Machine IIS):

    - requested a web server certificate from MachineCA,

    - installed the cert in IIS

    - configured the iis client certificates mapping (many to one option)

    - configured a web service to require certificates and to use the cert mapping described above

    - the windows authentication is enabled

    - any other type of authentication is disabled

    - issue a client certificate on MachineIIS from MachineCA


    Issues:

    1. Using the certificate to connect to the web service (from MachineIIS) is giving me the following error:

    (HTTP error 403.13 - Forbidden, your client certificate was revoked, or the revocation status could not be determined)

    I have tried the url for the CRL and it's available.

    2. Using the client certificate from a different machine is giving me the following error:

    401 unauthorized: access is denied due to invalid credentials.


    All this is driving me crazy.

    Any help is much appreciated.

    Thank you.

  • 07-13-2009, 9:17 AM In reply to

    Re: IIS7 on W2008 with standalone CA on W2003

    Hi

    You need to enable IIS Client Certificate Mapping Authentication, and you can disable the Windows authentication.
    IIS Client Certificate Mapping Authentication <iisClientCertificateMappingAuthentication>
    http://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication

    1) Since you can successfully download the CRL, make sure the client certificate is valid.

    2) You can check the "cs-username" field of the relevant IIS log entries. If the user was not the mapped user, there should be some incorrect client authentication settings. If the user was the mapped user, please make sure the user name and password are correct.

    Leo Tang
    Microsoft Online Community Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
  • 07-13-2009, 10:10 AM In reply to

    • corolar
    • Not Ranked
    • Joined on 07-07-2009, 4:32 PM
    • Posts 2

    Re: IIS7 on W2008 with standalone CA on W2003

    Hi,

    I have found the problem: using certutil I saw that the client certificate was not valid because of the CRL that was expired.

    Internet Explorer was telling me that the certificate was valid, so that's why it led me down the wrong path.

    All the best.
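Added example (not from any post in this thread): a PowerShell check that builds the client certificate's chain with online revocation checking, which is the same decision IIS makes before it will map the certificate, and reports why revocation status could not be determined. `$CertPath` is an assumed parameter pointing at an exported copy of the client certificate.

```powershell
# Added example: reproduce IIS's revocation decision for a client certificate
# so an expired or unreachable CRL shows up as a named status instead of a bare 403.13.
param(
    [Parameter(Mandatory = $true)]
    [string]$CertPath   # assumed parameter: path to the exported client certificate (.cer)
)

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

# Fetch CRLs from the CDP URLs rather than trusting the local cache, and check every
# certificate in the chain, not only the leaf. A cached CRL is one reason a browser
# can say "valid" while the server, fetching a fresh copy, fails the check.
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag    = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

$ok = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $ok"

# Each ChainStatus entry names the failure. Revoked means the serial is on the CRL;
# RevocationStatusUnknown or OfflineRevocation means the CRL could not be used, which
# is what an expired CRL (NextUpdate in the past) produces.
foreach ($status in $chain.ChainStatus) {
    "  {0,-26} {1}" -f $status.Status, $status.StatusInformation.Trim()
}

# Show the CRL distribution points (OID 2.5.29.31) so the URL IIS tried can be fetched
# by hand and its NextUpdate inspected.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdp) { "CDP     : " + $cdp.Format($false) }

# certutil prints each CRL's ThisUpdate/NextUpdate during the same walk, which is how
# the expired CRL was found in this thread:
#   certutil -verify -urlfetch $CertPath
```

Run it on MachineIIS as the account the web service runs under, since that account's certificate store and CRL cache are the ones IIS consults.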
