MrTompkins
6 Posts
403 with chrome
Feb 28, 2013 11:45 AM
Hi,
we have a website running on IIS 7, which requires a client certificate which is then mapped to a Windows user.
I've used the same certificate in FF, IE, Opera and Safari and it worked just fine.
Only Chrome is behaving differently: When I navigate to the website, the certificate selection prompt pops up. When I select the certificate (I only have one in the Windows certificate store, so it must be the same as IE uses) I get a 403 response.
Does anyone have any suggestions, what the problem might be or how I can figure it out?
Cheers, Tobi
mark.newnam
15 Posts
Re: 403 with chrome
Feb 28, 2013 05:03 PM
Hi Tobi,
It is possible there is a problem with the certificate chain. Try checking the certificate chain. Here is a link to SSL Checker which will do this for you: http://www.sslshopper.com/ssl-checker.html
If there are any issues with root or intermediate certificates, they will show up there.
MrTompkins
6 Posts
Re: 403 with chrome
Mar 01, 2013 09:15 AM
Hi Mark,
thanks for your reply.
The ssl-checker says: "The certificate should be trusted by all major web browsers"
I don't understand why it works with every browser but Chrome...
Matthew Reid
1 Post
Re: 403 with chrome
Mar 05, 2013 03:54 AM
A little strange that the issue only occurs with 1 browser. That being said, a 403 error is a little vague. I would suggest as a starting point to narrow down the issue at first to find what the substatus of the 403 error is. Then we can understand the problem more.
This can be done by either checking the IIS logs for the 403 and substatus code, making the request locally from the server machine itself, or turning on detailed error messages for report requests within IIS Manager for the site.
Based on the 403 substatus it may give us a further hint on the issue.
The below website is a nice quick resource which explains the different 403 errors with their substatus and the meaning.
http://www.iis-aid.com/articles/iis_aid_news/iis_7_http_status_codes
I'm also not very familiar with Chrome and their logic behind which client certificates are presented to the user to be selected. Have you completely confirmed this is the same certificate that's being sent by the working browsers?
MrTompkins
6 Posts
Re: 403 with chrome
Mar 05, 2013 08:54 AM
Hi Matthew,
according to the IIS log the substatus is 7 (client certificate required) and the sc-win32-status is 5 (access denied).
So that means Chrome is simply not sending the selected certificate, right?
I mean that's the behaviour I would expect when no client certificate is present and also the behaviour I see with all other browsers when no cert is present. However, in Chrome when no certificate is selected I receive 500 (status) 0 (substatus) 64 (win-32-status).
Yes, Chrome definitely uses the Windows certificate store and therefore the same certificate as IE
Any idea what the root cause of the problem might be?
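Reading the status, substatus and Win32 fields discussed in this thread out of an IIS W3C log and grouping the failures by browser, as an added example that is not part of any post above. The log lines, IP address and user-agent strings are constructed, and the substatus table lists only the client-certificate codes.

```python
from collections import Counter

# Client-certificate-related 403 substatus codes used by IIS 7.
CERT_SUBSTATUS = {
    7: "client certificate required", 12: "mapper denied access",
    13: "client certificate revoked", 16: "client certificate untrusted or invalid",
    17: "client certificate expired or not yet valid",
}
# Win32 error codes that appear in the thread (sc-win32-status).
WIN32 = {5: "ERROR_ACCESS_DENIED", 64: "ERROR_NETNAME_DELETED"}

# Constructed sample in W3C extended format (not taken from the poster's server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2013-03-05 08:40:01 GET /app/ 443 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.22+Chrome/25.0.1364.97+Safari/537.22 403 7 5
2013-03-05 08:41:12 GET /app/ 443 192.0.2.10 Mozilla/5.0+(compatible;+MSIE+9.0;+Windows+NT+6.1) 200 0 0
2013-03-05 08:42:30 GET /app/ 443 192.0.2.10 Mozilla/5.0+(Windows+NT+6.1)+AppleWebKit/537.22+Chrome/25.0.1364.97+Safari/537.22 500 0 64
"""

def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def browser(ua):
    # Order matters: Chrome's user agent also contains "Safari/".
    tokens = (("Chrome/", "Chrome"), ("MSIE", "IE"), ("Firefox/", "Firefox"),
              ("Opera/", "Opera"), ("Safari/", "Safari"))
    return next((name for tok, name in tokens if tok in ua), "other")

def failures(text):
    """Count failed requests by (browser, status.substatus, win32 name, meaning)."""
    out = Counter()
    for row in parse_w3c(text):
        status, sub, win32 = (int(row[k]) for k in ("sc-status", "sc-substatus", "sc-win32-status"))
        if status >= 400:
            meaning = CERT_SUBSTATUS.get(sub, "not certificate-specific") if status == 403 else "not a 403"
            key = (browser(row.get("cs(User-Agent)", "")), f"{status}.{sub}", WIN32.get(win32, str(win32)), meaning)
            out[key] += 1
    return out

if __name__ == "__main__":
    for key, count in sorted(failures(SAMPLE_LOG).items()):
        print(count, *key)
```

The `cs(User-Agent)` field is only present if it is enabled in the site's W3C logging fields; without it every row is grouped under "other".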