Setting Up IIS Express to Accept Client Certificates

6 replies

Last post Sep 22, 2017 06:26 PM by dotnetftw

  • Setting Up IIS Express to Accept Client Certificates

    Feb 03, 2014 04:01 PM | joeller

    I read the blog run by Jason R. Shaver a few months ago on how to set up IIS Express to accept Client Certificates. http://www.jasonrshaver.com/post/2011/09/28/WP7-Client-Certificates-Part-2-(Client-Certs-on-the-Browser).aspx

    I did the following:

    1. Changed Project properties to use IIS Express instead of VS Development Server.
    2. Enabled SSL on Project
    3. Established Virtual Directory in Project Properties.
    4. Opened the IIS Express Applicationhost.config file.
    5. Verified the Site configuration included a binding with a protocol of https.
    6. Changed iisClientCertificateMappingAuthentication to enabled = true
    7. Uncommented access sslFlags="SslNegotiateCert"

    Since I only wanted the web app to view the certs on my CAC card I did not proceed any further.  For months this worked exactly as I wanted it, populating the server Variables with the Cert_Subject, which my app was then programmed to retrieve and read.

    Then I moved to a different machine.  I had to move my projects and databases to the new machine.  I worked with things as they were for a while.  I ran the particular app I had set up to use SSL and was only mildly surprised when the app did not request my client certificate.  Then today I tried to repeat the setup on this new machine that I had on the old machine.  The project settings were still the same although I had to click the "create virtual directory" again.

    I opened the applicationhost.config file.

    1. I was not surprised to find the web site had a binding with a protocol of "https".
    2. I was very surprised to find that the "iisClientCertificateMappingAuthentication" was already set to true.
    3. I was even more surprised to find that access sslFlags="SslNegotiateCert" was already uncommented. (I never did this.)
    4. Finally I was shocked to find with all of these settings correct, the browser still never requested my client certs when hitting this site.

    I do not understand why this is happening on this machine and not on the other machine.  Does anyone have any ideas?

    P.S.  I inadvertently created this in the wrong sub-forum.  I would appreciate a moderator moving it to the correct forum.

     

    E.R. Joell
  • Re: Setting Up IIS Express to Accept Client Certificates

    Feb 06, 2014 03:40 AM | Terry Guo - MSFT

    Hi joeller,

    Did you install the Centralized SSL Certificate Support on your new server?

    If not, please refer to the following steps to install it:

    1. Open Control Panel.

    2. Open Programs, and then open Turn Windows features on or off.

    3. Select the Centralized SSL Certificate Support in Internet Information Services -> World Wide Web Service -> Security.

    Hope it helps.

    Best Regards,
    Terry Guo

  • Re: Setting Up IIS Express to Accept Client Certificates

    Feb 06, 2014 08:55 AM | joeller

    Hi Terry;

    Please note I am referring to IIS express, not IIS and it is a development machine not a server.  We are prevented from installing IIS on these machines by the Navy's group security policy.

    Part 1 of the set of articles referenced above gave direction for setting up IIS Express including generating the "server" certificate. http://www.jasonrshaver.com/post/2011/09/28/WP7-Client-Certificates-Part-1-(Setting-Up-IIS-Express).aspx

     Part 2 given above discusses setting the client certificates.  As I explained this all worked twice on two separate machines so I don't understand why it is failing now.

    E.R. Joell
  • Re: Setting Up IIS Express to Accept Client Certificates

    Mar 24, 2014 12:31 PM | joeller

    I just found out today that the same thing happening on that one machine is happening on the machines which work, when you run debug using Firefox.

    E.R. Joell
  • Re: Setting Up IIS Express to Accept Client Certificates

    Mar 24, 2014 12:47 PM | joeller

    IIS.Net at http://www.iis.net/learn/extensions/using-iis-express/running-iis-express-without-administrative-privileges says:

    Using SSL

    Configuring access over the secure sockets layer (SSL) requires administrative privileges on IIS Express, just like it does on IIS. However, the IIS Express setup program performs the following tasks that enable standard users to use SSL with IIS Express:

      • It automatically creates and installs a self-signed SSL server certificate in the local machine store.
      • It configures HTTP.SYS to reserve ports 44300 through 44399 for SSL. Incoming SSL requests that use localhost and one of the ports in the specified range are automatically associated with the self-signed certificate. (HTTP.SYS is an operating system component that handles SSL for IIS and IIS Express. The setup program is able to configure HTTP.SYS because setup runs under elevated privileges.)

    Consequently, using SSL to test a website with IIS Express is as simple as adding a binding like the following to the site element in applicationhost.config:

    <binding protocol="https" bindingInformation="*:44300:localhost" />

    This works only for local traffic (localhost requests) and for the specified range of ports. Administrator privileges are required in order to configure a custom SSL certificate or to run SSL using a port outside the specified range.

    I did all of that. It works on some machines but not others. It works for IE but not Firefox.

    E.R. Joell
  • Re: Setting Up IIS Express to Accept Client Certificates

    Apr 05, 2016 03:43 AM | heikkiri

    I know this is a little bit old thread, but I landed here a few times researching this issue. So, maybe others will as well. For me the problem was that my IIS Express sent the trusted list to the browser. As I used self-signed certificates, the browser did not prompt for a certificate.

    I added the following key (Default: 1), and rebooted my machine. After this I got prompted for certificate.

    http://support.microsoft.com/kb/933430/EN-US

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL 
    Value name: SendTrustedIssuerList 
    Value type: REG_DWORD 
    Value data: 0 (False) 

    HTH,

    ~ Heikki
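
The settings from joeller's steps 5 to 7 and the registry value from heikkiri's reply can be read back in one pass. The PowerShell below is an added example, not part of any post in this thread; it is read-only and assumes the default per-user IIS Express config path (Documents\IISExpress\config\applicationhost.config), so pass -ConfigPath if the project uses a different file. The helper name New-Result is hypothetical.

```powershell
# Added diagnostic example (not from the thread). Read-only: changes nothing.
# Assumption: default per-user IIS Express config location.
param(
    [string]$ConfigPath = (Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'IISExpress\config\applicationhost.config')
)

function New-Result($Check, $Value, $Status) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Status = $Status }
}

[xml]$cfg = Get-Content -LiteralPath $ConfigPath -Raw

# https bindings: per the IIS.net text, only ports 44300-44399 are reserved
# by setup for SSL without administrator rights.
foreach ($b in $cfg.SelectNodes('//sites/site/bindings/binding[@protocol="https"]')) {
    $info   = $b.GetAttribute('bindingInformation')   # format ip:port:host
    $parts  = $info -split ':'
    $port   = [int]$parts[-2]
    $status = if ($port -ge 44300 -and $port -le 44399) { 'port in reserved range' } else { 'port outside 44300-44399' }
    New-Result 'https binding' $info $status
}

# Live <access> elements only; a commented-out element is not matched.
foreach ($a in $cfg.SelectNodes('//security/access')) {
    $flags  = $a.GetAttribute('sslFlags') -split '\s*,\s*'
    $wants  = ($flags -contains 'SslNegotiateCert') -or ($flags -contains 'SslRequireCert')
    $status = if ($wants) { 'client certificate negotiated' } else { 'no client certificate negotiation' }
    New-Result 'access sslFlags' ($flags -join ',') $status
}

foreach ($m in $cfg.SelectNodes('//iisClientCertificateMappingAuthentication')) {
    $enabled = $m.GetAttribute('enabled')
    $status  = if ($enabled -eq 'true') { 'enabled' } else { 'disabled' }
    New-Result 'iisClientCertificateMappingAuthentication' $enabled $status
}

# SCHANNEL value from heikkiri's reply; $val stays $null when it is not set.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$val = (Get-ItemProperty -Path $key -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList
$status = if ($null -eq $val) {
    'value not set; OS default applies'
} elseif ($val -eq 0) {
    'trusted issuer list not sent'
} else {
    'trusted issuer list sent; unlisted issuers may suppress the prompt'
}
New-Result 'SCHANNEL SendTrustedIssuerList' $val $status
```

Run it as the same user that starts IIS Express and pipe the output to Format-Table -AutoSize; settings inside <location> blocks are reported too, so more than one row per check is normal.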

  • Re: Setting Up IIS Express to Accept Client Certificates

    Sep 22, 2017 06:26 PM | dotnetftw