IIS 10 CTL not working correctly [Answered]

3 replies

Last post Nov 01, 2019 06:11 PM by brentil

  • IIS 10 CTL not working correctly

    Oct 31, 2019 07:50 PM | brentil

    We've been running CTL (Certificate Trust Lists) to do CAC access to websites for a while under Windows 2008 R2 and IIS 7.5, but we've begun our migration to Windows Server 2019 with IIS 10.  However, after enabling the CTL using the netsh http add command like we've used in the past, CAC works but the CTL list does not seem to be implemented.  When we load one of the development websites with the CTL enabled on it, instead of a filtered list of certificates being shown to the user, ALL certificates a user has are in the list of certificates to choose from.  Revocation is disabled below just for development testing.  SSL Settings in IIS are also set to Require SSL and Require client certificates.

    Command run:

    netsh http add sslcert ipport=1.1.1.1:443 certhash=HASH-VALUE appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlidentifier=MyCustomCTL sslctlstorename=CA verifyclientcertrevocation=disable verifyrevocationwithcachedclientcertonly=disable clientcertnegotiation=enable

    Results from netsh http show sslcert:

    IP:port : 1.1.1.1:443
    Certificate Hash : HASH-VALUE
    Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name : (null)
    Verify Client Certificate Revocation : Disabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout : 0
    Ctl Identifier : MyCustomCTL
    Ctl Store Name : CA
    DS Mapper Usage : Disabled
    Negotiate Client Certificate : Enabled
    Reject Connections : Disabled
    Disable HTTP2 : Not Set
    Disable QUIC : Not Set
    Disable TLS1.2 : Not Set
    Disable TLS1.3 : Not Set
    Disable OCSP Stapling : Not Set
    Disable Legacy TLS Versions : Not Set

    Anyone run into this or know the solution for it?

  • Re: IIS 10 CTL not working correctly

    Nov 01, 2019 01:53 AM | Jalpa Panchal

    Hi,

    In the netsh command, try removing certhash and Identifier.

    You could refer to some similar threads; I hope they help you:

    https://forums.iis.net/t/1163334.aspx

    https://forums.iis.net/t/1230079.aspx?Certificate+Trust+List+on+IIS+8+5

    MSDN Community Support
  • Re: IIS 10 CTL not working correctly

    Nov 01, 2019 02:09 PM | brentil

    I'm not sure what you're trying to suggest.  If you remove the certhash and appid, it unbinds the SSL certificate from the assigned website.  They're also required items to run netsh http add or update.

    We've been doing CTL-based CAC for a while, so I'm familiar with the process on IIS 6 through IIS 8.5, but the behavior in IIS 10 is where I'm having trouble: it's not respecting the CTL list that shows as being enabled.  Instead of filtering the list of user certs a user can choose from, it shows all of them.

    - Use MakeCTL to create the CTL list with the 1.3.6.1.4.1.311.10.1 code, add the certs, and move it to the local computer CA store

    - netsh http show sslcert (and get the details of the IP you want to modify)

    - netsh http delete sslcert ipport=1.1.1.1:443

    - netsh http add sslcert ipport=1.1.1.1:443 certhash=HASH-VALUE appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlidentifier=MyCustomCTL sslctlstorename=CA verifyclientcertrevocation=disable verifyrevocationwithcachedclientcertonly=disable clientcertnegotiation=enable

    I've also used the update command instead, removing the extra options to do only the CTL addition for testing, but that also doesn't respect the CTL.

    - netsh http update sslcert ipport=1.1.1.1:443 appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certhash=HASH-VALUE sslctlstorename=CA sslctlidentifier=MyCustomCTL

    The output shows the CTL as being bound to the website, but it's not respecting it.

    IP:port : 1.1.1.1:443
    Certificate Hash : HASH-VALUE
    Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
    Certificate Store Name : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check : Enabled
    Revocation Freshness Time : 0
    URL Retrieval Timeout : 0
    Ctl Identifier : MyCustomCTL
    Ctl Store Name : CA
    DS Mapper Usage : Disabled
    Negotiate Client Certificate : Disabled
    Reject Connections : Disabled
    Disable HTTP2 : Not Set
    Disable QUIC : Not Set
    Disable TLS1.2 : Not Set
    Disable TLS1.3 : Not Set
    Disable OCSP Stapling : Not Set
    Disable Legacy TLS Versions : Not Set

    [Screenshot: this is what it should look like]

    [Screenshot: this is what's actually happening]

  • Re: IIS 10 CTL not working correctly

    Nov 01, 2019 06:11 PM | brentil

    I found the solution finally.  It appears this was in a couple of the last later versions too, but the fact that it was set on our newer servers was lost in the pre-configuration-management tracking era.  Once this setting was set and I ran iisreset, the CTL list began being respected for client certificate selection.

    https://techcommunity.microsoft.com/t5/IIS-Support-Blog/Client-Certificate-Authentication-Part-1/ba-p/324623

    The behavior to send the Trusted Issuer List by default is off: Default value of the SendTrustedIssuerList registry key is now 0 (off by default) instead of 1.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\

    DWORD SendTrustedIssuerList = 1
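The two settings this thread ends up depending on (the Schannel SendTrustedIssuerList value and the CTL fields on the HTTP.sys binding) can be checked together from an elevated PowerShell prompt. This is an added example, not code from the thread; it assumes the binding 1.1.1.1:443 and the CTL name MyCustomCTL used in the posts above, and it parses the plain "Name : Value" lines that netsh prints.

```powershell
# Added example: verify (and optionally fix) the settings that make a CTL
# filter the client-certificate prompt. Assumptions: binding 1.1.1.1:443,
# CTL "MyCustomCTL" in the LocalMachine CA store, as in the thread. Run elevated.
param(
    [string]$IpPort        = '1.1.1.1:443',
    [string]$CtlIdentifier = 'MyCustomCTL',
    [switch]$Fix           # set SendTrustedIssuerList=1 and run iisreset
)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$name = 'SendTrustedIssuerList'

# 1. Registry: the linked article says the default is now 0, so an absent
#    value means the trusted issuer list is NOT sent in the TLS handshake.
$val = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($val -eq 1) {
    Write-Host "OK   $name = 1 (issuer list sent; CTL can filter the prompt)"
} else {
    $shown = if ($null -eq $val) { 'not set' } else { $val }
    Write-Host "WARN $name is $shown; browser will offer every client cert"
    if ($Fix) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "     set $name = 1"
    }
}

# 2. HTTP.sys binding: turn netsh's "Name : Value" lines into a hashtable.
$binding = @{}
foreach ($line in (netsh http show sslcert "ipport=$IpPort")) {
    if ($line -match '^\s*(.+?)\s*:\s*(.*)$') {
        $binding[$Matches[1]] = $Matches[2].Trim()
    }
}
# Expected values taken from the "netsh http add sslcert" command in the thread.
$expected = @{
    'Ctl Identifier'               = $CtlIdentifier
    'Ctl Store Name'               = 'CA'
    'Negotiate Client Certificate' = 'Enabled'
}
foreach ($field in $expected.Keys) {
    $status = if ($binding[$field] -eq $expected[$field]) { 'OK  ' } else { 'WARN' }
    Write-Host "$status $field = $($binding[$field]) (expected $($expected[$field]))"
}

# 3. Neither change is picked up until IIS/HTTP.sys reloads the binding.
if ($Fix) { iisreset | Out-Null; Write-Host '     iisreset done' }
```

Without -Fix the script only reports, which is the safe mode to run on production hosts first; with -Fix it applies the registry change from the final post and restarts IIS.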