Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

11 replies

Last post Jun 18, 2014 09:46 AM by joeller

  • Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    May 29, 2014 04:51 PM | joeller

    I have a server created on a VirtualBox Virtual Machine using Windows Server 2008 R2 SP1.  I have implemented IIS on this server.  Windows Firewall is turned off.  The VM resides on a Windows 7 SP1 host machine.  Both OSes are using IE8 (as that is the latest version that the customer will be using).

    I am attempting to implement SSL on a web application under the DefaultWebSite web site.  A self-signed server certificate was created and added to the Default Web Site.  I also verified that the binding for the DefaultWebSite was set to 443 for SSL using that same certificate.  I verified that this web app under the DefaultWebSite saw the same certificate.

    SSL is enabled on the web app.  It was easy to connect to the web app from IE on the server and on the host (client) when it was NOT SSL configured.  Then it was easy to open the web app from IE on the server and on the host (client) when SSL was enabled but set to ignore client certificates.

    However, when I tried to get it to request client certificates from the host machine and pass that on to the web app, I started having problems.  At first I could not get it to request client certificates.  I decided, based on MSDN pages, that this was because the root certificate for my client certificate did not exist on the server.

    1. First I had to recreate the Root Certificate Authority of all of our certificates on the server.  Did that.
    2. Then I had to put the Root Certificate authority in the Trusted Root Authorities folder for "Local Computer" on the server.  Did that. 
    3. Then I had to put all the Intermediate Certificate Authorities into the corresponding "Intermediate Certificate Authorities" folder of the Local Computer on the server. Did that. However, a call to the web from the host machine (client) still did not request the client certificates.
    4. So I followed Jason Shaver's advice on changing the <access> element's SSLFlags to "SslNegotiateCert" in the applicationHost.config file in IIS Express  http://jasonrshaver.com/?tag=/Client+Certificates , but doing it in IIS's applicationHost.config file.  (I did this when the command line statement to do so failed to run.)
    5. Finally I followed instructions provided by Microsoft Support in getting my IIS Express to request client certificates to create a new registry DWord at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL called  SendTrustedIssuerList and set it to 0, again as instructed by Microsoft Support. 

    Now I was able to get a request for client certificates.  

    1. First I set the client certificates for that web app to "ignore".  The request properly requested the certificates and properly opened the web app in IE both on the server and the client.  (This is a special test app which does nothing except show all server variables.)
    2. Then I changed the client certificates to Accept for the web app, and ran it from IE on the server. The Web app opened properly.  (Although no certificates were requested.) 
    3. However when I called the web app from the client, the certificates were properly called and requested.  However,  the attempt to open the web app produced a "403 - Forbidden: Access is denied." error.
    4. Then I changed the SSL settings to require client certificates for that web app.  On the server this produced a "HTTP Error 403.7 - Forbidden The page you are attempting to access requires your browser to have a Secure Sockets layer (SSL) client certificate that the Web server recognizes." error.  On the host the same "403 - Forbidden: Access is denied." error is produced.

    I don't know what else to try. 

    E.R. Joell
  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    May 29, 2014 10:18 PM | Ken Schaefer

    How are you mapping the client certificate to a Windows identity that IIS can use?

  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    May 30, 2014 09:45 AM | joeller

    We are not mapping the client certificate to a windows identity. 

    We have no desire to do so.  In the situation for which this is a prototype, our customers will not have Windows identities on our domain; their certificate SubjectCNs are mapped against a database list of users for authorization to open the web page.  Therefore we need the Cert_Subject server variable, which means that IIS needs to request and pass the client certificate.  It is apparently now requesting it, but it is not passing it.

    Update:  It occurs to me that maybe I didn't understand your question.  As I re-read it, it sounds like you are referring to a windows identity that IIS is using to access the application, and that when IIS gets the certificate, it is using this identity to determine if it has permissions to run the application.  I see that anonymous authentication is enabled, and .Net authorization is "allow"/"all users".  Other than that I don't know where I would find out this information, as I am very very new to IIS 7, (and was only familiar with the standard routine aspects of IIS 6.0).

    PS: I did not follow Jason Shaver's instructions concerning the <iisClientCertificateMappingAuthentication/> element.  He states to change the <iisClientCertificateMappingAuthentication enabled="false"></iisClientCertificateMappingAuthentication> to <iisClientCertificateMappingAuthentication enabled="true"></iisClientCertificateMappingAuthentication>.  In the IIS 7 applicationHost.config file this is represented as <iisClientCertificateMappingAuthentication/>.  I never saw any other page that suggested changing this either manually or via the command line (nor any way to change it using the GUI).  However, I tried changing it both to <iisClientCertificateMappingAuthentication enabled="true"/> and <iisClientCertificateMappingAuthentication enabled="true"></iisClientCertificateMappingAuthentication>, but neither made any difference, so I changed it back to the default.

    E.R. Joell
  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 03, 2014 01:46 AM | Ken Schaefer

    joeller

    We are not mapping the client certificate to a windows identity. 

    You need to do this.

    Client Certification Authentication means exactly that - a process of user authentication. And the only identities that IIS understands are Windows identities.

    Now, you can have IIS run the app using a single identity (e.g. this is what's used when you allow "anonymous authentication" - as far as IIS is concerned, it will run the app using a single, fixed, Windows identity and not bother the end user for credentials).

    In your case you can use something called "many-to-one" certificate mapping. This maps all allowed certificates to a single Windows identity. You need to tell IIS which certs are valid (and which aren't), and you do that in the many-to-one mapping configuration. As long as a presented cert is in the mapping, IIS will use the single, fixed identity as the end user's identity.

    What you do with it after that, is entirely up to you.

  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 03, 2014 01:25 PM | joeller

    The app is running using anonymous authentication.  All the tens of thousands of apps in the various data centers around the country are run using anonymous authentication.  All of the thousands of servers run on SSL.  All of the servers require that a client certificate be read from a CAC card to get to the server.  Once the cert_subject is passed to the server, the web app will retrieve it either from the cert_subject server variable or from a special header, depending on the data center.  Then the web app will use it to verify user permissions and rights.

    As for assigning all to a user, I thought of assigning them to either the "Network Service" account or the "IUSR_ServerName" IIS anonymous account.  But the certificate mapping GUI asks for the password and I don't know of any password for those accounts.  I don't even see them in the computer manager's local users folder.

    I added IIS Client Certificate Mapping Authentication, as specified here:  http://www.iis.net/configreference/system.webserver/security/authentication/iisclientcertificatemappingauthentication

    I changed the applicationHost.config to this:

    <configuration>
        ...
        <system.webServer>
            ...
            <security>
                <access sslFlags="Ssl, SslNegotiateCert" />
                <applicationDependencies />
                <authentication>
                    <anonymousAuthentication enabled="true" userName="IUSR" />
                    <basicAuthentication />
                    <clientCertificateMappingAuthentication />
                    <digestAuthentication />
                    <iisClientCertificateMappingAuthentication enabled="true">
                    </iisClientCertificateMappingAuthentication>
                    <windowsAuthentication />
                </authentication>
                ...
            </security>
            ...
        </system.webServer>
        <location path="Default Web Site/TestNewGLDLL">
            <system.webServer>
                <security>
                    <access sslFlags="Ssl, SslNegotiateCert" />
                </security>
            </system.webServer>
        </location>
    </configuration>

    That is how I tried to follow the guidance given on the above page while not disabling anonymous authentication and without mapping a specific certificate to a specific rule.

    E.R. Joell
  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 03, 2014 10:31 PM | Ken Schaefer

    joeller

    The app is running using anonymous authentication.  All the tens of thousands of apps in the various data centers around the country are run using anonymous authentication.  All of the thousands of servers run on SSL.  All of the servers require that a client certificate be read from a CAC card to get to the server.  Once the cert_subject is passed to the server, the web app will retrieve it either from the cert_subject server variable or from a special header, depending on the data center.  Then the web app will use it to verify user permissions and rights.

    Are you saying you have it working elsewhere on thousands of other servers? Otherwise, I don't understand the point you are trying to make. Can you clarify?

  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 09, 2014 10:14 AM | joeller

    What I am saying is that every web site on every web server being run by this organization MUST be configured a specified way.  They MUST require client certificates and they MUST use anonymous authentication.  NONE are allowed to use client certificate authentication or Windows authentication.  Client certificate authentication is being used to verify access at a higher level than the web server; then the certificate information is passed to the web server as part of a request from the higher level to the web server.  As I am not a network administrator I do not know how this process works exactly, but I know we are provided the necessary certificate information to perform our database lookups.

    Therefore, in designing my development environment I need to ensure that information gets passed.  There is no problem in doing this with IIS Express on the local development machine.  The Cert_Subject server variable gets populated and I can access the information from there.  I need it to work on the development server.

    E.R. Joell
  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 09, 2014 08:59 PM | Ken Schaefer

    joeller

    They MUST require Client certificates and they MUST use anonymous authentication. 

    When you use Anonymous Authentication, you must configure IIS to use a specific Windows account to access resources (e.g. read files off the hard disk). The end user is anonymous, but IIS still requires a Windows account to use.

    So, in your case, you can try two possible options:

    a) Enable Anonymous Authentication in IIS, require Client Certs in SSL settings. I don't believe that this will work, but if it does, then it should meet your requirements.

    b) If (Option A) doesn't work, then map the certs to whatever your IIS anonymous access user account is using many-to-one mapping. IIS will still be using the same account for all processing and access.

  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 10, 2014 08:41 AM | joeller

    Ken Schaefer

    a) Enable Anonymous Authentication in IIS, require Client Certs in SSL settings. I don't believe that this will work, but if it does, then it should meet your requirements

    You are correct.  This does not work.

    Ken Schaefer

    b) If (Option A) doesn't work, then map the certs to whatever your IIS anonymous access user account is using many-to-one mapping. IIS will still be using the same account for all processing and access.

    I had the same thought as stated above.

    joeller


    As for assigning all to a user, I thought of assigning them to either the "Network Service" account or the "IUSR_ServerName" IIS anonymous account.


    But the certificate mapping instructions at http://www.iis.net/configreference/system.webserver/security/authentication/iisclientcertificatemappingauthentication  state that you must provide the password, and I don't know of any password for those accounts.  In fact, I don't even see them in the computer manager's local users folder.

    <manyToOneMappings>
        <add name="Contoso Employees"
             enabled="true"
             permissionMode="Allow"
             userName="Username"
             password="[enc:AesProvider:57686f6120447564652c2049495320526f636b73:enc]">
            <rules>
                <add certificateField="Subject"
                     certificateSubField="O"
                     matchCriteria="Contoso"
                     compareCaseSensitive="true" />
            </rules>
        </add>
    </manyToOneMappings>
    

    I need more information in order to complete this.

    E.R. Joell
  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 16, 2014 08:43 AM | Ken Schaefer

    joeller

    I need more information in order to complete this.

    You will not be able to use LocalSystem, LocalService or NetworkService - these principals are managed by Windows.

    You can either:

    a) set a password for the IUSR account explicitly, and then use the same in your .config file

    b) create a new user account, set password and use the same in your .config file.

    Be sure to set the password not to expire, or have a process to reset the password and update .config file accordingly.

  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 17, 2014 10:32 AM | joeller

    Ken Schaefer

    set a password for the IUSR account explicitly, and then use the same in your .config file

    But how can I do this when I can't even see the IUSR account in computer management?

    E.R. Joell
  • Re: Attempt to implement SSL in IIS 7.0 returns 403 - Forbidden: Access is denied error.

    Jun 18, 2014 09:46 AM | joeller

    The below is how to do Many to one mapping according to http://www.iis.net/configreference/system.webserver/security/authentication/iisclientcertificatemappingauthentication

    <iisClientCertificateMappingAuthentication enabled="true"
                                               manyToOneCertificateMappingsEnabled="true">
        <manyToOneMappings>
            <add name="Contoso Employees"
                 enabled="true"
                 permissionMode="Allow"
                 userName="Username"
                 password="[enc:AesProvider:57686f6120447564652c2049495320526f636b73:enc]">
                <rules>
                    <add certificateField="Subject"
                         certificateSubField="O"
                         matchCriteria="Contoso"
                         compareCaseSensitive="true" />
                </rules>
            </add>
        </manyToOneMappings>
    </iisClientCertificateMappingAuthentication>
    

    Note the required encrypted password, and the rules.  Presumably the name field of the add element is the website name.  However, note that the rules require some kind of match criteria.  But I don't want any match criteria.  So how would I show that?

    Update:  I did this:

    <iisClientCertificateMappingAuthentication enabled="true"
                                               manyToOneCertificateMappingsEnabled="true">
        <manyToOneMappings>
            <add name="TestGLDLL" enabled="true" permissionMode="Allow" userName="IUSR_CPVFSWEB200864">
                <rules>
                </rules>
            </add>
        </manyToOneMappings>
    </iisClientCertificateMappingAuthentication>

    But it delivered the same error.

    Update: 7/24/2014

    This is another thread we have neither forgotten nor neglected.  It is odd how easy it is to get IIS Express to do what it is supposed to using only a config file and no GUI, compared to how hard it is to get IIS 7.0 and up to do anything of value with both a GUI and a config file.

    E.R. Joell
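An added example (not from this thread, and not IIS's own code): a Python checker that parses an applicationHost.config-style fragment like the ones posted above, flags the settings the thread goes back and forth on (sslFlags, whether iisClientCertificateMappingAuthentication is enabled, mappings with no password or no rules), and evaluates a mapping's Subject rules against a client certificate's Subject DN the way the documented Contoso rule would. The host name, password value and subject DNs are constructed placeholders, and it assumes that every rule inside one mapping has to match for that mapping to apply.

```python
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the snippets in this thread. The host name
# and the password value are placeholders, not real values.
CONFIG = """<configuration><system.webServer><security>
  <access sslFlags="Ssl, SslNegotiateCert" />
  <authentication>
    <iisClientCertificateMappingAuthentication enabled="true" manyToOneCertificateMappingsEnabled="true">
      <manyToOneMappings>
        <add name="Contoso Employees" enabled="true" permissionMode="Allow" userName="IUSR"
             password="[enc:AesProvider:PLACEHOLDER:enc]">
          <rules><add certificateField="Subject" certificateSubField="O"
                      matchCriteria="Contoso" compareCaseSensitive="true" /></rules>
        </add>
        <add name="TestGLDLL" enabled="true" permissionMode="Allow" userName="IUSR_EXAMPLEHOST"><rules /></add>
      </manyToOneMappings>
    </iisClientCertificateMappingAuthentication>
  </authentication>
</security></system.webServer></configuration>"""

def subfields(dn):
    """Split 'CN=Alice, O=Contoso, C=US' into {'CN': 'Alice', 'O': 'Contoso', 'C': 'US'}."""
    return dict(part.strip().split("=", 1) for part in dn.split(",") if "=" in part)

def rule_matches(rule, subject_dn):
    """Apply one <rules><add .../> entry to a client certificate's Subject DN."""
    if rule.get("certificateField") != "Subject":
        return False  # only Subject rules are modelled, as in the thread's example
    value = subfields(subject_dn).get(rule.get("certificateSubField"), "")
    want = rule.get("matchCriteria", "")
    if rule.get("compareCaseSensitive", "true").lower() != "true":
        value, want = value.lower(), want.lower()
    return value == want

def audit(xml_text, subject_dn):
    """Return (findings, names of mappings whose rules all match; assumed AND)."""
    sec = ET.fromstring(xml_text).find("system.webServer/security")
    findings, matched = [], []
    flags = {f.strip() for f in sec.find("access").get("sslFlags", "").split(",")}
    if not flags & {"SslNegotiateCert", "SslRequireCert"}:
        findings.append("sslFlags never asks the browser for a client certificate")
    m = sec.find("authentication/iisClientCertificateMappingAuthentication")
    if m is None or m.get("enabled", "false").lower() != "true":
        findings.append("iisClientCertificateMappingAuthentication is not enabled")
        return findings, matched
    for mapping in m.iterfind("manyToOneMappings/add"):
        name = mapping.get("name")
        if mapping.get("password") is None:
            findings.append(f"{name}: no password for {mapping.get('userName')}")
        rules = mapping.findall("rules/add")
        if not rules:
            findings.append(f"{name}: no rules, so nothing tells IIS which certs are valid")
        elif all(rule_matches(r, subject_dn) for r in rules):
            matched.append(name)
    return findings, matched
```

Run against the constructed fragment, the TestGLDLL mapping (the shape of the thread's last attempt) produces two findings, while a certificate whose Subject carries O=Contoso matches only the documented mapping.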