IIS 7 and Above
IIS 8.5 offers all client certificates
Last post Nov 25, 2015 09:27 AM by Matra
Mar 22, 2015 06:04 AM|Urmas|LINK
Situation: WS2012 R2 / IIS 8.5, two way SSL is required, so client must have certificate for accessing website. While trying to access website, all certificates with authentication EKU are allowed/listed in client. Even certificates not trusted by IIS server.
Question: How to configure IIS to allow only certificates in Trusted Certification Authorities and/or Client Authentication Issuers stores to be listed in client side?
Mar 23, 2015 05:42 AM|Pengzhen Song - MSFT|LINK
In my opinion, IIS can't limit the client certificates to listed in client side. And I suggest that you can post it in IE forum where you can get better answers.
Mar 27, 2015 08:18 AM|Urmas|LINK
Cannot agree with you. In IIS 7.5 there was a possibility to configure IIS to show all certificates on the client side by configuring the sendtrustedissuerlist registry key (default value 1). So, by default only certificates trusted by the IIS server were listed on the client.
In IIS 8.5 the default value is 0 and I don't understand (yet) how to tell the new IIS server to allow the client to show only trusted certificates.
Jun 05, 2015 07:49 AM|city|LINK
I have the same problem. I set HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList = 1 and added the CA cert to Client Authentication Issuers. lsass.exe reads the reg key, but IIS seems to ignore it completely and sends no client CAs. The logs of IIS or CAPI2 show no hints why the list is not sent.
The only source of information regarding Windows 2012 R2 from MS I found is: https://technet.microsoft.com/en-us/library/hh831771.aspx#BKMK_TrustedIssuers
Sep 28, 2015 08:00 PM|Matra|LINK
We are running into the same problem. City, were you able to solve it?
Sep 28, 2015 08:27 PM|Ken Schaefer|LINK
The new behaviour and reg keys to control it are documented here:
Sep 29, 2015 01:09 AM|Matra|LINK
I have read the article and performed the steps listed below, but it did not have any effect:
Add one CA certificate to "Client Authentication Issuers" local computer store
Remove server SSL certificate binding with netsh http delete sslcert
Added server SSL certificate binding with netsh http add sslcert ipport=0.0.0.0:443 certhash=.... appid=.... sslctlstorename=ClientAuthIssuer
Verified that settings were applied with netsh http show sslcert
Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList to 1
Rebooted machine just in case (I've also tried with net stop http /y & net start w3svc)
Reopened the web page with Internet Explorer; it still lists all the certificates (not only the ones issued by the CA added in step 1).
If I verify the SSL protocol with the openssl command as described here: http://blogs.msdn.com/b/saurabh_singh/archive/2007/12/07/certificate-trust-list-not-being-honored-by-iis-5-0-6-0-7-0.aspx it still shows "No client certificate CA names sent" instead of "Acceptable client certificate CA names" (list of DNs).
What am I doing wrong?
UPDATE: To clarify, I only started playing with the "Client Authentication Issuers" store because removing undesired certificates from the Trusted Root store did not help. The real problem is that IIS is not sending a list of trusted CA certificates as part of the SSL handshake, regardless of the registry setting SendTrustedIssuerList (whose default value has changed in Win2012).
Nov 25, 2015 05:06 AM|de97nia|LINK
I have tried to perform the same steps as Matra, with the same disappointing result.
I tried to set the registry key "ClientAuthTrustMode" to 1, which also has no effect.
Running on Windows Server 2012 R2 Datacenter.
IIS version 8.5.9600.16384
Nov 25, 2015 09:27 AM|Matra|LINK
My problem was that I had an extra space at the end of the registry key name. So I actually used "SendTrustedIssuerList " instead of "SendTrustedIssuerList". After renaming the registry key to exclude the trailing space everything was OK.
The irony is that I had deliberately copied the key name from a web page to avoid typing errors. It looks like my browser decided to be smart and added an extra space at the end :-)
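An added check for the configuration described in this thread (example script, not posted by anyone above): it reads the SCHANNEL value names exactly as stored, flags a SendTrustedIssuerList or ClientAuthTrustMode name that carries surrounding whitespace (the trailing-space problem Matra hit), reports the effective values, and shows the CTL store name on the 0.0.0.0:443 binding from netsh. The function name and the 0.0.0.0:443 binding are assumptions; run it in an elevated PowerShell on the IIS server.

```powershell
# Added example, not from any post in this thread. Function name is assumed.
function Test-SchannelIssuerListConfig {
    param(
        # Binding checked with netsh; 0.0.0.0:443 matches the steps above.
        [string]$IpPort = '0.0.0.0:443'
    )

    $schannelPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $expected = @('SendTrustedIssuerList', 'ClientAuthTrustMode')

    $key = Get-Item -Path $schannelPath
    # GetValueNames() returns names verbatim, including any stray whitespace
    # that a copy/paste may have added, which Schannel silently ignores.
    $names = $key.GetValueNames()

    foreach ($name in $names) {
        $trimmed = $name.Trim()
        if ($trimmed -ne $name -and $expected -contains $trimmed) {
            Write-Warning ("Value '{0}' has surrounding whitespace; rename it to '{1}'." -f $name, $trimmed)
        }
    }

    foreach ($name in $expected) {
        # Registry value names are case-insensitive, so -contains is the right test.
        if ($names -contains $name) {
            '{0} = {1}' -f $name, $key.GetValue($name)
        } else {
            '{0} is not set; the Schannel default for this OS applies' -f $name
        }
    }

    # The binding must reference the ClientAuthIssuer store for the CTL
    # to be used; netsh prints this as "Ctl Store Name".
    netsh http show sslcert ipport=$IpPort | Select-String 'Ctl Store Name'
}

Test-SchannelIssuerListConfig
```

After correcting anything the script reports, the openssl s_client check from the linked blog post should show "Acceptable client certificate CA names" instead of "No client certificate CA names sent".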