IIS 7 and Above
Client certificate authentication skip / continue 403 error
Last post Jun 18, 2020 09:30 AM by Yuk Ding
Jun 17, 2020 02:50 PM|ChristophThurnheer
We have a working website, protected by SSL certificate authentication (SSL settings: require SSL: accept). Is there a possibility, if a user provides an "unknown" certificate to IIS, to continue to the website? As of now, we get a 403 error.
Background: many companies have configured which certificate they provide towards the web, so the user has no choice to select the correct certificate. However, the user should be allowed to see some content of the website, even without login / incorrect certificate. The web application does recognize if the correct certificate is available and then displays the full website. Without it, some parts are invisible.
So IIS should continue even without a correct certificate. Technically unauthorized access as a user without any certificate.
Jun 18, 2020 01:01 AM|lextm
However, the user should be allowed to see some content of the website, even without login / incorrect certificate.
That can be done by redirecting such requests to another site, or a page excluded from authentication, usually via custom error page setting.
Jun 18, 2020 09:30 AM|Yuk Ding
What's the sub-status code of the 403 error you received when you accessed the website? By default, accept certificate allows the user to pass a client certificate to the server side. But it won't return 403 without any authentication especially you don't use IIS client
You can restructure your application at the AOP authorization level. You may need to use code to verify the certificate and return different authorized users for valid and invalid certs. So your server can return different content based on different authorize
If you don't want to do that, you can also create a website for users with invalid certificates to access. Then set the 403 status error page to redirect to this site.
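One way to do the in-application certificate check suggested in the last reply, as an added example that is not part of the original thread: an ASP.NET (System.Web) module that gives a request a role only when its client certificate chains to a CA the application trusts, and otherwise leaves it anonymous so pages can show reduced content. Assumptions: SSL settings stay on "Accept", .NET Framework 4.6 or later, and the module name, role name and thumbprint are hypothetical placeholders. The module only sees requests that IIS lets through to the application.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Principal;
using System.Web;

// Hypothetical module; register it under <system.webServer><modules> in web.config.
public sealed class ClientCertRoleModule : IHttpModule
{
    // Constructed placeholder: thumbprints of the CAs whose certificates unlock full content.
    private static readonly HashSet<string> TrustedCaThumbprints =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "0000000000000000000000000000000000000000" };

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += (sender, e) =>
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            HttpClientCertificate cert = ctx.Request.ClientCertificate;
            // Missing, invalid or unknown certificate: anonymous principal, no roles.
            ctx.User = IsTrusted(cert)
                ? new GenericPrincipal(new GenericIdentity(cert.Subject, "ClientCertificate"),
                                       new[] { "FullContent" })
                : new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        };
    }

    private static bool IsTrusted(HttpClientCertificate cert)
    {
        if (cert == null || !cert.IsPresent || !cert.IsValid) return false;
        var leaf = new X509Certificate2(cert.Certificate);
        using (var chain = new X509Chain())
        {
            // Build() fails on expired, revoked or untrusted chains (default policy).
            if (!chain.Build(leaf)) return false;
            // Skip the leaf itself; accept only if an issuing CA is on the allow-list.
            for (int i = 1; i < chain.ChainElements.Count; i++)
                if (TrustedCaThumbprints.Contains(chain.ChainElements[i].Certificate.Thumbprint))
                    return true;
        }
        return false;
    }

    public void Dispose() { }
}
```

Pages and controllers can then gate the protected parts with `User.IsInRole("FullContent")` and render the public parts for everyone else.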