IIS 7 and Above
Certificate mapping (oneToOneMapping) results in 403.7.
Last post Jun 24, 2020 06:21 AM by andrej.zozulya
Jun 22, 2020 12:01 PM | andrej.zozulya
There are many very interesting articles and forum topics about the proper way to configure IIS for Client Certificate Mapping (oneToOne or manyToOne). None of them helped me troubleshoot my very own 403.7.
Legend: a simple Razor Pages site is deployed to IIS. This IIS is not a production server, it is rather a sandbox. So only one site is hosted (backed by one application pool). I have added bindings to it. HTTP on 80, checked and working. Then HTTPS on 443. For testing I've created a CA root and 2 self-signed certificates signed with that CA. The CA root certificate is placed in the LM/Trusted store on both sides (client and server). The self-signed certificate for client authentication on the server (1.3.6.1.5.5.7.3.2) was stored in the LM/Personal store on the client PC, and the self-signed certificate for server authentication (1.3.6.1.5.5.7.3.1) was placed in the LM/Personal store on the server. The server certificate was properly bound to 443 within IIS. Anonymous authentication for this site is ON. MMC shows both certificates on server and client as trustworthy with PK.
The registry fix for sending the certificate issuer list to the client is applied: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\SendTrustedIssuerList=1. I'm not sure about this, but at least after this fix both browsers (Chrome and Edge) start to ask for a client certificate at connection initialisation.
IIS management console:
Test Iteration 1: Ignore (x), Accept (), Require () - Everything works fine. But there is no client mapping triggered
Test Iteration 2: Ignore (), Accept (x), Require () - Everything works fine. But there is no client mapping triggered
Test Iteration 3: Ignore (), Accept (), Require (x) - error 403.7
At this point the error is very understandable, because no mapping had been created yet. So I made some changes to system.webServer/security/authentication/iisClientCertificateMappingAuthentication, pulling a certificate blob and storing it with user credentials in oneToOneMapping. The blob is right - checked many times manually. (It is bad that IIS offers no validation / monitoring utility for client certificates, neither in oneToOneMapping nor in manyToOneCertificateMapping.) oneToOneMappingEnabled = true;
Still 403.7 from any browser outside of this server. Server log - nothing particularly useful, just plain old 403.7.
I'm running out of ideas on how to troubleshoot this.
Thank you in advance for any hints, and please forgive my weak English.
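The mapping step described above, worked through as an added example (this is not the poster's script nor Microsoft's own tooling): it loads the client certificate from the server's store, checks that it chains to a trusted root and carries the Client Authentication EKU, builds the base64 blob IIS compares against, writes the oneToOneMappings entry with the WebAdministration module, and then reads the entry back to confirm the stored blob still matches the certificate's thumbprint. The site name, the mapped account name and the thumbprint placeholder are assumptions; run it elevated on the IIS server.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Assumptions: site 'Default Web Site', client certificate present in
# LocalMachine\My on the server under $ClientThumbprint (placeholder),
# mapped account is a local Windows user. Run as administrator on Windows Server.
Import-Module WebAdministration

$SiteName         = 'Default Web Site'                       # assumption
$ClientThumbprint = 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT'    # placeholder
$MappedUser       = 'CertMappedUser'                         # assumption
$Filter           = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$AppHost          = 'MACHINE/WEBROOT/APPHOST'

# 0. The mapping module must actually be installed; without the role service the
#    section exists in the schema but nothing evaluates the mappings.
if (-not (Get-WindowsFeature -Name Web-Cert-Auth).Installed) {
    throw 'Role service Web-Cert-Auth (IIS Client Certificate Mapping Authentication) is not installed.'
}

# 1. Load the client certificate and derive the blob IIS stores: the DER bytes of
#    the certificate (identical to a .cer export), base64-encoded, no line breaks.
$cert = Get-Item "Cert:\LocalMachine\My\$ClientThumbprint"
$blob = [Convert]::ToBase64String($cert.RawData)

# 2. Pre-flight checks on the certificate itself.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed lab CA has no CRL
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation }) -join '; '
    throw "Client certificate does not chain to a root trusted by the server: $status"
}
$ekuExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ('1.3.6.1.5.5.7.3.2' -notin $ekuOids) {
    throw 'Client certificate lacks the Client Authentication EKU (1.3.6.1.5.5.7.3.2).'
}

# 3. The section is locked at server level by default; unlock it so the site-level
#    mapping is honoured, then enable one-to-one mapping and add the entry.
Set-WebConfiguration -PSPath $AppHost -Filter $Filter -Metadata overrideMode -Value Allow

$secure = Read-Host -AsSecureString "Password for $MappedUser"
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Filter `
    -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Filter `
    -Name oneToOneCertificateMappingsEnabled -Value $true
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter "$Filter/oneToOneMappings" `
    -Name '.' -Value @{ enabled = 'true'; userName = $MappedUser; password = $plain; certificate = $blob }
$plain = $null

# 4. Verification: read the stored blob back, decode it, and compare thumbprints.
#    A whitespace- or line-break-damaged blob decodes to a different certificate
#    (or not at all), which is exactly the silent mismatch that surfaces as 403.7.
$mapping = Get-WebConfiguration -PSPath $AppHost -Location $SiteName `
    -Filter "$Filter/oneToOneMappings/add[@userName='$MappedUser']"
$storedBytes = [Convert]::FromBase64String($mapping.certificate)
$storedCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$storedBytes)
if ($storedCert.Thumbprint -ne $cert.Thumbprint) {
    throw "Stored mapping blob ($($storedCert.Thumbprint)) does not match the client certificate ($($cert.Thumbprint))."
}
Write-Host "Mapping for $MappedUser verified against certificate $($cert.Thumbprint)."
```

One-to-one mapping compares the whole presented certificate against the stored blob, so any difference between the bytes the browser sends and the bytes in the mapping (a re-issued certificate, a blob pasted with line breaks, a PEM header left in) fails the match with nothing more in the log than the 403.7. The unlock in step 3 matters too: if the section stays locked at server level, a site-level entry is ignored without any error being reported.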
Jun 23, 2020 07:07 AM | Yuk Ding
403.7 means that server-side Require SSL has been enabled and no valid client certificate could be passed to the IIS server. So please try to generate a trusted certificate with makecert or OpenSSL. Then you should be able to deliver the certificate.
Please try method 1 in this link:
If the reply is helpful, it is appreciated if you could mark it as answer.
Jun 24, 2020 06:21 AM | andrej.zozulya
Thank you for the idea, but no. Could you please provide the makecert command line that I have to try?
Both sides, server and client, have the same CA root, and each of them has its own proper client or server certificate. Both have a private key and everything I can possibly think of that they need. When opening a new session from the client, I get a request to choose a certificate. There is one (rightly so) visible. Everything I see in the certificate fits 100%. Right after it - 403.7. Maybe there is something wrong with the certificate(s) and they need something different besides those fields I put in. I don't know - the server is just refusing the connection and states nothing in the logs besides "403 7 5 …". Worth noting, the server-authentication certificate is accepted by the browser and the browser marks it as trustworthy. There is no difference between the server and client certificates besides (1.3.6.1.5.5.7.3.2)/(1.3.6.1.5.5.7.3.1) (and of course PK/PubK, thumbprint and so on).
Maybe there is some possibility to force IIS to be more verbose and at least show which authentication method was tried and what was wrong?