Getting 401.2 when certificate authentication is enabled

I configure the server so that only oriented certificates can get into the web service. It is configured to use SSL / Client certificates, anonymous authentication, asp.net impersonation, form authentication, and Windows authentication. One-to-one certificate mapping is enabled, and certificates are installed in the field with the corresponding user mappings. When I try to use the web service, I get 401.2. If I enable anonymous authentication, it works, but I do not want any old certificate to be able to access the website.

I have another machine that has anonymous authentication disabled in this configuration and it works. I'm not sure what the difference is.

+4
3 answers

The problem was what the software called, not the configuration. I reward natemrice with generosity, as he made good efforts to answer what ultimately was not a question.

edit: for more information, this actually turned out to be a mismatch between the certificate being sent (from the local field) and the certificate that was placed in the oneToOne mappings. The common name was the same, but the certificates were different (probably the first expired), so the certificate was simply not allowed.

+1
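The mismatch described in this answer (same common name, different certificate) shows up when thumbprints are compared instead of subject names. The following is an added example, not part of the original post: the certificate bytes, account name and password are constructed placeholders, and the XML is a constructed fragment shaped like the IIS `iisClientCertificateMappingAuthentication` section.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed placeholder bytes standing in for two DER-encoded certificates
# that share a common name but are separate issuances (not real X.509 data).
MAPPED_DER = b"constructed-cert CN=svc-client serial=01"
PRESENTED_DER = b"constructed-cert CN=svc-client serial=02"

# Constructed fragment shaped like the IIS one-to-one mapping section;
# the account name and password are placeholders.
CONFIG = """
<iisClientCertificateMappingAuthentication enabled="true"
    oneToOneCertificateMappingsEnabled="true">
  <oneToOneMappings>
    <add enabled="true" userName="EXAMPLE\\svc-client"
         password="[placeholder]" certificate="{cert}" />
  </oneToOneMappings>
</iisClientCertificateMappingAuthentication>
""".format(cert=base64.b64encode(MAPPED_DER).decode())


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, the value Windows displays as Thumbprint."""
    return hashlib.sha1(der).hexdigest().upper()


def mapped_thumbprints(config_xml: str) -> dict:
    """Return {thumbprint: userName} for each enabled one-to-one mapping."""
    result = {}
    for entry in ET.fromstring(config_xml).iter("add"):
        if entry.get("enabled", "").lower() == "false":
            continue  # a disabled mapping never authenticates anyone
        blob = "".join(entry.get("certificate", "").split())  # drop line wraps
        result[thumbprint(base64.b64decode(blob))] = entry.get("userName")
    return result


def mapped_user(config_xml: str, presented_der: bytes):
    """Return the account the presented certificate maps to, or None."""
    return mapped_thumbprints(config_xml).get(thumbprint(presented_der))


if __name__ == "__main__":
    print("mapped:", mapped_thumbprints(CONFIG))
    print("presented:", thumbprint(PRESENTED_DER), "->", mapped_user(CONFIG, PRESENTED_DER))
```

On a real server, export the client's certificate as DER and compare its thumbprint with the one computed from each mapping's `certificate` value.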

I ran into the same problem, but the solution above did not solve my problem. I configured IIS certificate authentication in a subdirectory of the website, not the website itself.

So this is wrong:

[image: Wrong usage]

And it is right:

[image: Correct usage]

As soon as I moved the configuration to the root of the website, everything worked perfectly.

I found a solution at http://blogs.msdn.com/b/saurabh_singh/archive/2009/06/13/avoid-this-confusion-around-client-certificate-mapping-in-iis-6-0-7-0.aspx.

+5

Have you issued your client certificates from the Certificate Server trusted by the clients / server? If you look at the Advanced Key Usage property in certificates, is Client Authentication one of its properties? Does IIS have a client certificate mapping role (see Image 1)? Did you enable Client Certificate Mapping and map users to a certificate? You need to import all client certificates and map them to user accounts here. You can remove all other client authentication methods once you have configured it here.


+1

Source: https://habr.com/ru/post/1398865/