ASP.NET Request.ClientCertificate Returning Null in IIS 7

I am migrating a web application from IIS 6 to IIS 7, and I am having problems obtaining a client certificate.

Part of the code I'm using looks like this:

HttpClientCertificate cert = Request.ClientCertificate;
if (cert.IsPresent)
{
    ...
}

On IIS 6, cert.IsPresent is always true. However, on the IIS 7 box it is always false. Both tests were performed with IE 8 from the same computer. The only change was the server URL, so the client must be configured correctly.

I do not receive any SSL connection errors (I view the page via https), and I have set SSL Settings -> Client certificates: Accept (the same as the IIS 6 configuration).

I went through and configured the IIS 7 server as close as possible to the IIS 6 server, but I still do not get the certificate.

Are there other areas I need to configure?

Also, if I set Client certificates: Require, I get a 403.7 error on the IIS 7 box. I don't know if this is a symptom, but the information may be useful...

+6
3 answers

This basically boils down to the client not providing a client certificate. This is why you get the 403.7 error when you require one. I believe you need this:

http://blogs.msdn.com/b/puneetgupta/archive/2009/08/03/where-is-the-client-certificates-ui-in-iis-7-0.aspx

Please let me know if this helps.

/ Daddy

+4

I came across this question looking for more information on how to get certificates working in IIS 7 and IIS 6. I see that @whosrdaddy's solution worked for the original poster. There is one more thing I had to track down.

One of the differences between IIS 6 and IIS 7 is that IIS 6 has a Directory Security tab in each website's configuration. For the server to request certificates in IIS 7, you must open the "SSL Settings" feature for the website or virtual directory you are configuring to see the "Client certificates:" option: Ignore, Accept or Require.

Make sure that this setting is not set to "Ignore", otherwise you will never receive certificates!

+3

IsPresent == false can be caused by several different things on both the server and the client. We hit all of them on the way to the final fix, and I will go through them in detail...

Server Problem #1 - The client certificate being passed has 1 or more certification paths that DO NOT exist on the server. Open the certificate, go to the Certification Path tab, and make sure that each of the root authorities is in the SERVER's Trusted Root Certification Authorities. Note: you do not need to install the certificate itself on the server, only the public keys of the root authorities in Certificates (Local Computer) \ Trusted Root Certification Authorities.

Server Problem #2 (the solution mentioned earlier) - In IIS, for the site, verify that SSL Settings is set to Accept OR Require (never Ignore). The advantage of using Require is that the IIS logs will show you a 403.7 error, whereas with Accept you will just get IsPresent == false with an HTTP 200 code.

Client Problem #1 - Same as Server Problem #1: the client must trust these authorities too!

Client Problem #2 - You have the trusted root certificates, but NOT the private key for the certificate itself. Make sure you install the .pfx (private key) in the certificate store, not the public key (.cer). You can check whether you have the private key by double-clicking the cert in the certificate store; on the General tab you will see a message saying so.

Client Problem #3 - You are placing the certificate in the wrong place. It is probably best to place your certificate in Certificates (Local Computer) \ Personal \ Certificates, not (Current User). This makes the certificate available to the process accounts that run your code and actually need access to it.

Client Problem #4 - Right-click the certificate (in the certificate store, not a .cer file) -> All Tasks -> Manage Private Keys... and make sure that the process account your code runs under has "Read" permission. A quick test of this (not recommended for production) is to add "Everyone" with Read to see if this is your problem.

0
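The checklist in this answer can be run as a script. The PowerShell below is an added diagnostic, not code from the thread: given a thumbprint and the account the code runs under, it reports the store location (Client #3), private key presence (Client #2), chain trust against the local Trusted Root store (Client #1 / Server #1), and the key file ACL (Client #4). It assumes PowerShell 3 or later, a CAPI RSA key (the usual case for an imported .pfx), and that you run it elevated on the machine holding the certificate.

```powershell
# Added diagnostic for the IsPresent == false checklist; not from the original thread.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$Account = 'IIS_IUSRS'   # assumption: replace with your app pool / service account
)

function Test-ClientCert {
    param([string]$Thumbprint, [string]$Account)
    $result = [ordered]@{}

    # Client #3: the cert should be in LocalMachine\Personal, not CurrentUser.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    $result.InLocalMachinePersonal = [bool]$cert
    if (-not $cert) {
        $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
        $result.InCurrentUserOnly = [bool]$cert
        if (-not $cert) { return [pscustomobject]$result }
    }

    # Client #2: a .cer import has no private key; a .pfx import does.
    $result.HasPrivateKey = $cert.HasPrivateKey

    # Client #1 / Server #1: every CA in the path must be in this box's Trusted Root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust only; revocation is a separate issue
    $result.ChainTrusted = $chain.Build($cert)
    $result.ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $result.TopOfPath = $last.Subject   # if ChainTrusted is false, this CA is what is missing

    # Client #4: the process account needs Read on the private key file
    # (what "Manage Private Keys..." edits). CAPI machine keys live under MachineKeys.
    if ($cert.HasPrivateKey) {
        try {
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
            $read = [System.Security.AccessControl.FileSystemRights]::Read
            $result.AccountHasRead = [bool]((Get-Acl $keyFile).Access | Where-Object {
                $_.IdentityReference.Value -like "*\$Account" -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $read) -eq $read)   # FullControl also satisfies this
            })
        } catch {
            $result.AccountHasRead = "unknown (CNG key or no access to key file): $_"
        }
    }
    [pscustomobject]$result
}

Test-ClientCert -Thumbprint $Thumbprint -Account $Account | Format-List
```

Run it on the server with the client certificate's public .cer imported to check Server #1; on the client it covers the four client-side items.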

Source: https://habr.com/ru/post/890626/
