
So we've just set up a site with IIS 8.0 that is normally accessible via port 80 with no certificate requirement.

  1. We've created a self-signed certificate.
  2. We've set up site bindings on port 443 with the self-signed certificate, IP address set to "All Unassigned", Host name field left empty.
  3. In the site's SSL Settings we've ticked "Require SSL".
    • If the option "Accept" under Client Certificates is selected, the site is accessible with the standard "this site can't be trusted" prompt.
    • If we select "Require" under Client Certificates, the site becomes inaccessible, with the 403.7 Forbidden error on the server and a 403 error when connecting from clients.

What we've tried:

  • Site restart
  • IIS restart
  • Machine restart
  • Selecting different certificate stores for that certificate, no luck
  • Creating a certificate in PowerShell with the New-SelfSignedCertificate command, no luck
  • Checking the C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA read/write rights, all were OK
  • The certificate seems OK; it displays the "You have a private key that corresponds to this certificate" prompt
  • Using SSL Diagnostics tool 1.1 displays no connectivity error

At this point we're baffled. It's like we're running in circles, yet we suspect that the self-signed certificate published by IIS 8.0 is broken (we've tried publishing a few and binding them on the site, with the same errors every time).

Specs: a virtualized Win Serv 2012 R2 (updated), 3.5 GHz, 4 cores, 4 GB of RAM, 80 GB of space, running with admin rights.

Any suggestions or answers would be appreciated.

Thomas
kekkec
    It sounds like everything is working the way it's supposed to work. What exactly is the problem you're trying to fix? – Michael Hampton Feb 15 '17 at 08:59
  • 3. b) this part is the problem. Using a self-signed certificate for authorization purposes fails. We'd like to give access to a site only to those with a certificate. – kekkec Feb 15 '17 at 09:48
  • `403.7` means _Forbidden - client certificate required._. Do you have client certificates? You've not stated so in your question. – garethTheRed Feb 15 '17 at 10:14
  • The self-signed certificate from the IIS server was installed on a client, and it didn't recognize it. What we're trying to do: we have a site for file sharing, and we'd like only the users with the certificate to have access to it. That certificate is self-published/self-signed. The site does not accept its own certificate. I do apologize for any inconvenience and for the syntax; English is not my first language. – kekkec Feb 15 '17 at 10:34
  • A server can only accept the client certificate if it can check it is valid. It can only do that if the certificate was signed by a Certification Authority which is trusted by the server. – garethTheRed Feb 15 '17 at 11:57
  • So, let me understand this: a self-signed certificate cannot be used as an authorization protocol in this case? Thanks for all the answers. – kekkec Feb 15 '17 at 13:12
  • It doesn't make sense that you're trying to enable client certificates. Why are you doing this? – Michael Hampton Feb 15 '17 at 15:54
  • To add a 2nd stage of authentication. Users must already log in to the file-share site with a username and password, and adding a certificate to access the site would add another layer of security, since the whole thing is sitting in a DMZ. – kekkec Feb 16 '17 at 12:48
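
One way to see on the server itself why the certificate is rejected, as an added example that is not from the question or the comments: PowerShell using the .NET X509Chain class to build the certificate's chain under the same conditions IIS checks before accepting a client certificate (a root in Trusted Root Certification Authorities and the Client Authentication usage). The thumbprint is a placeholder to replace with the certificate under test.

```powershell
# Added example (not from the question or the comments). Rebuilds the chain of a
# certificate in LocalMachine\My the way IIS does for a client certificate and
# prints the reason it fails, so 403.7 can be traced to a concrete chain status.
$thumbprint = '<THUMBPRINT-OF-CERT-UNDER-TEST>'   # placeholder, not a real value
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "Certificate $thumbprint not found in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation is skipped here so the run stays offline; IIS does check it.
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
# Require the Client Authentication EKU (1.3.6.1.5.5.7.3.2): a certificate
# issued only for Server Authentication is not valid as a client certificate.
$chain.ChainPolicy.ApplicationPolicy.Add(
    [System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2') | Out-Null

if ($chain.Build($cert)) {
    "Chain builds: the server can validate this certificate as a client certificate."
} else {
    "Chain fails (IIS answers 403.7). Reasons:"
    $chain.ChainStatus | ForEach-Object {
        "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim()
    }
}
# A self-signed certificate that sits only in the Personal (My) store reports
# UntrustedRoot here; placing it in Cert:\LocalMachine\Root makes the chain
# build, which is what garethTheRed's comment above describes.
```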

0 Answers