
I've been trying to set up a website with 2 way SSL in IIS 10. It's not going so great.

Already have a domain I got through NameCheap, and have DNS through CloudFlare (DNS only, no proxy).

The server has a certificate for that domain which I got through Certify with Let's Encrypt.

On that server I set up AD CS and used it to create a Certificate Authority.

CA Web Enrollment is active and accepts requests only from a VPN connection set up through RRAS (I didn't want it open to the internet, and BTW the VPN connection uses the certificate I got earlier, so that's working correctly).

The client PC started a certificate request and sent it to the server using CA Web Enrollment through the VPN. That request was then issued, and the resulting certificate and the CA certificate were then imported to the CurrentUser\My and LocalMachine\TrustedRoot stores respectively. I also checked that the client certificate has a private key.

So far the situation with the certificates is:

- Server: CA (LocalMachine\TrustedRoot (no key) and LocalMachine\My (key)), Server Certificate (LocalMachine\My (key)).

- Client: CA (LocalMachine\TrustedRoot (no key)), Client Certificate (CurrentUser\My (key)).

Then comes the IIS configuration: there are three sites on the server. The 1st one is the default one with the certsrv app; it listens only on the VPN IP and localhost, and only has HTTPS active with the server certificate (port 443 on both). The 2nd one is an FTP site which only listens on the VPN IP and port 21. These are irrelevant, I mention them only because I don't want to leave anything out.

The 3rd one is the one we care about. It listens on the domain name, any IP, and has both HTTP and HTTPS active (ports 80 and 443 respectively). HTTP is only active so URL Rewrite can redirect it to HTTPS, and HTTPS uses the server certificate.

This site has Require SSL enabled and Client Certificates set to Require.

In Authentication all methods are disabled.

In system.webServer/security/authentication/iisClientCertificateMappingAuthentication I have Enabled set to true, and manyToOneCertificateMappingsEnabled set to true. Inside manyToOneMappings I have one item mapped to a user on the server, and inside rules I have one with certificateField=Issuer, certificateSubField=CN, and matchCriteria="name of the CA I created".

A registry key named SendTrustedIssuerList with a value of 1 was created inside Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL.

The server certificate was removed and re-added with clientcertnegotiation=enable to the domain:443 binding on the site using netsh in PowerShell.

Lastly, I used IISCrypto from https://www.nartac.com/Products/IISCrypto/ to set up protocols inside Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols.

That's all I've done so far and it should cover all responses to similar issues all over the internet, but all it does is give me a 403.7 error. I used Wireshark to check the TLS traffic during a connection attempt and the server does seem to send the certificate request with the trusted CA list (my CA included on the list), but I can't get any browser to prompt me for a client certificate. Oh, forgot to mention: I did add the CA and client certificates through the browsers, and IE 11 has the "Do not prompt for client certificate selection when only one certificate exists" option disabled, but still nothing.

Any ideas?

1 Answer

Got it working in the end. IIS was set up properly, the issue was with the certificates, dunno why but the browsers didn't like them. So I removed AD CS from the server and remade the CA and client certificate with PowerShell. These new certificates are working just fine and all browsers prompt me for them after putting them where they have to go.

BTW the PowerShell commands were the following:

# Self-signed root CA: the key usage marks it as a certificate/CRL signer.
$params = @{
   DnsName = "CA Name"
   KeyLength = 2048
   KeyAlgorithm = 'RSA'
   HashAlgorithm = 'SHA256'
   KeyExportPolicy = 'Exportable'
   NotAfter = (Get-Date).AddYears(5)
   CertStoreLocation = 'Cert:\LocalMachine\My'
   KeyUsage = 'CertSign','CRLSign'
}

$rootCA = New-SelfSignedCertificate @params

# Export the CA public certificate and place it in the machine's Trusted Root store.
Export-Certificate -Cert $rootCA -FilePath "C:\path\to\file\ca-public.crt"

Import-Certificate -CertStoreLocation 'Cert:\LocalMachine\Root' -FilePath "C:\path\to\file\ca-public.crt"

# Client certificate signed by the CA above (Subject is prefixed with CN= automatically).
$params = @{
   Subject = "Client Name"
   Signer = $rootCA
   KeyLength = 2048
   KeyAlgorithm = 'RSA'
   HashAlgorithm = 'SHA256'
   KeyExportPolicy = 'Exportable'
   NotAfter = (Get-Date).AddYears(5)
   CertStoreLocation = 'Cert:\LocalMachine\My'
}

$clientCert = New-SelfSignedCertificate @params

# Export the client certificate with its private key (PFX) for import on the client PC.
Export-PfxCertificate -Cert $clientCert -FilePath "C:\path\to\file\client-private.pfx" -Password (ConvertTo-SecureString -AsPlainText 'password' -Force)

Then you just have to import the certificates to the appropriate stores on the client machine.

Dunno what was missing from the certificates created with AD CS, but I'm glad to have a working solution.
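As an added example (not part of the original answer), the following PowerShell function checks a client certificate against the conditions the IIS setup in the question depends on: a private key, a Client Authentication EKU, a chain that builds to a trusted root, and an issuer CN equal to the matchCriteria of the many-to-one mapping rule. The function name, the store path default and the thumbprint/CA name arguments are assumptions to be replaced with your own values.

```powershell
function Test-ClientAuthCert {
    # Added example, not from the original post. Checks one certificate for the
    # properties SChannel and the IIS many-to-one mapping rule rely on.
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string]$ExpectedIssuerCN,
        [string]$StorePath = 'Cert:\CurrentUser\My'   # LocalMachine\My on the server
    )
    $cert = Get-ChildItem -Path (Join-Path $StorePath $Thumbprint) -ErrorAction Stop
    $results = [ordered]@{ Subject = $cert.Subject }

    # 1. Without a private key the browser cannot sign the TLS CertificateVerify message.
    $results['HasPrivateKey'] = $cert.HasPrivateKey

    # 2. If a Key Usage extension exists it must allow DigitalSignature.
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $results['DigitalSignatureKU'] = if ($ku) { [bool]($ku.KeyUsages -band 'DigitalSignature') } else { $true }

    # 3. If an EKU extension exists it must include Client Authentication (1.3.6.1.5.5.7.3.2).
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $results['ClientAuthEKU'] = if ($eku) { [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.2') } else { $true }

    # 4. The chain must build to a root in the Trusted Root store; the home-made CA
    #    publishes no CRL, so revocation checking is skipped here.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $results['ChainBuilds'] = $chain.Build($cert)
    $results['ChainStatus'] = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # 5. The issuer CN is what the mapping rule compares (certificateField=Issuer, certificateSubField=CN).
    $issuerCN = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
    $results['IssuerCN'] = $issuerCN
    $results['IssuerCNMatchesRule'] = ($issuerCN -eq $ExpectedIssuerCN)

    [pscustomobject]$results
}

# Example call on the client PC (placeholder values):
Test-ClientAuthCert -Thumbprint 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT' -ExpectedIssuerCN 'CA Name'
```

Any property reporting False points at the layer to fix: the key or store placement for the first, the certificate's extensions for the next two, trust for the chain, and the mapping rule's matchCriteria for the last.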