Avatar of consoll

asked on 

DRM license request using SSL client certificate - fails

We are running IIS 6.0 on Windows Server 6.0. And use Windows Media Player (WMP) 11 as client.

We have set up a DRM License Provider Service (license server) that issues DRM licenses upon requests from WMP (a .NET web-app). WMP requests a license from the this server when it tries to play our DRM protected media content.

Before issuing a license, we wish to authenticate the client using an SSL client certificate. So we create a CA-certificate which we install on the server. Then we install a client certificate signed by this CA on the client. Using Internet Explorer (IE) 6 or 7 we can access our web with no problem. The Client Authentication dialog box pops up, we select our client certificate, and get access to resources on the license server.

When WMP pops up a browser window to acquire a DRM license however, the SSL process seems to fail. We only get a page announcing: "HTTP Error 403.7 - Forbidden: SSL client certificate is required." The  Client Authentication dialog box never pops up. This is tested with WMP 11.

I have tried the remedies suggested in http://support.microsoft.com/kb/332077, with no luck.
Microsoft IIS Web ServerASP.NETSSL / HTTPS

Avatar of undefined
Last Comment
Avatar of Kamran Arshad
Kamran Arshad
Flag of Pakistan image


The Internet Explorer client certificate and the Internet Information Server (IIS) client certificate need to be synchronized.

Run the following three commands from a command prompt in the <%SystemRoot%>\System32\Inetsrv directory:

   Net Stop IISAdmin /y
   Net Start W3SVC


Avatar of consoll


I can't find the tool IISCA in <%SystemRoot%>\System32\Inetsrv on my server. From the articles concerning this (http://support.microsoft.com/kb/186812, http://support.microsoft.com/kb/190004/EN-US/) it seems that this does not apply to IIS 6.0?
Avatar of consoll


A strange thing here is that after having accessed the protected page through the Media Player's DRM license window, trying to access the page through IE 6 also fails with the same 403.7 error !  As mentionned in the initial post this does not fail when accessing the page directly (in freshly opened IE).
Avatar of consoll


I have discovered that one can avoid this "bug" (if it is indeed a bug...) by unchecking the "Acquire licenses automatically for protected content" option in MediaPlayer in the Privacy tab (on WMP 9, similar on 10 I think).  In WMP 10 this results in a warning being shown to the user when a media requires a license. The user must confirm that a third party site should be contacted to retrieve license. If the user confirms, the media player contacts the site and client side certificate authentication works.
Avatar of cj_1969
Flag of United States of America image

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup Zone:
PAQ - Refund
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
cj_1969 - Experts Exchange Cleanup Volunteer
Avatar of consoll


I have worked on this and found that there probably is no real solution. What happens is:
1. MediaPlayer (MP) sees that a media resource requires a license. It reads the license acquisition url.
2. MP tries to retrieve a license by silent delivery, ie with no user interaction. A request is sent to license server (at acquisition url).
3. The license server is set up to require client side authentication. It therefore responds with a client certificate request (not quite into the details and terminology of ssl handshake here, but I think this should give the general picture).
4. MP does not respond to this request (which is the cause of the whole problem). MP does not recognize the response as a license so it pops up an IE window and sends the same request (license challenge) again, this time for a non-silent delivery. The server is not very impressed with this client that seems to be  ignoring its request for a client certificate, and gives an error message.

I have found a work-around to the problem: I now let the first page that the MediaPlayer request be unprotected (this is the license acquisition url), so that it is correctly displayed in the IE popup. This page merely redirects the client to the protected page. Now we are in an IE window and the client therefore responds correctly to the servers client certificate request.
Avatar of Computer101
Flag of United States of America image

Blurred text
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial

The successor to Active Server Pages, ASP.NET websites utilize the .NET framework to produce dynamic, data and content-driven web applications and services. ASP.NET code can be written using any .NET supported language. As of 2009, ASP.NET can also apply the Model-View-Controller (MVC) pattern to web applications

Top Experts
Get a personalized solution from industry experts
Ask the experts
Read over 600 more reviews


IBM logoIntel logoMicrosoft logoUbisoft logoSAP logo
Qualcomm logoCitrix Systems logoWorkday logoErnst & Young logo
High performer badgeUsers love us badge
LinkedIn logoFacebook logoX logoInstagram logoTikTok logoYouTube logo