  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1652

SSL client certificate is required

We have several web sites that are password protected and SSL enabled, but not PKI enabled.  A few users from one of our hosted sites state that they are being prompted to provide PKI credentials when trying to access the site.  Our server is running Windows 2003.  We are ignoring certificates and using basic authentication.  The following is the error that the users receive:

HTTP Error 403.7 - Forbidden: SSL client certificate is required
 
As you probably know, PKI settings are established server-wide and not by individual site.  We have over 100 password protected/SSL enabled sites on the same web server.  None of the other hosted web sites are experiencing the same problem.  Is it safe to assume that the problem is not a server issue, but with the users' browser or perhaps required by a firewall setting?  If so, do you know of a solution?
 
Any information is greatly appreciated.
Asked by: John Sheehy
 
Paranormastic (Cryptographic Engineer) commented:
SSL indicates PKI - PKI is anything certificate related, which SSL uses certs.  PKI settings CAN be established server wide, but are normally set for individual sites.  The cert may apply to the whole server, but whether to force SSL, etc. is a setting for the site as you want your password pages SSL enabled, but typically not the entire site as this would result in major performance issues.

This type of setting for requesting client certs can be enabled for an individual page.  Presuming IIS, open up the page and look on the File Security tab, then click Edit under Secure Communications, then see if it may be set for "require client certificates".  If not here, then work your way up the tree for the site and see if the same may exist, it may be under Directory Security tab for other areas.
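Added example, not part of the original answer and not Microsoft's code: a Python sketch of the "work your way up the tree" check, resolving the effective client-certificate setting for a page from per-node overrides. It assumes the IIS 6 metabase `AccessSSLFlags` bit values and pipe-separated flag names; the XML excerpt, site id and paths are constructed and simplified.

```python
import xml.etree.ElementTree as ET

# IIS 6 metabase AccessSSLFlags bits (assumed from the metabase property reference).
FLAGS = {"AccessSSL": 0x08, "AccessSSLNegotiateCert": 0x20,
         "AccessSSLRequireCert": 0x40, "AccessSSLMapCert": 0x80, "AccessSSL128": 0x100}

# Constructed, simplified MetaBase.xml excerpt (hypothetical site id and paths).
SAMPLE_METABASE = """<MBProperty>
  <IIsWebService Location="/LM/W3SVC" AccessSSLFlags="0"/>
  <IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT" AccessSSLFlags="AccessSSL"/>
  <IIsWebDirectory Location="/LM/W3SVC/1/ROOT/sites/teamA"
      AccessSSLFlags="AccessSSL | AccessSSLNegotiateCert | AccessSSLRequireCert"/>
  <IIsWebFile Location="/LM/W3SVC/1/ROOT/sites/teamB/admin.aspx"
      AccessSSLFlags="AccessSSL | AccessSSLNegotiateCert"/>
</MBProperty>"""

def parse_flags(text):
    """Accept a numeric value or pipe-separated flag names."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    value = 0
    for name in filter(None, (part.strip() for part in text.split("|"))):
        value |= FLAGS[name]
    return value

def load_overrides(xml_text):
    """Map lower-cased Location -> explicitly configured AccessSSLFlags."""
    overrides = {}
    for node in ET.fromstring(xml_text).iter():
        loc, raw = node.get("Location"), node.get("AccessSSLFlags")
        if loc and raw is not None:
            overrides[loc.lower()] = parse_flags(raw)
    return overrides

def effective_flags(overrides, location):
    """Walk from the node toward the root; the nearest explicit value wins."""
    parts = location.lower().rstrip("/").split("/")
    while len(parts) > 1:
        key = "/".join(parts)
        if key in overrides:
            return key, overrides[key]
        parts.pop()
    return None, 0

def client_cert_mode(flags):
    """Translate the flag bits into the three choices shown in the IIS dialog."""
    if flags & FLAGS["AccessSSLRequireCert"]:
        return "require"
    return "accept" if flags & FLAGS["AccessSSLNegotiateCert"] else "ignore"

def requiring_nodes(xml_text):
    """Nodes whose own setting would produce 403.7 for clients without a certificate."""
    return sorted(l for l, f in load_overrides(xml_text).items() if client_cert_mode(f) == "require")
```

A single directory or file override such as the constructed `teamA` node is enough to trigger 403.7 for one site while the virtual server itself is set to ignore client certificates.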
John Sheehy (Security Analyst, Author) commented:
We are hosting our websites using Windows SharePoint Services 2.0.  We are also using host headers.  We have one virtual server that hosts all of the SSL enabled websites.  I have verified on the virtual server settings under the secure communications section that we are ignoring client certificates.
Paranormastic (Cryptographic Engineer) commented:
Here's a guide for how to do this with SharePoint:
http://office.microsoft.com/en-us/sharepointportaladmin/HA011647711033.aspx
John Sheehy (Security Analyst, Author) commented:
Thank you for the URL.  I have verified that our configuration of the certificate is correct.  However, the content manager of one of our hosted sites is still being prompted for PKI credentials.

I am going to research to see if the problem is with the user's browser.
Paranormastic (Cryptographic Engineer) commented:
Might see if they have SSO (single sign on) or something where it might be prompting them for their PIN to access that?  Maybe they just don't use it for many things.  I know the smartcard software I used to test for was managed so the users may or may not have enrolled their own page - some pop up automatically and some are done on demand for training a page for recognition.  Our SSO was stored on the card, but there are plenty of other SSO products that are not smartcard enabled.

Maybe have them try on another box, another user account, etc.
John Sheehy (Security Analyst, Author) commented:
Roger that.  Thank you for the information.
Question has a verified solution.
