Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


SSL client certificate is required

Posted on 2008-10-09
Medium Priority
Last Modified: 2008-11-27
We have several web sites that are password protected and SSL enabled, but not PKI enabled.  A few users from one of our hosted sites state that they are being prompted to provide PKI credentials when trying to access the site.  Our server is running Windows 2003.  We are ignoring certificates and using basic authentication.  The following is the error what the users receive:

HTTP Error 403.7 - Forbidden: SSL client certificate is required
As you probably know, PKI settings are established server-wide and not by individual site.  We have over 100 password protected/SSL enabled sites on the same web server.  None of the other hosted web sites are experiencing the same problem.  Is it same to assume that the problem is not a server issue, but with the users browser or perhaps required by a firewall setting?  If so, do you know of a solution?
Any information is greatly appreciated.
Question by:John Sheehy
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
LVL 31

Expert Comment

ID: 22687159
SSL indicates PKI - PKI is anything certificate related, which SSL uses certs.  PKI settings CAN be established server wide, but are normally set for individual sites.  The cert may apply to the whole server, but whether to force SSL, etc. is a setting for the site as you want your password pages SSL enabled, but typically not the entire site as this would result in major performance issues.

This type of setting for requesting client certs can be enabled for an individual page.  Presuming IIS, open up the page and look on the File Security tab, then click Edit under Secure Communications, then see if it may be set for "requre client certificates".  If not here, then work your way up the tree for the site and see if the same may exist, it may be under Directory Security tab for other areas.

Author Comment

by:John Sheehy
ID: 22710935
We are hosting our websites using Windows SharePoint Services 2.0.  We are also using host headers.  We have one virtual server that hosts all of the SSL enabled websites.  I have verified on the virtual server settings under the secure communications section that we are ignoring client certificates.
LVL 31

Expert Comment

ID: 22720315
Here's a guide for how to do this with sharepoint:
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.


Author Comment

by:John Sheehy
ID: 22722128
Thank you for the URL.  I have verified that our configuration of the certificate is correct.  However, the content manager of one of our hosted sites is still being prompted for PKI credentials.

I am going to research to see if the problem is with the user's browser.
LVL 31

Accepted Solution

Paranormastic earned 2000 total points
ID: 22731568
Might see if they have SSO (single sign on) or something where it might be prompting them for their PIN to access that?  Maybe they just don't use it for many things.  I know the smartcard software I used to test for was managed so the users may or may not have enrolled their own page - some pop up automatically and some are done on demand for training a page for recognition.  Our SSO was stored on the card, but there are plenty of other SSO products that are not smartcard enabled.

Maybe have them try on another box, another user account, etc.

Author Comment

by:John Sheehy
ID: 22740619
Roger that.  Thank you for the information

Featured Post

Enroll in September's Course of the Month

This month’s featured course covers 16 hours of training in installation, management, and deployment of VMware vSphere virtualization environments. It's free for Premium Members, Team Accounts, and Qualified Experts!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Healthcare providers, insurance companies and other covered entities trust eFax Corporate to transmit their most sensitive documents. eFax Corporate can help your organization implement a HIPAA compliant cloud faxing solution.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question