• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 344
  • Last Modified:

Cannot secure web folder on IIS 6 with SSL

Hey fellow experts, need some help with locking down the site. I inherited a support of a website and I am having an issue securing several folders on a website SSL. The site is running on Win2K3 standard, IIS 6 (obviously), service pack 2, latest hotfixes. No server hardening has been done yet. The underlying code is C#, .Net, both .net 2.0 and 1.1.4 are in use .

The website has a certificate that client obtained from GoDaddy. The certificate appears to be valid and I have both .p7b and .cer.cs  files. Obviously cert chain is included as part of p7b. I'm not a PKI expert, so my knowledge is somewhat spotty. I've installed the cert in personal store and that allowed me to configure the website with the certificate. When I select it - it shows that cert is available.

The main page is supposed to be open to public say, http://www.somecorp.com. When customer hits the site, they have an option to log in as an admin or a client. This corresponds to /admin and /client sub-folders.  When I select directory security for www.somecorp.com/admin and tell it to require SSL, 128bit and then remove basic and integrated authentication, the site does not come up. The log was showing 403 15 5 - so, I granted the IUSR_computername account read rights to the content folder and also made sure that document type was registered. However, still no luck.

I'd appreciate some thorough step-by-step advise on what to do to get the https: to work on /admin and /client folders.

Thanks in advance.
1 Solution
Leon FesterSenior Solutions ArchitectCommented:
Enable logging on the site and then view which pages are causing the error.
Your site could be using frame so the url in your browser isn't really displaying the correct page with the error.

P.S. did you try to navigate the site without SSL enabled?
Do you get the same error?
SSL should only really help with configuring the HTTPS protocol, thus enabling a secure channel.
it doesn't really have anything to do with granting permissions to sites/folders.
Whats the actual error your seeing on the webpage?

A http 403.15 error is:
403.15 - Client Access Licenses exceeded.

Is your log definatly showing 403 15   and not 403 1 5  (eg with a space?)

Could there be a licensing issue with the web application?

CynepMeHAuthor Commented:
So, I found the solution to the issue. Several things:

I ran Microsoft SSL Diagnostics tool - that showed that the cert was invalid and that it could not validate it. I found out the hard way that the server was recently rebuilt, before I took over. While cert was installed, it was only the "public" cert - without the private keys. Once I re-created a CSR, got a new set of private/public keys - the cert installed without any issues and SSL began working again. So, just because cert shows up under "Select existing certificate", do not assume it is valid - always validate first with something as simple as SSL Diagnostics tool:


Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now