Setup SSL Mutual Authentication

I am trying to set up SSL Mutual Authentication in IIS. When I try to access any method of the web service on the server side, passing the client certificate, it throws a Forbidden 403 error.
Please let me know how to set it up in IIS.
Vibhug Asked:

Vibhug (Author) Commented:
Also, I have added the client certificate in the CA trust root, but it still doesn't show the certificate when I directly access the web service. It shows the dialog box asking me to select a certificate, but doesn't show any certificate in the list.
0
Paranormastic (Cryptographic Engineer) Commented:
The client cert was issued from a CA right?  The CA Trust Root should point to the root CA certificate, not the client cert.

The client cert needs to have the 'Client Authentication' listed under Enhanced Key Usage (EKU) - verify this on the Details tab of the client cert.

Make sure the cert is listed in certmgr.msc under Personal - Certificates.  When you open it on the client box make sure on general tab there is a message at the bottom saying you have the private key.  If not, then go on Details tab and copy the serial number, paste serial number into notepad and remove spaces and copy again, open cmd - certutil -user -repairstore My %pasteSerialNumber%
0
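The checklist above (Client Authentication EKU, private key present, root CA rather than the client cert in Trusted Root) can be run as one pass over the Personal store. This is an added example, not from the thread; it assumes PowerShell on the client machine and reads the current user's store.

```powershell
# Added example: audit client certificates in Cert:\CurrentUser\My for the
# properties a browser needs before it will offer them in the certificate picker.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Enhanced Key Usage OID for Client Authentication

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Pull the EKU extension; a cert with no EKU extension is unrestricted,
    # one with an EKU that lacks Client Authentication will never be offered.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = if ($ekuExt) {
        ($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuthOid
    } else { $true }

    # Build the chain: this succeeds only if the issuing root (not the client
    # cert itself) is in the Trusted Root store. Revocation is skipped here so
    # an offline lab box does not fail for the wrong reason.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        # Serial without spaces, the form certutil -repairstore My <serial> expects
        Serial        = $cert.SerialNumber
        ClientAuthEKU = $hasClientAuth
        HasPrivateKey = $cert.HasPrivateKey
        ChainTrusted  = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        NotAfter      = $cert.NotAfter
    }
} | Format-Table -AutoSize
```

A row with ClientAuthEKU, HasPrivateKey or ChainTrusted set to False explains an empty certificate picker; a False in HasPrivateKey is the case the certutil -repairstore step above is meant to fix.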
yasserk Commented:
The client cert was issued from a CA.

The client cert is marked only for the Server Authentication purpose. I am not able to add the purpose for client authentication.

The client certificate is listed in certmgr.msc under Personal - Certificates. Where should I check it for the private key? From certmgr.msc itself?
0

Vibhug (Author) Commented:
The private key is visible now. The problem is still the same.
Should I also download the GeoTrust Root CA as the root certificate?
0
Vibhug (Author) Commented:
Hello Paranormastic,

Everything is the same as you asked for. I still have the same problem. Just to make sure, how should I get the root CA certificate? I feel the problem might be there. I went to the site of the issuer of the client certificate, downloaded the Root Certificate and added it in the CA trust root. Please let me know if I am wrong on this.
0
Paranormastic (Cryptographic Engineer) Commented:
Server Authentication isn't going to do it.  You need to get a certificate based off of the User template (or a template duplicated from User).
0
Paranormastic (Cryptographic Engineer) Commented:
The last post was assuming it was issued from your own CA.  If it was issued from GeoTrust, then you should talk to them about getting your money back and getting a user certificate with the Client Authentication EKU; if they have one, they should be able to recommend a product for you.  The server and client would need to trust the root certificate of whatever CA. If it is GeoTrust, there is a very good chance it is already there; they have been around for a long time and have extremely good product integration.
0
yasserk Commented:
Can you please describe, in a set of steps, exactly how we should be configuring Mutual SSL authentication on IIS 6 for ASP.NET C# Web Services? I would appreciate it if you could lay out exactly which type of certificate is required on the server and client, how it will be configured on either side, and what is required in the code to actually make it work.
0
yasserk Commented:
On the server itself, where I have hosted the web service, when I try to access the web service from the browser it shows the client certificate in the list. When I select the certificate and click OK it opens the web service, while if I don't select the certificate and click OK it doesn't take me to the web service page and shows the error "The page requires client certificate" on the page.

When I try to access the URL of the server to reach the web service from my local machine or any other machine, it doesn't show the client certificate in the list in the dialog box.

Please suggest how I should proceed.
0
yasserk Commented:
We are able to authenticate with valid certificates issued by a valid CA, but the same approach is not working for test certificates. Is there another way to do authentication with test certificates?
0
yasserk Commented:
We are able to use valid certificates signed by a trusted CA as the client certificate successfully, but we are not able to use a self-signed certificate as the client certificate.

We have stored the self-signed certificate in the local machine account as well as the same certificate in the Trusted Root store. Now, when we go to give IIS permission to this certificate, it gives the error "Private key is not accessible". Of course, the self-signed certificate we are using doesn't have a private key. Is there any other way to give permission to a self-signed certificate to be used as the client certificate? Please suggest.
0