HTTPS/SSL IIS 403 error

I am getting the error below when I try to access an HTTPS website hosted on IIS (did all required configurations).
The website is configured with "many-to-one certificate mapping" enabled.
With IIS --> website --> SSL Settings --> Require SSL --> Ignore/Accept, it works fine.
But when I set IIS --> website --> SSL Settings --> Require SSL --> Require, I get a 403 error
(though I am sending a valid client certificate):
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
ram27 asked:
arnold commented:
Requiring a client certificate means you actually have to import the public certificate against which the user-provided certificate will be compared.

I.e. you tell a guard to check all persons wanting to enter, requiring that they present an ID.
As you did with IIS, you update the instruction to only allow certain people.
Shortly you get a call from Jane, who was denied access.
Reason: you did not provide the guard with a list, per the new requirements, identifying who is permitted to enter once identified.

To clarify, do you have an internal CA that issues the client certs to those who would be accessing the site?
0
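The "list for the guard" in the comment above is, in IIS terms, a many-to-one mapping whose rules match the client certificates you want to accept. As an added example (not from the thread, and not the asker's actual configuration), the following PowerShell configures such a mapping end to end. It assumes IIS 7 or later with the "IIS Client Certificate Mapping Authentication" role service installed and the WebAdministration module available; the site name, issuing CA name and mapped account are placeholders.

```powershell
# Added example: IIS many-to-one client certificate mapping via PowerShell.
# Assumes the IIS Client Certificate Mapping Authentication feature is installed.
# Site, CA name and account below are placeholders, not values from the question.
Import-Module WebAdministration

$site     = 'Default Web Site'            # placeholder
$issuerCN = 'Contoso Issuing CA'          # placeholder: CN of the CA that issues the client certs
$mapUser  = 'CONTOSO\svc-certmapped'      # placeholder: account the mapped clients run as
$secure   = Read-Host -AsSecureString 'Password for mapped account'
$mapPass  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))

$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'

# 1. The section is locked at server level by default; unlock it so the site
#    can carry its own mapping settings.
Set-WebConfiguration -PSPath $appHost -Filter $filter -Metadata overrideMode -Value Allow

# 2. Enable the feature for the site, many-to-one only.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter -Name manyToOneCertificateMappingsEnabled -Value $true
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter $filter -Name oneToOneCertificateMappingsEnabled -Value $false

# 3. Add one mapping plus a rule: any client cert whose Issuer CN equals
#    $issuerCN is accepted and runs as $mapUser. With no enabled mapping whose
#    rules match, IIS rejects an otherwise valid certificate with 403.
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$filter/manyToOneMappings" -Name '.' -Value @{
    name = 'IssuedByContosoCA'; enabled = 'True'; permissionMode = 'Allow'
    userName = $mapUser; password = $mapPass
}
Add-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter "$filter/manyToOneMappings/add[@name='IssuedByContosoCA']/rules" -Name '.' -Value @{
    certificateField = 'Issuer'; certificateSubField = 'CN'
    matchCriteria = $issuerCN; compareCaseSensitive = 'False'
}

# 4. Require SSL and a client certificate (the "Require" radio button in the
#    SSL Settings page). "Ssl,SslNegotiateCert" alone is the Accept setting.
Set-WebConfigurationProperty -PSPath $appHost -Location $site `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert,SslRequireCert'

# 5. Show what was written.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$filter/manyToOneMappings/add" |
    Select-Object name, enabled, permissionMode, userName
```

Matching on the issuer rather than `certificateField='Subject'` with `matchCriteria='*'` keeps the mapping from accepting every certificate IIS can chain to any trusted root; the password is written to applicationHost.config encrypted by IIS, so use a dedicated low-privilege account for it.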
btan (Exec Consultant) commented:
Often the file system permissions are correct, but IIS still won't let users through if the authentication settings are wrong. The client certificate must be installed under a personal account, not Local Machine, and it should be in the Personal store, not the Trusted People store.
The problem was that the CA cert that I used to sign the client certs was installed in the "Current User" Trusted Root Certificates store on the server running IIS. It needs to be installed in the "Local Computer" Trusted Root Certificates store, since IIS runs as a local service account, not the current user. Unless it is installed in the "Local Computer" store, IIS will not be able to validate the client certificates and will throw back a 403 error.

Use the MMC Certificates snap-in "Import" function to manually install the CA cert in the "Local Machine" Trusted Root Certificates store. Just double-clicking on the CA cert in Explorer installs it in the "Current User" Trusted Root Certificates store by default, leading to the 403 issue.

On the client machines, installing the CA cert in the "Current User" store is fine, since the browser runs as the "Current User" and thus has access to this store. It's just the computer running IIS that needs the CA cert installed in the "Local Machine" store.
https://ondrej.wordpress.com/2010/01/24/iis-7-and-client-certificates/
0
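The store mix-up described in the answer above is easy to confirm from the IIS server itself. The following is an added PowerShell example, not code from the thread or the linked post: it reads the issuer off a client certificate, checks whether that issuer is present in `Cert:\LocalMachine\Root` (the store IIS consults) as opposed to `Cert:\CurrentUser\Root` (which only the logged-on admin sees), imports the CA cert into the machine store when it is missing, and then builds the chain. File paths are placeholders.

```powershell
# Added example: verify, on the IIS server, that a client certificate's issuing
# CA is trusted in the LocalMachine store and not only in the CurrentUser one.
# Paths are placeholders, not values from the question.
$clientCertPath = 'C:\certs\client.cer'      # placeholder: public part of the cert the client presents
$caCertPath     = 'C:\certs\issuing-ca.cer'  # placeholder: the CA certificate that signed it

$client = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $clientCertPath

function Test-CaInStore([string] $storePath, [string] $issuerName) {
    # .NET renders Subject and Issuer in the same RDN order, so a string compare
    # of the CA's Subject against the client cert's Issuer is a usable diagnostic.
    $hits = Get-ChildItem $storePath | Where-Object { $_.Subject -eq $issuerName }
    return ($null -ne $hits)
}

$inMachineRoot = Test-CaInStore 'Cert:\LocalMachine\Root' $client.Issuer
$inUserRoot    = Test-CaInStore 'Cert:\CurrentUser\Root'  $client.Issuer
"Client cert issuer : $($client.Issuer)"
"LocalMachine\Root  : $inMachineRoot   <- the store IIS (running as a service) uses"
"CurrentUser\Root   : $inUserRoot   <- only your interactive session sees this one"

if (-not $inMachineRoot) {
    # Double-clicking the .cer in Explorer lands it in CurrentUser\Root.
    # Import-Certificate (PKI module, Windows 8 / Server 2012 and later) lets you
    # name the store. Use Cert:\LocalMachine\CA instead for an intermediate CA.
    Import-Certificate -FilePath $caCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    "Imported $caCertPath into LocalMachine\Root"
}

# Chain build. Note: your own session also sees CurrentUser\Root, so a passing
# build here does not by itself prove IIS can validate the cert; the explicit
# LocalMachine\Root check above is the decisive one.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'   # HTTP.sys checks client cert revocation by default
$ok = $chain.Build($client)
"Chain builds : $ok"
foreach ($st in $chain.ChainStatus) {
    "  {0}: {1}" -f $st.Status, $st.StatusInformation.Trim()
}
```

A chain status of UntrustedRoot after the import points at a different CA having signed the certificate than the one you imported; RevocationStatusUnknown or OfflineRevocation means the CRL distribution point in the certificate is unreachable from the server, which also produces a 403 at the Require setting even when the root is trusted.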
btan (Exec Consultant) commented:
For author advice.
0
btan (Exec Consultant) commented:
For consideration, since there were no further inputs.
0