IIS 7.5 Client certificate authentication

Question

I have asp.net site on my local machine.

IIS configuration: binding: https binding with self-signed certificate, ssl settings: Require SSL and Require client certificates

I have installed next certificates on my machine: CA certificate (call it 'CA Center') in Trusted Root Certification Authorities store. Client certificate issued by 'CA Center' in Personal store

I go to site and accept server certificate. But next i get error:

HTTP Error 403.7 - Forbidden. The page you are attempting to access requires your browser to have a Secure Sockets Layer (SSL) client certificate that the Web server recognizes.

That means browser (IE) doesn't send applicable client certificates to server.

What's wrong? Should I configure something else?

Answer 1

I had exactly this problem, and it took me an age to figure out the cause. Turned out it was because my computer was part of a domain, and there was some sort of group policy for that domain was restricting the trusted root certificates that IIS would be willing to accept. I don't know exactly what the setting was or how to alter it, but I found I could work around it by choosing to install my certificate into the enterprise physical store using the certutil command:

certutil -addstore -v -enterprise root CertificateAuthority.cer