When do I need "Negotiate Client Certificate" to be set to Enabled?

I optionally want to support Client Certificates. That's why I set Client certificates to Accept on IIS. This works on most machines. However, on some machines IIS returns a 500. This can either be "solved" by setting Client certificates to Ignore (which is not an option to me) or by setting Negotiate Client Certificate to Enabled (this can either be done with netsh http add ... or by changing DefaultFlags to 2 in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\0.0.0.0:443\; can this also be changed in IIS Manager?). While (enabling) this setting sounds reasonable just from looking at the name I don't understand why it's needed on some machines but not on others...

Dunken asked Feb 28 '18 07:02

1 Answer

TL;DR

You can enable this all the time if you require a client certificate to access any resource on the server. The primary reason is that some clients do not allow TLS re-negotiation due to possible Man-in-the-Middle (MITM) attacks.

You can disable this if your clients support TLS re-negotiation and the MITM risk is acceptable.

Description

IIS has two ways to negotiate TLS:

  • Where the client sends the client certificate in the initial request. This is useful when all resources on the server require TLS client authentication.
  • Where the client doesn't send the client certificate in the initial request, but later, after IIS performs a TLS re-negotiation. This is useful when only some resources require TLS client authentication.

The Negotiate Client Certificate setting determines which is used, the first if enabled, and the second if disabled. Here is more from Microsoft's blog:

  • If this setting is enabled, the client certificate will be sent by the client browser when the initial secure connection with the web-server is negotiated.
  • If it is disabled, an initial secure connection will be negotiated between the web-server and the browser based on the server certificate, and then the connection will be re-negotiated when the client sends the client certificate.
  • https://blogs.msdn.microsoft.com/friis/2017/01/16/the-complete-list-of-changes-to-make-to-activate-client-certificate-mapping-on-iis-using-active-directory/

Client Support and Error

The issue is that some clients do not re-negotiate the TLS session. If the client does not do this, you may encounter the following error in the server log. Setting Negotiate Client Certificate to Enabled can fix this.

The following fatal alert was generated: 20. The internal error state is 960.

  • https://blogs.iis.net/rickbarber/require-client-certificates-in-iis-7-5

TLS Re-Negotiation MITM Attack

A reason some clients do not re-negotiate the TLS connection is due to Man-In-The-Middle (MITM) attacks associated with TLS re-negotiation:

Since the discovery of the MITM attack around SSL Renegotiation, the answer in a lot of circles has been to hang up on renegotiation requests.

  • Make IIS require SSL client certificate during initial handshake
  • http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.156.4428&rep=rep1&type=pdf
  • https://security.stackexchange.com/questions/63867/ssl-tls-renegotiation-handshakes-mitm-plaintext-data-injection-medium-or-low

The clients requiring Negotiate Client Certificate likely do this to prevent MITM attacks during TLS re-negotiation.

Summary

If you have no issue requiring client certificates for all IIS resources, enabling this feature may allow you to interoperate with more clients and enable you to further protect your traffic.

Disable this to support differential TLS client authentication support while understanding the MITM risks.

Grokify answered Sep 17 '22 16:09
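The following PowerShell script is an added example (it is not part of the question or the answer above) showing how to check and change the http.sys "Negotiate Client Certificate" flag that the answer describes, using only `netsh http show/delete/add sslcert` and the `DefaultFlags` registry value the question mentions. It assumes the site is bound to `0.0.0.0:443`, that the binding already has a certificate attached, and that it runs in an elevated session; the function names are the example's own. The bit values assigned to `DefaultFlags` are the `HTTP_SERVICE_CONFIG_SSL_FLAG_*` constants from http.sys (1 = Use DS Mapper, 2 = Negotiate Client Certificate, 4 = No Raw Filter), which is why the question's "set DefaultFlags to 2" works.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original post. Inspect and change the
# http.sys "Negotiate Client Certificate" flag on one SSL binding.
# Assumptions: the binding is 0.0.0.0:443 (change $IpPort otherwise) and it
# already carries a certificate; run from an elevated PowerShell session.

$IpPort  = '0.0.0.0:443'
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\$IpPort"

# DefaultFlags is a bitmask of HTTP_SERVICE_CONFIG_SSL_FLAG_* values.
$FlagUseDsMapper         = 1   # map the client cert to an AD account (DS Mapper)
$FlagNegotiateClientCert = 2   # request the client cert in the initial TLS handshake
$FlagNoRawFilter         = 4

function Get-SslBindingInfo {
    param([string]$IpPort)
    # Parse "netsh http show sslcert" for the one binding we care about.
    $out = netsh http show sslcert ipport=$IpPort
    if ($LASTEXITCODE -ne 0) { throw "No http.sys SSL binding found for $IpPort" }
    $info = @{}
    foreach ($line in $out) {
        if     ($line -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)')         { $info.CertHash  = $Matches[1] }
        elseif ($line -match '^\s*Application ID\s*:\s*(\{[0-9a-fA-F-]+\})')      { $info.AppId     = $Matches[1] }
        elseif ($line -match '^\s*Certificate Store Name\s*:\s*(\S+)')           { $info.Store     = $Matches[1] }
        elseif ($line -match '^\s*Negotiate Client Certificate\s*:\s*(\w+)')     { $info.Negotiate = $Matches[1] }
    }
    return [pscustomobject]$info   # .Negotiate is "Enabled" or "Disabled"
}

function Get-DefaultFlagsFromRegistry {
    param([string]$RegPath)
    # Same information read from the registry value the question edits by hand.
    $flags = (Get-ItemProperty -Path $RegPath -Name DefaultFlags -ErrorAction Stop).DefaultFlags
    [pscustomobject]@{
        DefaultFlags        = $flags
        NegotiateClientCert = [bool]($flags -band $FlagNegotiateClientCert)
        UseDsMapper         = [bool]($flags -band $FlagUseDsMapper)
        NoRawFilter         = [bool]($flags -band $FlagNoRawFilter)
    }
}

function Set-NegotiateClientCert {
    param([string]$IpPort, [bool]$Enabled)
    $b     = Get-SslBindingInfo -IpPort $IpPort
    $state = if ($Enabled) { 'enable' } else { 'disable' }

    # The flag lives on the http.sys binding, so the binding is re-created with
    # the same certificate and application ID plus clientcertnegotiation=...
    # (this drops the binding for a moment; do it in a maintenance window).
    $netshArgs = @("ipport=$IpPort", "certhash=$($b.CertHash)", "appid=$($b.AppId)",
                   "clientcertnegotiation=$state")
    if ($b.Store -and $b.Store -ne '(null)') { $netshArgs += "certstorename=$($b.Store)" }

    netsh http delete sslcert ipport=$IpPort | Out-Null
    netsh http add sslcert $netshArgs
    if ($LASTEXITCODE -ne 0) {
        throw "netsh http add sslcert failed for $IpPort; re-add the binding manually"
    }
    return (Get-SslBindingInfo -IpPort $IpPort).Negotiate
}

# Usage: show the current state from both sources, then (uncomment) enable the flag.
Get-SslBindingInfo -IpPort $IpPort | Format-List
Get-DefaultFlagsFromRegistry -RegPath $RegPath | Format-List
# Set-NegotiateClientCert -IpPort $IpPort -Enabled $true
```

Two practical notes. IIS Manager's SSL Settings page only sets Ignore/Accept/Require for client certificates and exposes no control for this http.sys flag, so the change has to be made with netsh (as above) or by editing `DefaultFlags`; the netsh route takes effect immediately, whereas a direct registry edit is only picked up after the HTTP service is restarted (`net stop http /y` followed by `iisreset`). Also confirm afterwards that `Get-SslBindingInfo` reports `Negotiate : Enabled` and that the "fatal alert ... 20" entries quoted in the answer stop appearing in the System log for the clients that previously failed.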