IIS cant validate my client certificate - ssl

I've tried setting up SSL for localhost running my azure web role.
What I've done is that I've created my own CA, created a client and server certificate and then installed them all in my certificate store. The server certificate is located in the local computer personal certificates, the client certificate is installed in the current user store under personal and the CA certificate is installed in trusted root certificates in both stores.
I've also configured my IIS website to use SSL and used netsh to bind the server certificate to the ip the site is running on.
However when I try to access my website through the IIS, I get an error:
HTTP Error 403.16 - Forbidden
Your client certificate is either not trusted or is invalid.
I know for a fact that the certificates I use are issued by the same CA, so I cant really see any other reason than that the IIS probably cant access my trusted root store. When I deploy my solution to azure, it works without giving me this error, so I'm positive that its a configuration issue with the local IIS that I cant work out.
Any suggestions on what could be the problem here?

Related

Visual Studio 2022 Access is Denied when adding the certificate to the Trusted Root Certificates store

I recently changed my IDE from VS 2019 to 2022 and I have not been able to successfully debug an SSL web site without receiving the popup message:
This project is configured to use SSL. To avoid SSL warnings in the browser you can choose to trust the self-signed certificate that IIS Express has generated. Would you like to trust the IIS Express SSL certificate?
After clicking Yes, the following message pops up:
Adding the certificate to the Trusted Root Certificates store failed with the following error: Access is denied.
After doing some research I ran the following command in an administrative prompt:
dotnet dev-certs https --clean
dotnet dev-certs https --trust -v
This resulted in the following:
An error has occurred while trusting the certificate: Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: Access is denied.
at Internal.Cryptography.Pal.StorePal.Add(ICertificatePal certificate)
at System.Security.Cryptography.X509Certificates.X509Store.Add(X509Certificate2 certificate)
at Microsoft.AspNetCore.Certificates.Generation.WindowsCertificateManager.TrustCertificateCore(X509Certificate2 certificate)
at Microsoft.AspNetCore.Certificates.Generation.CertificateManager.TrustCertificate(X509Certificate2 certificate).
There was an error trusting HTTPS developer certificate.
So far, I have tried importing the localhost certificate directly into the Trusted Root Certification Authorities, changing permission on the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder, uninstalling IIS Express and repairing, and uninstalling and reinstalling VS 2022. So far nothing has worked, not sure what to try from here?
For people seeing this post and having the same issue. I 'fixed' this by doing the following:
Go to your Current User certificates store and click the Personal and then the Certificates folder. If you can see there a localhost certificate where the friendly name is something like IIS Express Development Certificate then try to move that certificate to the Trusted Root Certification Authorities --> Certificates folder.
If you get an Access Denied error then try to set the Physical certificate stores checkbox, as per this post: The certificate cannot be pasted into the Trusted Root Certification Authorities store. Access is denied, under (View --> Options), make sure you selected the root certificates file to see the View/Options menu.
Repeat the above steps also for the Local Computer certificates. For some reason sometimes my localhost certificate was stored under Current User and sometimes under Local Computer.
When starting the application the following 'error' should have dissapeard:
This project is configured to use SSL. To avoid SSL warnings in the
browser you can choose to trust the self-signed certificate that IIS
Express has generated. Would you like to trust the IIS Express SSL
certificate?
Though, in my case I got the ERR_CONNECTION_RESET error after doing the above. To fix this I had to manually add the localhost port certificate as per this post: https://stackoverflow.com/a/68804745/3242154
After doing the above it generated another certificate in my personal certificate folder for the specified port, I once again had to repeat steps 1-3 (depending in which certificates store it was created), then it finally worked without problems.

Provide SSL certificate for internal Website

I have a website in my local network and the website is not ssl secured.
Many clients can not reach the website because of
"ERR_SSL_VERSION_OR_CIPHER_MISMATCH"
Is there any way to secure websites in a local network with ssl? I am using an Active Directory Server in my network.
There are also a lot of local Websites on a vmware that are not secured. I would like to secure them easily.
• I would suggest you to please install ADCS (Active Directory Certificate Services) role in your Active Directory and create a self-signed SSL certificate through it for your internal use. Since, Active Directory is a trusted public key authentication infrastructure provider, the concerned role installed on it for the said purpose does not need certificates from globally trusted CA (certification authority) and can be thus, used locally. For the time being, if you want to create a self-signed SSL certificate on the concerned server, you will have to install ‘Web Server (IIS)’ role and then open the ‘IIS manager’ console from where you can generate the SSL self-signed certificate and bind the same to the website on that server itself. For this process, kindly refer to the link below which explains in detail the steps to be followed for generating a self-signed certificate and binding it to a website: -
https://www.thewindowsclub.com/create-self-signed-ssl-certificates-in-windows-10
Please note that the above stated process is for that server on which the website is hosted locally. Thus, the self-signed certificate generated will not be useful on other servers in your environment.
• To generate an SSL certificate for a web service/website that is hosted on a cluster of servers configured for the same purpose/website, then you will have to configure an SSL certificate template from a root CA, in your case, an AD server installed with ADCS role will serve as a root CA in your domain environment. Then assign that template to the CA (AD server in your case) for it to authorize the issuing of the configured SSL template to the concerned server where the website for which this SSL certificate is to be installed is hosted. For more detailed information regarding this, please refer to the documentation link below: -
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn781428(v=ws.11)#obtain-an-ssl-certificate-from-ad-cs
Please note that the above link states the issuing of the SSL certificate for an ADFS Server. You will need to change the Subject Name of the issued certificate to that website for which you are issuing this certificate.

Run same site with two different ssl ports on iis

I have my website https://www.MyWebSite.com running on port 433. But I also have a admin login that only are available from the office local network http://MyServer:9999/Login.aspx. Both addresses points to the same site but different bindings.
Is it possible to get the one on port 9999 to use https? I tried creating a self signed certificate in IIS but my browser still complained, even though I exported the certificate and stored it in my CA Trusted root.
So just to sum everything:
My regular site: https://MyWebSite.com <-- working fine
My admin login, only accessible via local network: http://MyServer:9999/Login.aspx works fine.
When adding a selfsigned certificate issued to "MyServer" (not MyWebSite) and add the new binding on port 9999 I though to the website but Chrome is giving me a warning NET::ERR_CERT_COMMON_NAME_INVALID, even though the cert is Issued To MyServer and are trusted
Is it possible to get the one on port 9999 to use https?
yes it is possible to setup another port with selfsigned
certificate.
Normally Selfsigned certificate will have fully qualified machine name
e.g. machinename.subdomain.domain so you have to browse using https://machinename.subdomain.domain:9999/
Please double check what error you are running into ,In chrome
Your connection is not private
Attackers might be trying to steal your information from in08706523d (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
in IE,you may get
There is a problem with this website’s security certificate.
The security certificate presented by this website was issued for a different website's address.
Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
In that case,assuming you have given hostname as * in IIS binding, and also installed the selfsigned certificate installed your "Root Certification Authorities " You should be able to browse to
https://machinename.subdomain.domain:9999/ without any issues

403 - Forbidden: Access is denied, certificates issue in IIS7

I have installed a renewed SSL certificate on my web server running IIS7.
After installation, I applied website binding to port 443.
My application uses client certificates too, so I have changed the SSL setting to Require 'client certificate'.
Both client and SSL server certificates are valid but still I am not able to access my application. The error I get is:
403 - Forbidden: Access is denied.
I have enabled client certificate mapping in IIS role settings also but still not getting rid of this 403 error.
I guess client certificate is not able to handshake with server certificate. Please help!
In certificate Store verified all server certificate and client cert with its authority hierarchy are available.
also cross check below settings
Application Authentication: Anonymous
Application SSL Setting: Require SSL/ Accept
ApplicationHost.config: enabled OnetoOneMapping under iisClientCertificateMappingAuthentication also added base64 certificate mapped with service accounts
Also based on my past experience we need to ensure we have SChannel registry setting as mentioned in below post.
https://support.microsoft.com/en-us/kb/2464556
Simplest workaround just discovered this today. In IIS for your application, Go to Edit Bindings and change your port number. 443 to 4431 or 44301. Any variation you want. In your client computer, type in the new URL using new port number and you will establish a fresh connection to application. Make sure you SSL Settings for IIS Application is set to "Accept" instead of "Require". This means you can click "Cancel" when the pop up asks you to select a certificate you can simply hit "Cancel" and still hit the site. No 403 Error.
Do not spend hours trying to mess with your certificate store, just simply change the port on IIS Server and you'll be fine.

Cannot Access LDAPS from webbrowser on Hyper V virtual machine

We have an test environmnet where the physical AD server is set up for LDAPS connections and a Hyper V virtual machine running the webserver with our AD management web app loaded up. We have set up the x509 certs on both the physical AD server and on the virtual webserver. We are able to link to the AD server using SSl via Ldap.exe with no problems. When we try to access through the web browser it fails to connect. The event logs show an Schannel event with
"The certificate received from the remote server was issued by an
untrusted certificate authority. Because of this, none of the data
contained in the certificate can be validated. The SSL connection
request has failed. The attached data contains the server
certificate."
If we try the same thing from two phyisical boxes it works fine and likewise if we try to access the AD server from a virtual machine without using LDAPS it works fine.
I have gone on to the server and via the certificate snap in deleted the hyper v virtual machine management's self signed trusted root cert and restarted the service with no change. I can't find anything else relevent to our setup to try.
Anyone have any insight in to what we are missing on the virtual machine that is causing this failure?
According to me the message :
"The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate."
Indicates that you do not intstall the public key certificate of the certificate authority on your client (Virtual Web server) certificate repository.
Try to install it on computer repository, but also on the reposository of the user which is in charge to start IIS.