I have one scenario where I am working on the IIS Website Configurations for URL Routing.
I have added the website and Import the required Certificates on the server.
My scenario is (I have multiple website URLs and two SSL Certs - as below):
qatest1.abc.com
qatest2.abc.com
qatest3.abc.com
Above 3 URLs need to be configured on one SSL Certificate - which is QA Certificate.
Another URL is:
perftest.abc.com
And for this URL there is a separate certificate as PERF (performance) certificate.
This is how the Task is given to me to configure the IIS Settings on MS IIS 10.
Now the Issues which I am facing is:
Not able to configure all the URLs configuration on the same IIS, as per the task given to me I am supposed to configure them all on the same IIS.
Getting a strange message (image attached) and it won't allow me to configure all my above website URLs on the same machine, on the same IIS.
Also trying to read about SNI (But Not sure about how to make use of SNI in this case).
Need help from IIS Experts who can support me on this activity to complete.
you could check the Server Name Identification by using this you can avoid the certificate prompt.
This feature offers an easier solution to hosting multiple sites that have a different or individual SSL on a single IP address.
Each HTTPS binding requires a unique IP/port combination because the Host Header cannot be used to differentiate sites using SSL.This is because the host header is not visible during the SSL handshake.
Server Name Indication (SNI) allows the server to safely host multiple TLS Certificates for multiple sites, all under a single IP address.
#1 - its possible via CLI commands (appcmd & netsh) or scripting (PowerShell) and programming (c#) but not with the IIS Manager GUI afaik.
#2 - (see #1). IIS Manager is stupid and will overwrite existing bindings with the last certificate selected. You end up with bindings attached to the wrong certificate if you click Yes. This is a limitation of IIS Manager GUI not IIS.
#3 - You want SNI turned on. It means you can have multiple certificates associated with the same IP address. Without SNI you would need 1 IP address per certificate
These 2 links will give you an idea how to use appcmd and netsh - this is the quickest/easiest way to create your desired configuration.
Adding a HTTPS binding to a site
Binding a certificate with netsh
If you know PowerShell("POSH") you can use the IISAdministration PowerShell cmdlet New-IISSiteBinding to create bindings and associate with a certificates thumbprint (though netsh is still useful for debugging and fixing issues).
Either approach your really configuring 2 things - IIS' bindings and Windows/SChannel/HTTPS.sys (the operating system component actually responsible for the 'S' in 'HTTPS'). Sometimes they get out of sync and the easiest fix is to delete and re-create the bindings (after clicking yes to "At least one other site is using the same HTTPS binding..." for example).
Few tips:
Once you start using this configuration IIS Manager or Windows Update/software installs will probably break your bindings at some point. Write a script that can remove and re-create all your bindings for port 443(only!) so you can easily fix future issues.
If you use netsh - its very fussy about the syntax. Order and spacing of parameters are important when using command netsh http add sslcert.
While your testing netsh http show sslcert and netsh http delete sslcert are very useful to try different configurations (this wont delete the cert, just the binding)
Cert needs to be in the Machine certificate store and make a note of the path. When using POSH or netsh always specify both certificate thumbprint and the store\path where the cert was installed.
If you need a default HTTPS binding on the IIS Site (eg load balancer healthchecks etc) add it before any named HTTPS bindings.
Final aside - if your domains are all 1 level under abc.com getting a wildcard certificate would save you a lot of bother. a single *.abc.com certificate would cover all your domains and you can avoid this limitation entirely.
Good luck!
I have been trying to get my MSMQ to pass messages over HTTPS without success. All outgoing messages sit in a queue with status "Waiting to connect".
This is not the case for messages over HTTP, they are received without issue.
I've created a Certificate Authority on the receiving machine, downloaded the cert chain and CA cert, installing under Trusted Root (Local Computer and Current User profiles).
I then exported the CA cert and installed that on the sending machine (under TRCA - Local Computer and Current User)
I have been able to navigate to the target MSMQ using internet explorer, this usually give a 501 not implemented error.
I don't really know why this isn't working and it's pretty fraustrating.
What other approaches can I take to get this to work??
Cheers
Niall
The screenshot shows that the server isn't properly accepting the HTTPS connection from the client.
You'll need to add more information to your question, including details of how you attempted to bind the Server Authentication certificate to the endpoint on which your server is listening.
I am dabbling with WCF and SSL and have hit a bit of a problem.
I have a self-hosted WCF service and a basic client which connects to request a token.
I have it set up on my development machine it appears to communicating over SSL just fine.
But when I set it up on a different machine to test the deployment the client keeps getting nothing back from the service.
I assume it has something to do with the certificates I have set up as this is the only thing I think could be different.
I have used the netsh command to associate my port with an existing certificate that was already on the server. And it appears the same as my dev machine (where I created the certificate with makecert manually.
I initially tried to follow the same steps on the deployment server but failed as there was already a certificate with a common name of the server, so eve though the certificate generated when ever I tried to use the cert hash thumbprint of the newly generated certificate I was being given the :
SSL Certificate add failed, Error: 1312
A specified logon session does not exist...
The only way I could get the netsh http add to work was by specifying the cert hash of the existing certificate.
Is this my problem or a red herring? How do you debug issues like this?
Personally I just configure WCF tracing. It usually provides more user friendly info about a problem. Here's a how to link Configuring Tracing
Hope it helps!
I have a WCF service that I want to secure with Client Certificates but I cannot get it to work on Azure.
I removed Azure from the equation by hosting the service on a standard Windows Server on Amazon. I installed both the service and client certificates (none are self-signed) into the Local Machine 'Personal' store on this server including the chained certificates and it all worked as expected, called from my local PC, with the client cert set against the binding/behavior. It did not work without the certificate being specified so it definitely worked correctly this way.
I then deployed the service to Azure. The client and server certificates are uploaded to the portal and set in the config against "Local Machine/My" and the CA and root certificates are uploaded and I tried them in various stores including "My", "Trusted" and "CA". Every variation I try, I continue to get "The HTTP request was forbidden with client authentication scheme 'Anonymous'" called from exactly the same program locally with the only change being the client endpoint address.
As another detail, I can get it to work without certificates so there is no problem with the web service but I am unsure how to work out what is actually happening with the certificate handshake between client and service.
I have finally got it to work, and have written a guide here: Blogspot.co.uk
I'm not sure what I had got wrong before since I have not done anything too weird to make it work. I think perhaps I had a small defect somewhere in configuration that I eventually fixed by starting again. Anyway, it DOES work and provides some useful security on Azure.
See my answer to this SO post - bottom line, cert in LocalMachine/My and run with elevated privileges in csdef file add:
<Runtime executionContext="elevated" />
Background:
I am updating an internal application to a two-step authentication process. I want to add a client certificate authentication process (via a smart card) on top of a traditional username/password form. The application is written in C#, hosted on IIS7, and targeting Chrome and IE8.
Problem:
I am having issues with getting the application to prompt the user for a client certificate. I have been debugging the application with the help of Fiddler. When I have a test client certificate saved in Fiddler's user's directory (C:\Documents and Settings\USER\My Documents\Fiddler2), the application works as expected. I am prompted for a PIN number protecting the smart card, and, when entered correctly, takes me to the login form. When I close Fiddler, the application throws a 403 Forbidden error instead (since Fiddler is no longer running and pointing to its certificate). What I haven't been able to figure out is why the application won't prompt for a certificate normally.
Current Server Setup:
Self Signed Certificate was created
443 Binding is pointing at Self Signed Certificate
Anonymous Authentication is Enabled
The Self Signed Certificate was added to both the Trusted Root CA and Intermediate CA (I read that another person had it in both rather than just the Trusted Root CA and that solved their issue, though neither set up has worked for us).
I cleared out the rest of the certificates in the Trusted Root CA that I didn't need (I read elsewhere that having too many certificates would cause SSL to choke).
I am out of ideas to try other than starting from scratch on another server. Does anyone know what the issue might be? This seems like it should be fairly straight forward and that I'm missing something minor. Any ideas are welcomed.
Update:
After spending more time with this issue today, I strongly believe it has to do with IIS7 not being configured correctly (I did not set up it originally). I think this because I enabled Failed Request Tracing, looked at the subsequent .xml files being generated, and saw that a 500 error was being thrown.
Chrome is throwing a "Access to the webpage was denied" message rather than a "403 - Forbidden: Access is denied". I don't know if this helps. I do know that when I do not make certificates required, the site will work as intended. Requiring a certificate is where it fails.
The Application Pool is set to .Net 4.0 | Classic | Network Service.
Your problem is that the browser doesn't either get the request to provide client certificate or there is a security related option to block it from happening. IE offers certificate only if the web site is in correct zone (intranet or trusted sites). Please check this before everything.
If that doesn't help then see this answer for next step. The netsh documentation says:
clientcertnegotiation
Optional. Specifies whether the negotiation of certificate is enabled or disabled. Default is disabled.
Enable that and even the dumbest browser should notice that it is supposed to offer certificate for authentication. To diagnose your problem further you can use WireShark to see the negotiation in action.
In every browser I've seen, the browser will not prompt you to select a certificate if it does not have any certificates signed by a CA the server trusts. So make sure your server is configured with the correct CAs. As Boklucius suggested, you can use openssl to examine the list of trusted CAs your server is sending to clients and see whether the CA you have signed your client certificates with is among them.
Try openssl s_client -connect yourip:443 -prexit
And see if the CA (your self signed cert) is send to the client in the Acceptable client certificate CA names.
you need to install openssl first if you don't have it
I'll throw in a "try restarting the browser" suggestion, particularly if you installed the certificate while the browser was running.
To add a rather painful lesson to the mix: Make sure you quit Skype (or any other application) that eats port 443.
So the idea here is if you are running a dev environment on the same machine (both client and IIS), and your team uses Skype or some other app to communicate.
Watch the hours go by as you try and debug this problem, seemingly doing everything "right", netsh http sslcerts and such, even rebooting but to no avail. Well, turns out Skype will eat 443 so turn it off and "poof" there goes your certificate prompt.
Then feel free to throw things at the wall, shout obscenities or just "Rage, rage against the dying of the light".
Also, make sure Fiddler isn't getting in the way. If you have it decrypting the SSL, it'll corrupt the message back to IE, and it doesn't have the certificate installed, so it can't offer it. Turn off fiddler, and voila, the certificate prompt appears.
In Firefox, if you press 'Cancel' the first time you're prompted for a certificate, and you left the sneaky 'Remember this decision' box checked, then Firefox will remember that and never offer it again.
You can view and delete your previous remembered decisions in Firefox Preferences -> Privacy & Security (about:preferences#privacy), View Certificates, and check the Authentication Decisions tab.
Just connecting to my VPN and trying showed me the certificate prompt. Needs to be done only the first time.