IIS Support Voice column
IIS and client certificatesTo customize this column to your needs, we want to invite you to submit your ideas about topics that interest you and issues that you want to see addressed in future Knowledge Base articles and Support Voice columns. You can submit your ideas and feedback using the Ask For It form. There's also a link to the form at the bottom of this column.
IntroductionHello. My name is David Dietz and I have been supporting Microsoft Internet Information Services (IIS) for the past six years. Over the course of this time, one topic that has been a challenge for many Web administrators is client certificates. In this article, I will go over some basics of client certificates and try to make some sense of what they are for and what they can do.
Some of the misconceptions that we see on a regular basis are:
- Client certificates are needed to make SSL work properly.
- When using client certificates, you don't need a certificate on the server.
- A client certificate that is issued by any certification authority will work with any server.
- If you issue a client certificate, your Web server will automatically accept it.
Client certificates are issued to a user by a certification authority. They consist of the public key portion of the certificate and a private key that is held only by the entity to which the certificate is issued. The certification authority may be a well-known public organization that provides certificate services as part of its business, or it could be an internal server that only your company uses. In either case, the client certificate will have certain information that identifies the user either individually or as part of a group.
In IIS, you have the option of ignoring, accepting, or requiring client certificates when a user accesses resources on your server. Ignoring certificates simply means that you are not using them, will not ask the client for one, and will discard one if it is sent to your server. If you choose to accept certificates, your server will prompt for a certificate but will not necessarily deny access if a certificate is not provided. If you require client certificates, the user must supply a valid certificate or the user will receive an error message.
For a certificate to work properly, certain requirements must be met on both the server and the client. Each side has a list of root certification authorities that they trust. When the server prompts for a certificate, the request includes a list of the certification authorities that the server trusts. The client then compares this list to the list of certification authorities that the client trusts and creates a list of the ones that match. Then, the client compares that list to the client certificates it has and determines which, if any, certificates have been issued by certification authorities that both the client and the server trust. Depending on the client, you may see a list of certificates to choose from if there is more than one certification authority that both sides trust. The client then sends the public portion of the certificate to the server. At this point, the server generally checks to make sure that the certificate is valid and, if no mapping is performed, the communications between the client and the server can continue.
This is the most basic functionality of client certificates. At this point, the server knows only that the client has a valid certificate.
Here is where things get interesting. The server can be configured to do a mapping of the certificate to a user account. This can be either a one-to-one mapping, where the specific certificate is mapped to a single user account, or a many-to-one mapping, where the server uses certain fields in the certificate information to map any matching certificate to a designated user account. When a mapping is used, the certificate allows the user to be granted or denied access to resources as a particular user. When using client certificates in this manner, you do not have to use any other authentication method.
Common error messages that are related to client certificates
403.7 - Client certificate requiredThis error message is received if a client does not provide a client certificate when one is required. Either the client refused to send a client certificate or the client did not have a certificate issued by a mutually trusted certification authority.
403.13 - Client certificate revokedThis error message means that the client sent a certificate, but either the certificate shows up as revoked in the issuing authority's Certificate Revocation List or the server could not retrieve a CRL from the issuing authority.
403.16 - Client certificate is untrusted or invalid.This error message is primarily generated when the certificate that the client provided is improperly formed. It can also be generated if there are intermediate certification authorities in the certificate chain that are not trusted by the Web server.
403.17 - Client certificate has expired or is not yet validThis error message is fairly self-explanatory. It means that the current date on the server is not within the valid date ranges that are presented in the client certificate.
For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
Ask For It form.
252657 IIS 5.0: HTTP 403.16 Forbidden: Client certificate untrusted or invalid
248031 Error message: HTTP 403.17 - Forbidden: Client certificate has expired or is not yet valid
294305 IIS returns HTTP "403.13 Client certificate revoked" error message although certificate is not revoked
313070 How to configure client certificate mappings in Internet Information Services (IIS) 5.0Client certificate mapping (IIS 6.0)
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/751c99bd-9657-41a5-b541-569d305872ef.mspx?mfr=trueSPKI certificate theory
Ask For It form.