Client Certificate Authentication - IIS 6 - No User Mapping


I am trying to protect an IIS 6 resource with client certificate authentication, without user mapping, and I am struggling.

I have issued a certificate using the request criteria below. (The CN is a GUID that I need to use in a later step, unrelated to IIS)

I have added the client authentication OID in EKU, and the digital signature in the Key Usage.

I have the trust configured in my root CAs, and I have a CTL in place, which limits the list of accepted certificates even further.

When I hit the protected resource, IE prompts me for my certificate, meaning a certificate that is trusted by both parties has been found. I select the certificate, click OK, and I immediately get a 403 7 5 from IIS. I am not trying to map this certificate to a user, I want to accept anyone with a certificate from this CA. I have CRL checking disabled for the time being to eliminate that as an issue.

I cannot find a list of requirements anywhere for what IIS and IE consider a valid client certificate. I was under the impression that if the crypto API prompts you with a certificate in IE, then the certificate has already been found to match the criteria. One other note. I have a smart card that has a certificate from another trusted CA, and it shows up in the list and works if I select it. So I know IIS is working, and that CRL checking is in fact disabled. What is this certificate missing that makes IIS not accept it, or IE not send it?

[NewRequest]
Subject="CN=7259FEDE676E4A6EB818EA4D9AD0958E"
Exportable=FALSE
KeyLength=2048
KeySpec=1
KeyUsage=0x80
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.2

Thanks in advance. I appreciate any help I can get, as I have been working on this for about a week, and I am stumped.

- Josh
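Added example, not part of the post and not Microsoft's code: a Python check built on the `cryptography` package (assumed installed) that constructs a self-signed test certificate mirroring the .inf above and reports whether it carries the two attributes the post relies on, the digitalSignature key usage (KeyUsage=0x80) and the Client Authentication EKU (1.3.6.1.5.5.7.3.2). The same check can be pointed at an exported copy of a real certificate to confirm what the browser is actually presenting.

```python
"""Inspect an X.509 certificate for the client-auth attributes named in the post:
Key Usage digitalSignature (0x80) and the Client Authentication EKU
(1.3.6.1.5.5.7.3.2). Requires the 'cryptography' package (assumption)."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtensionOID, NameOID

CLIENT_AUTH = x509.ObjectIdentifier("1.3.6.1.5.5.7.3.2")  # id-kp-clientAuth


def check_client_auth_cert(cert: x509.Certificate) -> dict:
    """Report which of the attributes from the post's .inf the cert carries."""
    result = {"cn": None, "digital_signature": False,
              "eku_present": False, "client_auth_eku": False}
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    result["cn"] = cns[0].value if cns else None
    try:  # KeyUsage=0x80 in certreq syntax is the digitalSignature bit
        ku = cert.extensions.get_extension_for_oid(ExtensionOID.KEY_USAGE).value
        result["digital_signature"] = ku.digital_signature
    except x509.ExtensionNotFound:
        pass
    try:  # EKU absent is reported separately from EKU present without clientAuth
        eku = cert.extensions.get_extension_for_oid(ExtensionOID.EXTENDED_KEY_USAGE).value
        result["eku_present"] = True
        result["client_auth_eku"] = CLIENT_AUTH in eku
    except x509.ExtensionNotFound:
        pass
    result["ok"] = result["digital_signature"] and result["client_auth_eku"]
    return result


def make_test_cert(cn: str, digital_signature: bool = True,
                   ekus=(CLIENT_AUTH,)) -> x509.Certificate:
    """Constructed self-signed 2048-bit RSA cert for testing (not a real CA)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
               .add_extension(x509.KeyUsage(
                   digital_signature=digital_signature, content_commitment=False,
                   key_encipherment=not digital_signature, data_encipherment=False,
                   key_agreement=False, key_cert_sign=False, crl_sign=False,
                   encipher_only=False, decipher_only=False), critical=True))
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(list(ekus)), critical=False)
    return builder.sign(key, hashes.SHA256())
```

To test an exported certificate instead, load it with `x509.load_der_x509_certificate` or `x509.load_pem_x509_certificate` and pass the result to `check_client_auth_cert`.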
