浏览器不提示输入客户端证书 [英] Browser is not prompting for a client certificate

问题描述

背景:

我正在将内部应用程序更新为两步验证过程.我想在传统的用户名/密码表单之上添加一个客户端证书身份验证过程(通过智能卡).该应用程序使用 C# 编写，托管在 IIS7 上，面向 Chrome 和 IE8.

I am updating an internal application to a two-step authentication process. I want to add a client certificate authentication process (via a smart card) on top of a traditional username/password form. The application is written in C#, hosted on IIS7, and targeting Chrome and IE8.

问题:

我在让应用程序提示用户输入客户端证书时遇到问题.我一直在 Fiddler 的帮助下调试应用程序.当我将测试客户端证书保存在 Fiddler 的用户目录 (C:Documents and SettingsUSERMy DocumentsFiddler2) 中时，应用程序按预期工作.系统提示我输入保护智能卡的 PIN 码，如果输入正确，我将转到登录表单.当我关闭 Fiddler 时，应用程序会抛出 403 Forbidden 错误(因为 Fiddler 不再运行并指向其证书).我一直想不通的是为什么应用程序不会正常提示输入证书.

I am having issues with getting the application to prompt the user for a client certificate. I have been debugging the application with the help of Fiddler. When I have a test client certificate saved in Fiddler's user's directory (C:Documents and SettingsUSERMy DocumentsFiddler2), the application works as expected. I am prompted for a PIN number protecting the smart card, and, when entered correctly, takes me to the login form. When I close Fiddler, the application throws a 403 Forbidden error instead (since Fiddler is no longer running and pointing to its certificate). What I haven't been able to figure out is why the application won't prompt for a certificate normally.

当前服务器设置:

• 自签名证书已创建
• 443 绑定指向自签名证书
• 匿名身份验证已启用
• 自签名证书已添加到受信任的根 CA 和中间 CA(我读到另一个人在两者中都有它，而不仅仅是受信任的根 CA，这解决了他们的问题，尽管这两种设置都对我们不起作用).
• 我清除了 Trusted Root CA 中我不需要的其余证书(我在别处读到有太多证书会导致 SSL 阻塞).

除了在另一台服务器上从头开始之外，我没有其他尝试的想法.有谁知道可能是什么问题?这似乎应该相当简单，而且我错过了一些小事.欢迎提出任何想法.

I am out of ideas to try other than starting from scratch on another server. Does anyone know what the issue might be? This seems like it should be fairly straight forward and that I'm missing something minor. Any ideas are welcomed.

更新:

今天在这个问题上花了更多时间后，我坚信这与 IIS7 没有正确配置有关(我最初没有设置它).我认为这是因为我启用了失败请求跟踪，查看了后续生成的 .xml 文件，并看到抛出了 500 错误.

After spending more time with this issue today, I strongly believe it has to do with IIS7 not being configured correctly (I did not set up it originally). I think this because I enabled Failed Request Tracing, looked at the subsequent .xml files being generated, and saw that a 500 error was being thrown.

Chrome 正在抛出访问网页被拒绝"消息，而不是403 - 禁止:访问被拒绝".我不知道这是否有帮助.我确实知道，当我不需要证书时，该站点将按预期工作.需要证书是失败的地方.

Chrome is throwing a "Access to the webpage was denied" message rather than a "403 - Forbidden: Access is denied". I don't know if this helps. I do know that when I do not make certificates required, the site will work as intended. Requiring a certificate is where it fails.

应用程序池设置为 .Net 4.0 |经典 |网络服务.

The Application Pool is set to .Net 4.0 | Classic | Network Service.

推荐答案

你的问题是浏览器没有收到提供客户端证书的请求，或者有一个安全相关的选项来阻止它发生.仅当网站位于正确的区域(内联网或受信任的站点)时，IE 才提供证书.请先检查这一点.

Your problem is that the browser doesn't either get the request to provide client certificate or there is a security related option to block it from happening. IE offers certificate only if the web site is in correct zone (intranet or trusted sites). Please check this before everything.

如果这没有帮助，请查看此回答下一步.netsh 文档说:

If that doesn't help then see this answer for next step. The netsh documentation says:

clientcertnegotiation
Optional. Specifies whether the negotiation of certificate is enabled or disabled. Default is disabled.

启用它，即使是最愚蠢的浏览器也应该注意到它应该提供用于身份验证的证书.要进一步诊断您的问题，您可以使用 WireShark 查看正在进行的协商.

Enable that and even the dumbest browser should notice that it is supposed to offer certificate for authentication. To diagnose your problem further you can use WireShark to see the negotiation in action.

这篇关于浏览器不提示输入客户端证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！