IIS 8.5 - Mutual certificates authentication fails with error 403.16


Question

I'm using Windows Server 2012 and IIS 8.5. I've set up SSL for the website and the SSL Settings are: Require SSL and Require Client Certificates.

The client certificate that I'm sending to the server has been issued by a self-signed authority (let's call it MyCompany CA). The MyCompany CA certificate has been successfully installed in the Local Computer account's Trusted Root Certification Authorities store. Its expiration date is 2039, and so is the client certificate's expiration date.

However, with all this set up, I'm getting error 403.16 as a result. I've enabled Failed Request Tracing rules, managed to log an erroneous request, and got some extra details about it:

52. MODULE_SET_RESPONSE_ERROR_STATUS - Warning
ModuleName - IIS Web Core
Notification - BEGIN_REQUEST
HttpStatus - 403
HttpReason - Forbidden
HttpSubStatus - 16
ErrorCode - A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (0x800b0109)
ConfigExceptionInfo

I've checked multiple sites regarding result 403.16 and error code 0x800b0109, and all of them point to the certification authority not being installed in Local Computer - Trusted Root Certification Authorities, but that's not my case.

Thanks!

Answer

I have been working on this for a long time and finally found it!

Add a new value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL:
Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2

Refresh the webpage, select the certificate and watch the magic happen.

Research

Using Windows 8 and IIS 8.5 I followed the instructions here: http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/

Certificates were created in the correct place and everything was configured in IIS properly, but I kept getting 403.16 errors.

After many MSDN articles and other attempts failed, I found the following registry settings.

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False, or delete this value entirely)

Here is some more information about this specific setting (found here: http://technet.microsoft.com/en-us/library/hh831771.aspx):

Defaults for Trust Modes
There are three Client Authentication Trust Modes supported by the Schannel provider. The trust mode controls how validation of the client's certificate chain is performed and is a system-wide setting controlled by the REG_DWORD "ClientAuthTrustMode" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel.

0 - Machine Trust (default)
Requires that the client certificate is issued by a certificate in the Trusted Issuers list.

1 - Exclusive Root Trust
Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.

2 - Exclusive CA Trust
Requires that a client certificate chains to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store. For information about authentication failures due to trusted issuers configuration issues, see Knowledge Base article 280256.

Hope this works for you too.
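As an added example (not part of the original question or answers), the following PowerShell applies the two SCHANNEL values from the answer and then checks, independently of IIS, whether the client certificate actually chains to a root in the machine's Trusted Root store, which is the condition behind 0x800b0109. Assumptions not in the original post: it runs from an elevated prompt on the IIS host, and the client certificate has been exported as C:\temp\client.cer. ClientAuthTrustMode is a system-wide Schannel setting (see the TechNet excerpt above), so it changes client-certificate validation for every TLS server on the host, not just this site.

```powershell
# Added example, not code from the original question or answers.
# Assumptions: run elevated on the IIS host; client cert exported to C:\temp\client.cer.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelDword {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Value
    )
    # New-ItemProperty fails if the value already exists and Set-ItemProperty
    # fails if it does not, so branch on whether the value is present.
    $existing = Get-ItemProperty -Path $schannel -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $schannel -Name $Name -PropertyType DWord -Value $Value | Out-Null
    } else {
        Set-ItemProperty -Path $schannel -Name $Name -Value $Value
    }
}

# 2 = Exclusive CA Trust: the client cert must chain to a CA (intermediate or
# root) in the trusted issuer store, instead of being issued directly by a CA
# in the Trusted Issuers list as mode 0 (Machine Trust, the default) requires.
Set-SchannelDword -Name 'ClientAuthTrustMode' -Value 2

# 0 = do not advertise the trusted issuer list in the TLS CertificateRequest.
# The answer sets this alongside the trust mode (or deletes the value entirely).
Set-SchannelDword -Name 'SendTrustedIssuerList' -Value 0

# Show the effective values so the change can be audited afterwards.
Get-ItemProperty -Path $schannel | Select-Object ClientAuthTrustMode, SendTrustedIssuerList

# Independent check: is the issuing CA really in LocalMachine\Root, and does
# the client certificate chain to it for the Client Authentication EKU?
$clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\temp\client.cer'
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $clientCert.Issuer }
if (-not $root) {
    Write-Warning "Issuer '$($clientCert.Issuer)' is not in LocalMachine\Root; 403.16 / 0x800B0109 is expected."
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline lab CA; keep revocation checking on in production
$clientAuthEku = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
$chain.ChainPolicy.ApplicationPolicy.Add($clientAuthEku) | Out-Null

if ($chain.Build($clientCert)) {
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK, terminates at: $($last.Subject)"
} else {
    # Each status entry names the failing condition, e.g. UntrustedRoot or PartialChain.
    $chain.ChainStatus | ForEach-Object { "Chain problem: $($_.Status) - $($_.StatusInformation)" }
}
```

If the chain check reports UntrustedRoot while the root really is in LocalMachine\Root, the failure is in how Schannel selects issuers rather than in the store contents, which is the situation the two registry values above address; if it reports PartialChain, the intermediate or root is simply missing and no trust-mode change will fix it.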
