HTTP error 403.16 - client certificate trust issue

Views: 682
Question

I am trying to implement client certificate authentication on IIS 8. I have deployed my configuration on a development machine and verified that it works as expected there. However, after setting up on the server, whenever I navigate to the site and am prompted for the client cert, I select it and immediately get the 403.16 error. The failed request log gives the error code 2148204809 and the message "A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider."

I have a valid client cert and also a valid CA cert. The CA cert is installed in Trusted Root Authorities on the computer account on both the server and the client machine, and the client cert is installed in the Personal area of the Current User account on the client machine.

The client cert is signed directly by the root CA and as I said, both are valid. There are no other certs in the chain and there are no intermediate certs in the Trusted Root Authorities area.

The IIS configuration has sslFlags = SslNegotiateCert and iisClientCertificateMappingAuthentication is enabled.

The server is not configured to send a CTL and we have SendTrustedIssuerList = 0.

I cannot see why the client cert should not be trusted.

Accepted answer

Windows 2012 introduced stricter certificate store validations. According to KB 2795828: Lync Server 2013 Front-End service cannot start in Windows Server 2012, the Trusted Root Certification Authorities (i.e. Root) store can only have certificates that are self-signed. If that store contains non-self-signed certificates, client certificate authentication under IIS returns a 403.16 error code.

To solve the problem, you have to remove all non-self-signed certificates from the root store. This PowerShell command will identify non-self-signed certificates:

Get-Childitem cert:\LocalMachine\root -Recurse | 
    Where-Object {$_.Issuer -ne $_.Subject}

In my situation, we moved these non-self-signed certificates into the Intermediate Certification Authorities (i.e. CA) store:

Get-Childitem cert:\LocalMachine\root -Recurse | 
    Where-Object {$_.Issuer -ne $_.Subject} | 
    Move-Item -Destination Cert:\LocalMachine\CA

According to KB 2801679: SSL/TLS communication problems after you install KB 931125, you might also have too many trusted certificates.

[T]he maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certification Authorities will go over the 16k limit, and you will experience TLS/SSL communication problems.

The solution in this situation is to remove any certification authority certificates you don't trust, or to stop sending the list of trusted certification authorities by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\@SendTrustedIssuerList registry entry to 0 (the default, if not present, is 1).
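The three checks the answer describes (non-self-signed certificates sitting in the Root store, the size of the trusted issuer list Schannel would send, and the current SendTrustedIssuerList setting) can be gathered in one read-only pass before changing anything. The script below is an added example, not part of the original answer; it assumes an elevated PowerShell session on the IIS host, and the issuer-list size is only an estimate built from the DER-encoded subject names of the Root store certificates, which is an assumption about how the list is composed rather than a value Schannel reports.

```powershell
# Added diagnostic example (not from the original answer). Read-only: the
# Move-Item step from the accepted answer is deliberately left to the admin.
# Assumption: run elevated on the IIS host so Cert:\LocalMachine is readable.

function Get-NonSelfSignedRootCerts {
    # The Root store should hold only self-signed certificates (Issuer equals
    # Subject). Anything else is what triggers the 403.16 described above and
    # is a candidate for the Intermediate Certification Authorities (CA) store.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Get-TrustedIssuerListEstimate {
    # Rough size of the issuer list Schannel sends in the TLS CertificateRequest:
    # the sum of the DER-encoded subject names of every Root store certificate.
    # Assumption: an approximation, not the exact value Schannel builds.
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root)
    $bytes = 0
    foreach ($cert in $roots) { $bytes += $cert.SubjectName.RawData.Length }
    [pscustomobject]@{
        CertificateCount  = $roots.Count
        EstimatedBytes    = $bytes
        OverSchannelLimit = ($bytes -gt 16KB)   # the 16 KB limit from KB 2801679
    }
}

function Get-SendTrustedIssuerListSetting {
    # Reads the registry value named in the answer; absent means the default (1).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $item = Get-ItemProperty -Path $key -Name SendTrustedIssuerList -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        'SendTrustedIssuerList not set (default 1: the issuer list is sent)'
    } else {
        "SendTrustedIssuerList = $($item.SendTrustedIssuerList)"
    }
}

Write-Host '== Non-self-signed certificates in LocalMachine\Root =='
Get-NonSelfSignedRootCerts | Format-Table -AutoSize

Write-Host '== Estimated trusted issuer list size =='
Get-TrustedIssuerListEstimate | Format-List

Write-Host '== Schannel setting =='
Get-SendTrustedIssuerListSetting
```

If the first section lists anything, that is the certificate set the answer's Move-Item command relocates; review each entry before moving it, since a certificate that was placed in Root on purpose but is not self-signed will stop being trusted as a root once it is moved. If EstimatedBytes is over the limit and the list is still being sent, the same symptoms can appear even with a clean Root store, which is why the registry value is reported alongside.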
