Mutual certificates authentication fails with error 403.16


Question

I'm using Windows Server 2012 and IIS 8.5. I've set SSL for the website and the SSL Settings are: Require Required and Require Client Certificates.

The client certificate that I'm sending to the server has been issued by a self-signed authority (let's call it MyCompany CA). The MyCompany CA certificate has been successfully installed in the Local Computer Account - Trusted Root Certification Authorities. Its expiration date is 2039, and so is the client certificate's expiration date.

However, with all this setup, I'm getting an error 403.16 as the result. I've enabled Failed Request Tracing Rules and managed to log an erroneous request and got some extra details about it:

52.- MODULE_SET_RESPONSE_ERROR_STATUS - Warning
ModuleName - IIS Web Core
Notification - BEGIN_REQUEST
HttpStatus - 403
HttpReason - Forbidden
HttpSubStatus - 16
ErrorCode - A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (0x800b0109)
ConfigExceptionInfo

I've checked multiple sites regarding the result 403.16 and error code 0x800b0109, and all of them point to the certification authority not being installed in Local Computer - Trusted Root Certification Authorities, but that's not my case.

Thanks!

Answer

I have been working on this for a long time and finally found it!

Add a new key to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2

Refresh the webpage, select the certificate and watch the magic happen.

Research

Using Windows 8 and IIS 8.5 I followed the instructions here: http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/.

Certificates were created in the correct place and everything was configured in IIS properly, but I kept getting 403.16 errors.

After the many MSDN articles and other attempts failed, I found the following registry setting.

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False, or delete this key entirely)

Here is some more information about this specific setting (found here: http://technet.microsoft.com/en-us/library/hh831771.aspx):

Defaults for Trust Modes

There are three Client Authentication Trust Modes supported by the Schannel provider. The trust mode controls how validation of the client's certificate chain is performed and is a system-wide setting controlled by the REG_DWORD "ClientAuthTrustMode" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel.

0 - Machine Trust (default): Requires that the client certificate is issued by a certificate in the Trusted Issuers list.

1 - Exclusive Root Trust: Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.

2 - Exclusive CA Trust: Requires that a client certificate chains to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store. For information about authentication failures due to trusted issuers configuration issues, see Knowledge Base article 280256.

Hope this works for you too.
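The following PowerShell is an added example, not part of the answer above: it applies the two SCHANNEL values the answer describes and then builds the client certificate's chain locally to check that it terminates in a root present in the machine's Trusted Root store (the condition error 0x800b0109 complains about). The function names and the thumbprint placeholder are mine; it assumes an elevated session on the IIS host.

```powershell
# Added example (not from the original answer). Run elevated on the IIS server.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Set-SchannelClientAuthTrust {
    param(
        # 0 = Machine Trust (default), 1 = Exclusive Root Trust, 2 = Exclusive CA Trust
        [ValidateSet(0, 1, 2)][int]$TrustMode = 2,
        # $false writes 0, so Schannel stops sending the trusted issuer list
        [bool]$SendTrustedIssuerList = $false
    )
    New-ItemProperty -Path $schannel -Name 'ClientAuthTrustMode' `
        -PropertyType DWord -Value $TrustMode -Force | Out-Null
    New-ItemProperty -Path $schannel -Name 'SendTrustedIssuerList' `
        -PropertyType DWord -Value ([int]$SendTrustedIssuerList) -Force | Out-Null
    # Read back what was actually written so the change can be audited
    Get-ItemProperty -Path $schannel |
        Select-Object ClientAuthTrustMode, SendTrustedIssuerList
}

function Test-ClientCertChain {
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My, Cert:\CurrentUser\My |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
    if (-not $cert) { throw "Certificate $Thumbprint not found in a My store" }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; CRLs are a separate concern
    # Require the Client Authentication EKU, as Schannel does for client certs
    $eku = [System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2'
    $chain.ChainPolicy.ApplicationPolicy.Add($eku) | Out-Null
    $built = $chain.Build($cert)

    # Last element is the chain's terminating certificate (the root, if one was found)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $inMachineRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object Thumbprint -eq $root.Thumbprint)
    [pscustomobject]@{
        ChainBuilt        = $built
        ChainStatus       = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
        TerminatingCert   = $root.Subject
        RootInMachineRoot = $inMachineRoot   # $false reproduces the 0x800b0109 situation
    }
}

Set-SchannelClientAuthTrust -TrustMode 2 -SendTrustedIssuerList $false
Test-ClientCertChain -Thumbprint 'REPLACE_WITH_CLIENT_CERT_THUMBPRINT'
```

If RootInMachineRoot is already $true and the 403.16 persists, the trust mode (not the root store) is the remaining variable, which is the case the answer addresses.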
