Mutual certificates authentication fails with error 403.16


Problem description

I'm using Windows Server 2012 and IIS 8.5. I've set up SSL for the website and the SSL Settings are: Require SSL and Require Client Certificates.

The client certificate that I'm sending to the server has been issued by a self-signed authority (let's call it MyCompany CA). The MyCompany CA certificate has been successfully installed in the Local Computer account - Trusted Root Certification Authorities. Its expiration date is 2039, as is the client certificate's expiration date.

However, with all this set up, I'm getting error 403.16 as the result. I've enabled Failed Request Tracing rules and managed to log an erroneous request and got some extra details about it:

52.- MODULE_SET_RESPONSE_ERROR_STATUS - Warning
ModuleName - IIS Web Core
Notification - BEGIN_REQUEST
HttpStatus - 403
HttpReason - Forbidden
HttpSubStatus - 16
ErrorCode - A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (0x800b0109)
ConfigExceptionInfo

I've checked multiple sites regarding the result 403.16 and error code 0x800b0109, and all of them point to the certification authority not being installed in Local Computer - Trusted Root Certification Authorities, but that's not my case.

Thanks!

Answer

I have been working on this for a long time and finally found it!

Add a new key to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2

Refresh the webpage, select the certificate and watch the magic happen.

Research

Using Windows 8 and IIS 8.5, I followed the instructions here: http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/

Certificates were created in the correct place and everything was configured properly in IIS, but I kept getting 403.16 errors.

After many MSDN articles and other attempts failed, I found the following registry settings.

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: ClientAuthTrustMode
Value type: REG_DWORD
Value data: 2

Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False, or delete this key entirely)

Here is some more information about this specific setting (found here: http://technet.microsoft.com/en-us/library/hh831771.aspx):

Defaults for Trust Modes

There are three Client Authentication Trust Modes supported by the Schannel provider. The trust mode controls how validation of the client's certificate chain is performed and is a system-wide setting controlled by the REG_DWORD "ClientAuthTrustMode" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel.

0 Machine Trust (default)
Requires that the client certificate is issued by a certificate in the Trusted Issuers list.

1 Exclusive Root Trust
Requires that a client certificate chains to a root certificate contained in the caller-specified trusted issuer store. The certificate must also be issued by an issuer in the Trusted Issuers list.

2 Exclusive CA Trust
Requires that a client certificate chains to either an intermediate CA certificate or a root certificate in the caller-specified trusted issuer store.

For information about authentication failures due to trusted issuers configuration issues, see Knowledge Base article 280256.

Hope this works for you too.
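An added example to go with the answer above (this is not code from the question or the answer): an elevated PowerShell script for the IIS host that checks the three things this thread turns on, in order. It confirms the issuing CA sits in the machine Trusted Root store, builds the client certificate's chain with the Client Authentication EKU so that a chain problem shows up as a named status (UntrustedRoot, PartialChain and so on) instead of a bare 0x800b0109, prints the current Schannel trust-mode values, and then applies the two registry settings from the answer. The CA subject `CN=MyCompany CA` (the name the question uses) and the path `C:\certs\client.cer` are assumptions; adjust both.

```powershell
# Added example, not from the original question or answer.
# Run in an elevated PowerShell on the IIS host.
$ErrorActionPreference = 'Stop'
$schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$caSubject = 'CN=MyCompany CA'        # assumption: subject of the issuing CA
$clientCer = 'C:\certs\client.cer'    # assumption: exported client certificate (public part)

# 1. The issuing CA must be in the *machine* Trusted Root store; that is the store
#    Schannel consults for the server side. The current-user store does not count.
$rootCa = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $caSubject } |
    Select-Object -First 1
if (-not $rootCa) { throw "'$caSubject' is not in Cert:\LocalMachine\Root" }
"Root CA present: {0} (valid until {1})" -f $rootCa.Thumbprint, $rootCa.NotAfter

# 2. Build the client certificate's chain the way the server will, requiring the
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2). Revocation is skipped because a
#    private CA usually publishes no CRL; a failed Build() lists the chain statuses
#    that lie behind the generic 0x800b0109 / 403.16 reported by IIS.
$cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $clientCer
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]'1.3.6.1.5.5.7.3.2') | Out-Null
if ($chain.Build($cert)) {
    'Chain OK: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> ')
} else {
    'Chain FAILED:'
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
}

# 3. Current Schannel client-auth trust mode. An absent value means 0 (Machine Trust),
#    which requires the client certificate to be issued by a cert in the Trusted Issuers list.
$props = Get-ItemProperty -Path $schannel
'ClientAuthTrustMode   = {0}' -f $(if ($null -eq $props.ClientAuthTrustMode)   { '<not set> (0)' } else { $props.ClientAuthTrustMode })
'SendTrustedIssuerList = {0}' -f $(if ($null -eq $props.SendTrustedIssuerList) { '<not set>' }     else { $props.SendTrustedIssuerList })

# 4. Apply the answer's fix: 2 = Exclusive CA Trust (chain to an intermediate or root in the
#    trusted issuer store) and stop sending the trusted-issuer list in the handshake.
#    -Force overwrites an existing value of either name.
New-ItemProperty -Path $schannel -Name ClientAuthTrustMode   -PropertyType DWord -Value 2 -Force | Out-Null
New-ItemProperty -Path $schannel -Name SendTrustedIssuerList -PropertyType DWord -Value 0 -Force | Out-Null
Get-ItemProperty -Path $schannel | Select-Object ClientAuthTrustMode, SendTrustedIssuerList
```

Note that, as the quoted TechNet text says, ClientAuthTrustMode is a system-wide setting: it changes client-certificate validation for every Schannel-based server on the host, not just this one IIS site, so keep step 4 out of any script you run on shared machines until steps 1 and 2 have told you the chain itself is sound.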

