ASP.NET Request.ClientCertificate returning empty on IIS 7

Question

I\'m migrating a web app from an IIS 6 server to an IIS 7 server and I\'m having some troubles with getting the client\'s certificate.

The piece of code that I\'m us

Answer 1

I came across this question while looking for more information about how to get certificates in IIS 7 vs. IIS 6. I see that @whosrdaddy's solution worked for the asker. There is something else that I had to hunt down.

One of the differences between IIS 6 and IIS 7 is that IIS 6 has the "Directory Security" tab in each web site's configuration. In order to make the web server request certificates in IIS 7, you must click on the "SSL Settings" feature for the Web Site or Virtual Directory you are configuration to see the "Client certificates:" setting: Ignore, Accept, or Require.

Make sure that this is not set to "Ignore", or else you will never get your certificates to work!

Answer 2

The IsPresent == false can be caused by several different things, both related to the server and the client. We hit everyone of these on the way to finally fixing these and I will detail each....

Server Issue #1 - The client cert passed in has 1 or more certification paths that do NOT exist on the server. Open the cert go to certification path (tab) and make sure each of the root authorities are in the SERVERS trusted root certificate authorities. Note, you DO NOT need to install the cert on the server just the root authorities public keys under Certificates (Local Computer) \ Trusted Root Certification Authorities.

Server Issues #2 (previously mentioned solution) - In IIS, for the site, make sure the SSL Settings are set to Accept OR Require (never ignore). The benefit of using Require is that the IIS logs will show you are 403 7 error where as Accept will just get your the IsPresent == false but with a 200 http code.

Client Issue #1 - Same as server issue #1, got to trust those authorities!

Client Issue #2 - You have the trusted root authorites but NOT the private key for the cert itself. Make sure you install the pfx (private key) into the cert store not the public key (.cer). You can also see if you have the private key by double clicking the cert in the cert store and on the general tab you should see a message saying as much.

Client Issue #3 - You put the cert in the wrong place. Probably best to place your cert in Certificates (Local Computer) \ Personal \ Certificates, rather than (current user). This will make the cert available to process accounts that are running your code and actually need access to it.

Client Issue #4 - Right mouse click the cert (in the store not a .cer file) --> All Tasks --> Manage Private Keys... and make sure the process account running your code has "Read" permission. A quick test of this (but not recommended for production use) is to add "Everyone" as read to see if this is your issue.

Answer 3

Basically it boils down to the fact that the client can't provide the client certificate. That's why you get the 403.7 error when you require it. I believe you need this:

http://blogs.msdn.com/b/puneetgupta/archive/2009/08/03/where-is-the-client-certificates-ui-in-iis-7-0.aspx

Please let me know if this helps.