IIS 6.0: Computer must trust all certification authorities trusted by individual sites (332077)


The information in this article applies to:

  • Microsoft Internet Information Services
  • Microsoft Internet Information Services version 6.0
This article was previously published under Q332077

SYMPTOMS

If you have a Web site on Internet Information Services (IIS) 5.0 that requires client certificates, when you upgrade the server to Microsoft Windows Server 2003 with IIS 6.0, clients that connect to the site may receive one of the following error messages even if the client certificates are not controlled by a certificate trust list (CTL):
HTTP 403.16 Forbidden: Client certificate untrusted or invalid.
HTTP 403.16 Forbidden: Client certificate is ill-formed or is not trusted by the web server.
HTTP Error 403.7: Forbidden: SSL client certificate is required.
When the client accesses the Web site, the client may not receive the Client Authentication dialog box in the browser (the Client Authentication dialog box permits you to select the client certificate that you want to use to access the site). If the client receives the Client Authentication dialog box, the certificate list in the Client Authentication dialog box may not list the client certificate.

CAUSE

This may occur if the client certificate was created by a certification authority that the IIS computer does not trust.

MORE INFORMATION

In IIS 5.0, you can specify a CTL that contains certification authorities whose root certification authority certificates are installed in the personal certificate store of the local computer. However, in IIS 6.0, the root certification authority certificates must be installed in the local computer Trusted Root Certification Authorities certificate store. With this change, IIS 6.0 verifies certificates based on the rules that are specified in the crypto API. The crypto API rejects certificates if the root certification authority certificates are not installed in the local computer Trusted Root Certification Authorities certificate store.

RESOLUTION

To resolve the error and display the certificate in the browser, you must install the root certification authority certificate in the local computer Trusted Root Certification Authorities certificate store.
  1. Add a certificate snap-in for the local computer:
    1. Click Start, click Run, type mmc, and then click OK.
    2. On the File menu, click Add/Remove Snap-in, and then click Add.
    3. Under Snap-in, double-click Certificates, select Computer account, and then click Next.
    4. Select Local computer, click Finish, and then click Close.
    5. Click OK to exit the wizard.
  2. Export the certificate from the local computer Personal Certificate store:
    1. In the snap-in for the local computer, double-click Certificates (local computer), double-click Personal, and then double-click Certificates.
    2. Right-click the root certification authority certificate for the certification authority that issues the client certificates, click All Tasks, and then click Export to open the Certificate Export wizard.
    3. Click Next, select a format for the export, specify the directory where you want to store the exported certificate, click Next, and then click Finish.

      Note The DER Encoded Binary X.509 format and the Base64 Encoded X.509 format are used for interoperability if the certification authority is not a Microsoft Windows 2000-based server. If you do not know the certification authority type, use one of these formats.
  3. Import the certificate to the local computer Trusted Root Certification Authorities certificate store:
    1. In the snap-in for the local computer, double-click Trusted Root Certification Authorities, double-click Certificates, right-click All Tasks, and then click Import to start the Certificate Import wizard.
    2. Click Next, specify the exported certificate that you created in step 2, and then click Open.
    3. Click Next. Verify that Place all certificates in the following store is selected and that Certificate Store lists Trusted Root Certification Authorities.
    4. Click Next, and then click Finish.
This error message may also indicate that the administrator has previously configured a specific trust list by checking the Enable certificate trust list check box and by populating the dialog box with one or more root certificates. If the Enable certificate trust list check box is selected, verify that the expected server certificate appears in the list. This includes all renewed certificates. To do this, follow these steps:
  1. Open the Internet Information Services management console, right-click the Web site that is experiencing the error, and then click Property.
  2. Click the Directory Security tab.
  3. Under Secure communications, click Edit.
  4. If the Enable certificate trust list check box is selected and the Current CTL field is populated, you can do the following tasks:
    1. Click to clear the Enable certificate trust list check box. This will enable IIS to use all certificates in the server certificate store.
    2. Click Edit, and follow the prompts in the Certificate Trust List Wizard to add the appropriate server certificate.

      Note Edit is only available when the CTL is populated with one or more certificates from the server certificate store.
    3. Click OK when you are prompted.
  5. Test a page that requires a client certificate.

REFERENCES

More information about CTLs is available in the product documentation. To view this documentation, visit the following Microsoft Web site:

http://technet2.microsoft.com/windowsserver/en/default.mspx

You can also access the product documentation through IIS Manager. For more information about how to access this Help feature, click the following article number to view the article in the Microsoft Knowledge Base:

815127 How to access IIS 6.0 Help documentation

Modification Type:MinorLast Reviewed:3/10/2006
Keywords:kbpending kbprb KB332077
©2004 Microsoft Corporation. All rights reserved.