IIS 5.0 client cert authentication problem

Giganews Newsgroups
Subject: IIS 5.0 client cert authentication problem
Posted by:  Doug (do…@hugheses.co.uk)
Date: Fri, 29 Aug 2008

We have an IIS 5.0 / Windows 2000 web server which is behaving
strangely when using client cert authentication.

Trading partners HTTP POST electronic documents to an ASP page on the
server. The page security is configured as follows in IIS admin:

Under "Authentication Methods", all checkboxes are cleared.
Under "Secure Communications", "Require SSL" is ticked, "Require
client certificates" is selected and "Enable client certificate
mapping" is ticked.
In "Account Mappings", the partner's public certificate is mapped to a
local Windows user. This user is only a member of the Windows "Users"
group.

The ACL is set on the ASP page such that members of the Administrators
group have full control, and the user mapped to above has Read &
Execute.

Normally, everything works well.

However, when the trading partner tries to send particular documents,
their system reports the error "Connection closed by remote host".

A "bad" document will never transmit, i.e. it's repeatable. It doesn't
matter when a re-transmit is attempted, it always fails. So, I've
discounted server loading, etc. Nothing is recorded in the IIS logs
and there are no errors reported in the Event Viewer.

Conversely, a "good" document will always transmit OK.

If I remove the requirement for client certificate authentication on
the ASP page, i.e. tick the "Anonymous access" box, select "Ignore
client certificates", un-tick the "user mapping" box and allow
"Everyone" Read & Execute access under Windows, the "bad" document
will transmit. Note that in this case HTTPS is still being used and it
works OK.

I've tried a few diagnostic tools, which don't show any obvious
errors, but I'm not knowledgeable enough to diagnose this properly.

Any ideas? What can I try next?

Thanks in advance.

Doug
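The question asks what to try next. One thing the post itself suggests is narrowing down *where* the failing POST dies: the partner only sees "Connection closed by remote host", and the server logs nothing, so the request is apparently being dropped before IIS gets far enough to log it. The following is an added diagnostic example, not code from Doug's post or from any IIS tooling: a standard-library Python client that sends a document over HTTPS with a client certificate and reports whether the failure happens during the TLS handshake, while the body is being sent, or as an HTTP status. It also summarizes a few properties of a document body (size, non-ASCII and control bytes) so that a "good" and a "bad" document can be compared side by side; the idea that those properties are worth comparing is my assumption, not something the post establishes. URL, certificate and key paths are placeholders.

```python
"""Probe an HTTPS endpoint that requires a client certificate and report
at which stage a POST fails.  Added diagnostic example; uses only the
Python standard library.  Hostnames, paths and file names are placeholders."""
import argparse
import http.client
import socket
import ssl
from urllib.parse import urlsplit


def classify_error(exc):
    """Map an exception raised during the request to a coarse failure stage.

    RemoteDisconnected is checked first because it subclasses
    ConnectionResetError; the order matters."""
    if isinstance(exc, ssl.SSLError):
        return "tls"        # handshake or certificate negotiation failed
    if isinstance(exc, http.client.RemoteDisconnected):
        return "closed"     # TLS came up, but the peer closed before any HTTP reply
    if isinstance(exc, (ConnectionResetError, BrokenPipeError)):
        return "reset"      # peer reset the connection while we were sending
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    return "other"


def summarize_body(body):
    """Properties of a document body worth comparing between a document that
    transmits and one that does not (an assumption, not a known cause)."""
    return {
        "size": len(body),
        "non_ascii": sum(1 for b in body if b > 0x7F),
        "control": sum(1 for b in body if b < 0x20 and b not in (9, 10, 13)),
    }


def build_context(cert_file, key_file, ca_file=None):
    """TLS context presenting the partner's client certificate.
    Without a CA file the server certificate is not verified (lab use only)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if ca_file is None:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(cert_file, key_file)
    return ctx


def post_document(url, body, ctx, timeout=30):
    """POST the body and return where the exchange ended."""
    parts = urlsplit(url)
    result = {"stage": None, "status": None, "error": None}
    result.update(summarize_body(body))
    conn = http.client.HTTPSConnection(
        parts.hostname, parts.port or 443, timeout=timeout, context=ctx)
    try:
        conn.request("POST", parts.path or "/", body=body,
                     headers={"Content-Type": "application/octet-stream"})
        resp = conn.getresponse()
        resp.read()
        result["stage"] = "response"
        result["status"] = resp.status
    except Exception as exc:  # classify rather than crash: the stage is the answer
        result["stage"] = classify_error(exc)
        result["error"] = repr(exc)
    finally:
        conn.close()
    return result


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Client-cert POST probe")
    ap.add_argument("url", help="e.g. https://server.example/receive.asp (placeholder)")
    ap.add_argument("cert", help="client certificate PEM (placeholder path)")
    ap.add_argument("key", help="client private key PEM (placeholder path)")
    ap.add_argument("document", help="file to POST")
    ap.add_argument("--ca", help="CA bundle to verify the server", default=None)
    args = ap.parse_args()
    with open(args.document, "rb") as fh:
        data = fh.read()
    print(post_document(args.url, data, build_context(args.cert, args.key, args.ca)))
```

Run it once with a document that transmits and once with one that does not, and compare the two result dictionaries: a `tls` stage points at certificate negotiation, `closed` or `reset` at something happening after the handshake but before IIS produced a response (consistent with nothing reaching the IIS log), and `response` with an HTTP status at the ASP page or its ACL. One caveat for a 2008-era server: IIS 5.0 on Windows 2000 only negotiates old SSL/TLS versions, and a modern Python `create_default_context()` may refuse them outright, which would show up as a `tls` failure for every document rather than just the "bad" one.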