HTTP Error 401.2 and Login Error 0x80090325 During Client Certificate Mapping Authentication

0

I am receiving HTTP error 401.2 when trying to authenticate to a website in IIS using the client certificate mapping module (clientCertificateMappingAuthentication). I have followed the instructions to set this up on a new website that serves a single html page. I've enabled client certificate mapping at the applicationhost.config level using the location tab just like in the configuraiton example.

I have this working in another test environment with an on domain AD certificate authority, but it does not work in my production environment where the certificate authority is third party. I have the root CAs in the trusted root store on the web server and the client gets prompted correctly to supply the user cert. The user cert also shows no chain issues when viewing the cert on the web server. However, the response is 401.2 and the security log logs an audit failure with 0xc000006d (an error occured during login) with substatus 0x80090325 (the Certificate chain was issued by an authority that is not trusted).

I've tried failed request tracing, but couldn't discern the issue. Is there a way to figure out where the issue is? Something I'm missing? I'm using a DoD CA is that matters.

security
authentication
iis
ssl
iis-7.5

1 Answer

0

It turns out that some validation software that checked the revocation status of the certificates presented to the web server was causing the error. Once the validation software was disabled (it couldn't contact the revocation server) then IIS successfully validated the certificate.

The problem of properly troubleshooting this error is still there though. The 401.2 error isn't the proper response I should be getting and there should be a more descriptive error in the event logs or during failed request tracing.

answered on Stack Overflow Jan 9, 2016 by James Santiago

User contributions licensed under CC BY-SA 3.0