I've managed to fix this issue. It seems that the list of Trusted Root CA
Certs in WS2k3 is now too large for IE (including v7) to handle. Clearing out
some of the ones we'll never use miraculously brought my server back to life.
My worry now is what happens when the next Root CA update comes from MS...?
Looks like we'll be adopting a 'no Root CA updates' policy going forward!
Great resource though, this newsgroup, and thanks in particular to 'Steven'
who posted in the inetserver.iis group on this issue (look for Certificate
Trust List). It was his post which helped after 10 days or so of tearing my
hair out. Cheers!
"gsimpson" wrote:
> I'm having a really weird problem with client certificates on IIS. I can't
> see what might have changed, other than I applied a couple of MSXML patches
> to the box, but overnight, one of my webservers has stopped recognising
> client certificates from our CA. Stopped as in this worked fine one day and
> not the next, so I know something must have changed somehow...
>
> I've checked and re-checked everything I can think of: the CA's Root
> certificate is installed in the Local Computer>Trusted Root Certification
> Authorities store, I've created a CTL containing the CA's Root, and the
> target virtual directories are configured to use SSL, 128-bit encryption and
> 'require' client certificates - but the certificate list shown at client
> browsers is empty...
>
> I'm going quietly cuckoo trying to fix this one, so I really hope someone
> can help!
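The fix above is to trim the Local Computer Trusted Root store until the list IIS sends to browsers fits again. Before deleting anything, it helps to measure what SChannel actually puts on the wire: the TLS CertificateRequest message carries the DER-encoded subject names of every trusted root (not the whole certificates), and Microsoft documents a limit of roughly 16 KB on that list, beyond which clients receive an empty issuer list and show no certificate picker. The following diagnostic is an added example written for this thread, not something posted by gsimpson or Steven; it assumes an elevated PowerShell session on the IIS host with the Cert: provider available.

```powershell
# Added diagnostic (not from the thread): size up the Local Computer
# Trusted Root store the way SChannel's CertificateRequest sees it.
# Assumption: run elevated on the IIS server; the Cert: drive is built in.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# What goes on the wire: each issuer's DER-encoded subject DN plus a 2-byte length prefix.
$issuerBytes = ($roots | ForEach-Object { $_.SubjectName.RawData.Length } | Measure-Object -Sum).Sum
$wireBytes   = $issuerBytes + (2 * $roots.Count)
$certBytes   = ($roots | ForEach-Object { $_.RawData.Length } | Measure-Object -Sum).Sum

"{0} trusted roots; issuer-name list on the wire ~{1:N0} bytes (full certificates {2:N0} bytes)" -f `
    $roots.Count, $wireBytes, $certBytes

# 16 KB is the documented SChannel limit for the trusted-issuer list (labelled assumption
# here as to exact accounting; the thread itself only says "too large").
if ($wireBytes -gt 16KB) {
    Write-Warning ("Issuer list is {0:N0} bytes, over the ~16 KB SChannel limit; clients will see an empty certificate list." -f $wireBytes)
}

# Safe candidates to review first: roots that have already expired.
"`nExpired roots (review before removal):"
$roots | Where-Object { $_.NotAfter -lt (Get-Date) } |
    Sort-Object NotAfter |
    Select-Object Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize

# Roots that cost the most bytes on the wire, to prioritise what to cull.
"`nLargest issuer names:"
$roots | Sort-Object { $_.SubjectName.RawData.Length } -Descending |
    Select-Object -First 10 @{ n = 'IssuerDNBytes'; e = { $_.SubjectName.RawData.Length } }, Subject, NotAfter |
    Format-Table -AutoSize

# Sanity check that the CA whose client certs IIS must accept is still present.
# Replace the placeholder with your own CA's thumbprint before running.
$ourCaThumbprint = 'PLACEHOLDER_THUMBPRINT'
if (-not ($roots | Where-Object { $_.Thumbprint -eq $ourCaThumbprint })) {
    Write-Warning "Our CA root is not in LocalMachine\Root; client certificates cannot be chained."
}
```

Export a backup of the store (for example with `certutil -store Root` output or MMC export) before removing entries, and re-run the script after each batch of removals so the wire size, not a guess, decides when to stop. Keeping the measurement in a script also answers the worry about future Root CA updates: schedule it to run after patching and alert when the list grows back over the limit.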
I tried to report this issue to Microsoft a few weeks ago. They told me I
could pay for a support call and if the technician decided it was truly an
IIS bug they would refund my money. I thought that was nuts and instead
posted it to the IIS general discussion group. Getting no hits since
February 1 I've now posted a bug report to this group as well.
"gsimpson" <gsimpson@discussions.microsoft.com> wrote in message
news:5611EF09-AECA-4A30-9CD9-1ABC1066F79D@microsoft.com...
> I've managed to fix this issue. It seems that the list of Trusted Root CA
> Certs in WS2k3 is now too large for IE (including v7) to handle. Clearing out
> some of the ones we'll never use miraculously brought my server back to life.
>
> My worry now is what happens when the next Root CA update comes from MS...?
> Looks like we'll be adopting a 'no Root CA updates' policy going forward!
>
> Great resource though, this newsgroup, and thanks in particular to 'Steven'
> who posted in the inetserver.iis group on this issue (look for Certificate
> Trust List). It was his post which helped after 10 days or so of tearing my
> hair out. Cheers!
>
> "gsimpson" wrote:
>
>> I'm having a really weird problem with client certificates on IIS. I can't
>> see what might have changed, other than I applied a couple of MSXML patches
>> to the box, but overnight, one of my webservers has stopped recognising
>> client certificates from our CA. Stopped as in this worked fine one day and
>> not the next, so I know something must have changed somehow...
>>
>> I've checked and re-checked everything I can think of: the CA's Root
>> certificate is installed in the Local Computer>Trusted Root Certification
>> Authorities store, I've created a CTL containing the CA's Root, and the
>> target virtual directories are configured to use SSL, 128-bit encryption and
>> 'require' client certificates - but the certificate list shown at client
>> browsers is empty...
>>
>> I'm going quietly cuckoo trying to fix this one, so I really hope someone
>> can help!