Client certificate changes between Server 2008 R2 and Server 2012 R2?

  • Question

  • For several years now we've been using client certificates as a second factor in our 2FA strategy. The strategy is this:

    1) The user hits one WCF endpoint (https) with an encrypted username and password

    2) We pass back a self-signed client certificate (which we also store in the "Trusted People" store on the server)

    3) Client then challenges a second endpoint (also https) with the client certificate and makes all calls for the application through that endpoint.

    Now this works fine in Server 2008, but we are now evaluating Server 2012 and the only way I can get it to work is to store the cert in either "Trusted Root" or "Third Party Trusted Root". I can also make it work by chaining the client cert back to a root cert. However, we don't want to do this, because a) our security group doesn't want us loading up Trusted Root with a bunch of client certs and b) we don't want to use chaining, because this means that if we remove the cert from the server we will not disconnect the client (you'd have to remove the root cert) and we don't necessarily have the ability to remove the client cert from the user's machine.

    I have tried all three modes of "ClientAuthTrustMode" under SChannel, along with SendTrustedIssuerList set to both 0 and 1, and I've tried tweaking the Group Policy "Public Key Policies/Certificate Path Validation Settings" every way I could (including completely off, like our 2008 server), with no change in behavior.

    Again, this strategy works fine in 2008, or by placing the client certs in Trusted Root or Third Party Trusted Root in 2012, but not when using the Trusted People store.

    Monday, December 18, 2017 8:07 PM
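A diagnostic I would run on the 2012 R2 server to see the state the question describes in one place: the SChannel trust-mode values, which LocalMachine stores hold the client cert, whether it is self-signed and carries the Client Authentication EKU, and what the platform chain engine says about it. This is an added example, not code from the thread; it assumes an elevated PowerShell session and takes the certificate thumbprint as a parameter.

```powershell
# Hypothetical helper, not from the thread. Run elevated on the server being tested.
param([Parameter(Mandatory=$true)][string]$Thumbprint)

# 1) SChannel values the question mentions. Meanings per Microsoft's Schannel documentation:
#    ClientAuthTrustMode 0 = Machine Trust (default), 1 = Exclusive Root Trust, 2 = Exclusive CA Trust.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$props    = Get-ItemProperty -Path $schannel -ErrorAction SilentlyContinue
$mode     = if ($null -ne $props.ClientAuthTrustMode) { [int]$props.ClientAuthTrustMode } else { 0 }
$modeName = @{0='Machine Trust'; 1='Exclusive Root Trust'; 2='Exclusive CA Trust'}[$mode]
"ClientAuthTrustMode   : $mode ($modeName)"
"SendTrustedIssuerList : $($props.SendTrustedIssuerList)"   # blank = value not set

# 2) Which LocalMachine stores contain the certificate? (AuthRoot = Third-Party Root CAs)
foreach ($store in 'TrustedPeople','Root','AuthRoot','CA') {
    $hit = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $Thumbprint
    "{0,-14}        : {1}" -f $store, $(if ($hit) { 'present' } else { 'absent' })
}

# 3) Properties of the certificate itself
$cert = Get-ChildItem Cert:\LocalMachine -Recurse |
        Where-Object Thumbprint -eq $Thumbprint | Select-Object -First 1
if (-not $cert) { throw "Certificate $Thumbprint not found in any LocalMachine store" }
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$ekuExt = $cert.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientEku = [bool]($ekuExt | ForEach-Object { $_.EnhancedKeyUsages } |
                       Where-Object Value -eq $clientAuthOid)
"Self-signed           : $($cert.Subject -eq $cert.Issuer)"
"Client Auth EKU       : $hasClientEku"

# 4) Ask the platform chain engine. A self-signed leaf that lives only in Trusted People
#    is not a trusted root, so the build reports UntrustedRoot; that is consistent with
#    IIS answering 403.16 (client certificate untrusted or invalid) as the thread describes.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null
$built = $chain.Build($cert)
"Chain builds          : $built"
foreach ($st in $chain.ChainStatus) { "  {0}: {1}" -f $st.Status, $st.StatusInformation.Trim() }
```

Comparing the output against the same script run on the 2008 box shows immediately whether the difference is store placement, trust mode, or the certificate's own extensions.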

All replies

  • Hi Aaron,

    >> Now this works fine in Server 2008, but we are now evaluating Server 2012 and the only way I can get it to work is to store the cert in either "Trusted Root" or "Third Party Trusted Root"

    What error did you get under Server 2012?

    Based on the description, it seems to be related to permissions. I suggest you check which account you used to run the WCF service, and try running the service under the account that installed the certificates.

    Best Regards,

    Tao Zhou


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, December 19, 2017 2:46 AM
  • The certificate was rejected with a 403.16 error. Again, if the cert is in Trusted Root or Third-Party Trusted Root it goes through fine. I also checked, and there are no non-self-signed certs in either of those stores or in Intermediate Certification Authorities (as some articles suggested might be the problem).
    Tuesday, December 19, 2017 1:09 PM
  • Hi Aaron,

    I'm trying to involve some senior engineers into this issue and it will take some time. Your patience will be greatly appreciated.

    Sorry for any inconvenience and have a nice day!

    Best Regards,

    Tao Zhou


    MSDN Community Support

    Thursday, December 21, 2017 9:39 AM