Visual Studio Update 4 Broke IIS Express' ability to request Client Certificates.

  • Question

  • User-1842880510 posted

    I had my IIS Express configured as specified on this page http://jasonrshaver.com/?tag=/Client+Certificates .  This allowed me to run my application in SSL for the 11 months from June 2013 all the way up to 9:50 AM EST this morning April 22, 2014.  At 9:54 AM EST we ran Visual Studio 2012 Update 4.  At 11:00 AM EST I opened my web application and ran a debug.  At no point did IE or IIS Express request a client Certificate.  The application runs an authentication process which evaluates the server variables and headers to get the Subject value from the client certificate.  But there was no Client certificate, so there was no Cert_Subject server variable, so the application failed before it could even get to the part I was coding.   I checked

    All of the settings in both applicationhost.config files are as directed on the web site.  This was not happening before VS 2012 Update 4 was run.  This started happening immediately after VS 2012 Update 4 was installed.  So there is a one to one correlation between these symptoms and the VS 2012 Update 4.  What did Update 4 do to my IIS Express?

    Tuesday, April 22, 2014 11:48 AM

Answers

  • User-1842880510 posted

    I never got a satisfactory answer to this.  However as of the time I used VS 2012 I had added the server's, (local machine's), cert to the trusted root cert authority.  Now I am no longer experiencing this error.  No idea why this fixed it.

    Our network was blocked from accessing WWW.ASP.Net for a couple of years which is why my posts were neglected so long.  Now we are allowed in so I am trying to close out all of my open questions. 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, February 8, 2018 8:09 PM

All replies

  • User-1454326058 posted

    Hi joeller,

    Could you reproduce that scene in a new project?

    Based on my test in the VS 2013 2012 Ultimate with Update 4 and VS 2013 Ultimate with Update 2, both of them work fine.

    On the other hand, based on the Visual Studio 2012 Update 4 description, I don’t find anything that can affect the ability of IIS Express to request certificates.

    # Description of Visual Studio 2012 Update 4

    http://support.microsoft.com/kb/2872520

    I suggest that you could create a new project and check the result.

    Thanks

    Best Regards

    Wednesday, April 23, 2014 1:58 AM
  • User-1842880510 posted

    Done 3 new projects.  Same result.  And I already did this last time it happened in January on a different machine, when I did not understand that it was update 4 that caused the issue.

    And besides, note the timeline

    • 9:50 AM project runs just fine.  User requested to choose which client certificates to use. PIN entered. Project opens.
    • 9:54 AM - 10:55 AM Visual Studio 2012 Update 4 installing.
    • 10:56 AM machine rebooted
    • 11:00 AM VS opened.  Project opened.  Run in debug.  No request for you to choose client certificate.  Application fails because Cert_Subject is empty.

    As you can see, the only change made to the operating environment was the installation of Update 4.  Your tests with VS 2013 are not relevant.  You need to install a copy of VS 2012 Professional, create a project using SSL with IIS. Write code in your project to access cert_subject, make the changes to applicationhost.config recommended by Jason Shaver to require IIS Express to request client certificates.  Run your project.  Then install Update 4 then run your project.

    As stated this is the second time on three machines that it has happened.  The third machine has not had Update 4 installed.

    Wednesday, April 23, 2014 8:25 AM
  • User-1454326058 posted

    Hi joeller,

    I made a mistake, my test is in the VS 2012 Ultimate with Update 4 and VS 2013 Ultimate with Update 2. (I modified the reply)

    As you said “Done 3 new projects”, did you do the test with a new project after installing Update 4?

    1. Install the VS 2012 update 4
    2. Create a new project and repeat the steps to enable IIS Express to request client certificates
    3. Check the result

    On the other hand, after installing VS 2012 Update 4, please check whether the applicationhost.config file of IIS Express was restored.

    Thanks

    Best Regards

    Wednesday, April 23, 2014 10:09 PM
  • User-1842880510 posted

    As you said “Done 3 new projects”, did you do the test with a new project after install the update 4.

    Yes of course

    check the applicationhost.config file of IIS Express whether it was restored.

    Already did.  No changes.

     

    Thursday, April 24, 2014 8:09 AM
  • User-1842880510 posted

     

    In an effort to get back to my status before I stupidly applied Update 4 I did the following:

    • I did an uninstall of VS Pro 2012 Update 4.  However this resulted in the incapacity of VS 2012 to open any project.  They were all reported as "incompatible"
    • I did a repair of VS Pro 2012.   Same situation.
    • I installed Update 3 of Visual Studio Pro 2012.  Same situation.
    • I did an additional repair of VS Pro 2012.  This time projects were able to open.
    • Ran MVC SSL project.  Certificates not requested which causes project to fail because no certificates were supplied.
    • Ran Web Forms SSL project. Certificates not requested which again causes project to fail because no certificates were supplied.
    • Tried to create new web forms project.  Attempt fails with error message below.
    Error: this template attempted to load component assembly 'NuGet.VisualStudio.Interop, Version=1.0.0.0, 
    Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'. For more information on this problem and how to enable
    this template see documentation on Customizing Project Templates.

    Again I checked both the applicationhost.config in my profile and the one under Program Files\IIS Express\AppServer
    Neither of them had been changed.

    I am thinking my next step is to totally uninstall VS 2012 and IIS Express, and do the reinstall from the disk and then apply Update 3.

     

    Thursday, April 24, 2014 8:27 AM
  • User-1842880510 posted

    Commencing uninstall now.  Will advise.

    Did not work;

    Version of VS 2012 installed is RTMrel.  applicationhost.config on both profile and program files have been changed from <access sslFlags="None" /> to <access sslFlags="SslNegotiateCert" /> and changed from <iisClientCertificateMappingAuthentication enabled="false"></iisClientCertificateMappingAuthentication> to <iisClientCertificateMappingAuthentication enabled="true"></iisClientCertificateMappingAuthentication>

    However IE is still not requesting client certificates when application run in SSL.  It is not clear what happened.  I am going to delete the applicationhost.config under my profile, run regular new IIS express web forms project to recreate it. Then make those same changes to convert new project to SSL and make it ask for client certs.

    Did as specified above, still IE does not ask for client certificates.   Surely someone has some ideas.

    Monday, April 28, 2014 9:42 AM
  • User-1842880510 posted

    The only remaining machine which had IIS Express properly requesting client certificates ran VS 2012 Update 4 as part of a package of Windows Updates.  Now IIS express no longer requests client certificates there either.

    Saturday, May 3, 2014 5:00 PM
  • User-1842880510 posted

    I contacted Microsoft Support.  After going around Robin Hood's barn on the issue, doing things with certificates that had no bearing on the issue, it was finally resolved, (almost by accident) by the following registry edit.

    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL
    • On the Edit menu, point to New, and then click DWORD Value.
    • Type SendTrustedIssuerList, and then press ENTER to name the registry entry.
    • Right-click SendTrustedIssuerList, and then click Modify.
    • In the Value data box, type 0 if that value is not already displayed, and then click OK

    The access element's sslFlags attribute must be left set to "SslNegotiateCert"

    And that fixed it. 

    (I knew it was a registry issue.)

    Thursday, May 22, 2014 1:52 PM
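
A read-only check of the settings changed in this thread, as an added example that is not part of the original posts: it reports the Schannel SendTrustedIssuerList value and, for both applicationhost.config copies, every sslFlags and iisClientCertificateMappingAuthentication setting. The profile path under Documents\IISExpress\config and the use of the ProgramFiles variable are assumptions; adjust both paths to your install.

```powershell
# Added diagnostic example (not from the thread). Read-only: it changes nothing.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$configs = @(
    # Assumed default per-user location of the IIS Express config
    (Join-Path $env:USERPROFILE 'Documents\IISExpress\config\applicationhost.config'),
    # Template copy mentioned in the thread; may live under "Program Files (x86)"
    (Join-Path $env:ProgramFiles 'IIS Express\AppServer\applicationhost.config')
)

# 1. Schannel: does the server send its trusted issuer list with the
#    client-certificate request? The fix in the thread sets this to 0.
$prop = Get-ItemProperty -Path $schannel -Name SendTrustedIssuerList -ErrorAction SilentlyContinue
$issuerList = if ($null -eq $prop) { 'not set (OS default applies)' } else { $prop.SendTrustedIssuerList }
[pscustomobject]@{ Source = $schannel; Setting = 'SendTrustedIssuerList'; Value = $issuerList }

# 2. applicationhost.config: sslFlags and client-certificate mapping
foreach ($path in $configs) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ Source = $path; Setting = '(file)'; Value = 'missing' }
        continue
    }
    $xml = [xml](Get-Content -LiteralPath $path -Raw)

    # <access> can appear in the global section and again inside per-site
    # <location> blocks, so report every occurrence rather than the first.
    foreach ($node in $xml.SelectNodes('//security/access')) {
        [pscustomobject]@{
            Source  = $path
            Setting = 'access/@sslFlags'
            Value   = $node.GetAttribute('sslFlags')   # expected: SslNegotiateCert
        }
    }
    foreach ($node in $xml.SelectNodes('//authentication/iisClientCertificateMappingAuthentication')) {
        [pscustomobject]@{
            Source  = $path
            Setting = 'iisClientCertificateMappingAuthentication/@enabled'
            Value   = $node.GetAttribute('enabled')    # expected: true
        }
    }
}
```

Running it before and after an update and comparing the output shows whether any of these values changed, including a per-site `<location>` override that a check of the global section alone would miss.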
  • User-1842880510 posted

    When I applied this fix to a different machine, it did not work.  I am as confused as ever.

    Update:  The fix for getting IIS to request a client cert works.  However after getting the client cert, IIS express will only deliver a 500 error.  I did this on a plain vanilla out of the box application which is not using the cert for anything and still got that error. 

    However, when I applied that fix to the third machine affected by Update 4 then it threw an error because the root cert authority of the client was not in the trusted root authorities of the local machine, although it was listed in IE, and it never had to be listed in the local machine Trusted Root authorities before applying Update 4.  The trusted root cert authority IS listed in the trusted root authorities of the machine throwing the 500 error.

    Wednesday, July 9, 2014 9:41 AM