VS2010 refuses to debug a secure ASP.NET application, where the application's SSL settings in IIS require client certificate. RRS feed

  • Question

  • Dear ladies and sirs.

    I have an ASP.NET application, its SSL settings in IIS require client certificate (i.e. mutual authentication).

    When I am trying to debug the application from VS2010 I get this error:

    Microsoft Visual Studio
    Unable to start debugging on the web server. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

    Click Help for more information.
    OK   Help  

    Note, that debugging the same application when client certificate is not required works fine.

    Any suggestions how can I enable debugging with mutual authentication?


    Wednesday, January 19, 2011 9:37 PM


All replies


    Here is a blog discussed Debugging an ASP.NET Web Site with SSL, you may want to have a read:


    First you should know there are two types of web projects: ASP.NET Web Site and ASP.NET Web Application. The ASP.NET Web Site is new to .Net 2.0 and there are a number of differences between the two project types. You can look up most of them later, I'm only interested in one difference.In the ASP.NET Web Application, when you go to Project->Properties->Web tab, you can specify to debug with the IIS Web server. You can even tell it which Url to use. So if your url is normally "http://localhost/MyWebApp" you can change it to "https://localhost/MyWebApp" and viola!, you are debugging a secure web site! ...

    Eric Yang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Sunday, January 23, 2011 5:06 AM
  • Hi.

    I have read the blog. It seems irrelevant to me. My web project is a Web Application project, the URL is already an https:// one. And indeed, I am able to debug it if SSL settings on the virtual directory do not require the client certificate (i.e. one way authentication). However, the problem arises if I require the client certificate (i.e. mutual authentication).

    Any more ideas?


    Sunday, January 23, 2011 12:49 PM
  • Hi, Thank you for your question, we're doing research on this case. It might take some time before we get back to you.
    Eric Yang [MSFT]
    MSDN Community Support | Feedback to us
    Get or Request Code Sample from Microsoft
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Monday, January 24, 2011 1:48 PM
  • OK, looking forward...
    Wednesday, January 26, 2011 10:44 AM
  • Hi,

    Are you still seeing this issue? Are there IIS log files you can share for us to review?


    bill boyce
    Monday, February 14, 2011 8:25 PM
  • Sure I see this issue - nothing has changed since the last time. Please instruct me which logs do you need. BTW, don't you want VS2010 logs? Just tell me how to activate the logs and where to find them and we are good.


    Thursday, February 17, 2011 7:02 PM
  • Thursday, February 24, 2011 5:12 PM
  • OK.

    1. IIS log is empty. It is created, but empty. Indeed, I never actually get to accessing any web resources, hence it makes sense that the log is empty.
    2. Visual Studio is another story. When I run it like so devenv /log C:\logs\ActivityLog.xml , the log file is indeed created. But, simply running devenv is not good, because in order to debug a web application, the devenv has to be run as administrator. But, the same command line when run as administrator does not create any log file!

    Awaiting for further instructions.



    Monday, February 28, 2011 7:44 PM
  • Anyone?
    Sunday, March 13, 2011 8:09 AM
  • Using a client certificate we will not be able to debug directly. Alternatively you can attach the debugger to a process and debug your ASP.NET application.

    Error: Unable to Start Debugging on the Web Server

    ASP.NET Debugging: System Requirements

    How to: Attach to a Running Process


    bill boyce
    Tuesday, March 22, 2011 10:15 PM
  • Hmm.

    I did not understand you reply. Do you confirm that there is a problem debugging web app, when the mutual authentication is requested?  Because, all the items in the links you gave are irrelevant - the same web app is debugged just fine once you change the SSL settings of the respective virtual directory to accept the client certificate rather than require it.

    If it is indeed a bug, I'd like to make sure that it is known.

    Tuesday, March 29, 2011 8:10 PM
  • I guess no one cares.
    Monday, April 11, 2011 7:01 AM
  • In research with team and finding that,  No, it's not a bug. It is a product limitation.

    Your options are to attach manually after the process is running or you can turn off "Required" for client certs.


    Vijay has a short blog about this here:


    You need Windows Auth enabled for VS to be able to attach automatically.  The customer can still attach manually after the site is running.


    My suggestion is to see about what options to check out through support. Here is info for more in depth level into the problems.


    There are various support options such as advisory and per issue. Please visit the below link to see the various paid


    support options that are available to better meet your needs.


    bill boyce
    • Marked as answer by Markell Tuesday, April 12, 2011 9:34 AM
    Monday, April 11, 2011 2:47 PM
  • Thanks.

    Of course, you understand that attaching to the process and debugging it from the very start is not the same when we are talking about VS. Namely, when I start the process from the debugger I am able to debug the MS source code and inspect the state of the local variables inside the MS code (with the help of the source server). However, inspecting the local variables in MS code is unavailable when one attaches to the process. Strange, but true. So, the two techniques are not equivalent.


    Tuesday, April 12, 2011 9:38 AM
  • Alternatively, you can create a blank web application on Visual Studio, call it "debugging", and have it use the same application pool as the site requiring client certificates. Set this "debugging" project as the startup project on VS and you will be able to debug the application that requires the client certificate using F5 because it runs on the same application pool. 

    You can even create a dummy html page on the "debugging" site to redirect you to the start page on your other project.

    Note: the "debugging" application would obviously need to be configured to Ignore Client Certificates on IIS.
    Friday, February 10, 2012 12:57 AM