Symptoms

We have a Win2k3/Win2k8 Server. We are trying to send HTTPS messages to this Win2k3 Server. The Server Requires Client Side Certificates. The IIS log shows error 403.7 - Client Side Certs Reqd. Also if you enable deadlettering on the messages the messages end up in deadletter queue with HTTP error 403.

Cause

If a Win2k8 Server has this problem then the problem is that the Network Service Account under which MSMQ runs does not access to the Private Key in MSMQ Certificate Store. Here is the error logged in the System log on Win2k8 Server.

Log Name:      System
Source:        Schannel
Date:          8/18/2010 3:15:10 PM
Event ID:      36870
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ComputerName

Description:
A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x8009030d.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Schannel" />
    <EventID Qualifiers="49152">36870</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2010-08-18T19:15:10.000Z" />
    <EventRecordID>34419</EventRecordID>
    <Channel>System</Channel>
    <Computer>Computer Name</Computer>
    <Security />
  </System>
  <EventData>
    <Data>client</Data>
    <Data>8009030d</Data>
  </EventData>
</Event>

Resolution

On Windows 2008 Server you need to execute the command at command prompt. The command below gives network service account access to the Private Keys for the Certificates.

  certutil.exe -service -service -repairstore MSMQ\My "" D:PAI(A;;GAGR;;;BA)(A;;GAGR;;;SY)(A;;GAGR;;;NS) MSMQ\My

Recycle MSMQ and confirm that the error above is no longer logged in the event log.

The Step Below may or may not be required.

On the Win2k3 Server that is running IIS we execute the following command.

 C:\Inetpub\AdminScripts>

Cscript.exe adsutil.vbs SET w3svc/1/SSLAlwaysNegoClientCert "true" 

Note: You need to execute this from AdminScripts Directory.