One-to-one client certificate mapping. 401.1 with a sc-win32-status of 2148086018

I've seen a few cases like this, so I thought I'd do a post on it.

The scenario is that you would like to set up one-to-one client certificate mapping on IIS.

"One-To-One Mappings <oneToOneMappings>"

https://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication/oneToOneMappings?showTreeNavigation=true

The post most often referred to on how to do this is the following:

"Configuring One-to-One Client Certificate Mappings"

http://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings

or

http://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx

So, you have followed these steps. Then you try to access the site for which you set this up, and you get:

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permission to view this directory or page using the credentials that you supplied.

Basically, since the blob is the Base64 encoding of the certificate, it is enough that one character is wrong or missing in the blob string for the mapping to fail.

It is easy to accidentally drop a character when concatenating the blob into one line.

So, have a look at the IIS log for the failed request and see if you find something like this:

<date><time><sip> GET /default.aspx - 443 - <cip><user agent> 401 1 2148086018

So you have a 401.1 with a sc-win32-status of 2148086018.

If this is the case, then you have most likely made a mistake when concatenating the string into a single line.
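The log check above can be scripted. The PowerShell below is an added example, not code from the original post: it parses a few constructed W3C log lines (the `#Fields:` header is the standard IIS one) and lists the requests that carry the 401.1 / 2148086018 signature. As a side note the post does not make, 2148086018 is 0x80093102, the CRYPT_E_ASN1_EOD error ("ASN1 unexpected end of data"), which is exactly what decoding a truncated certificate blob produces, so the number itself supports the diagnosis.

```powershell
# Added example (not from the original post): find requests in an IIS W3C log
# that failed with 401.1 and sc-win32-status 2148086018 (0x80093102,
# CRYPT_E_ASN1_EOD), the signature of a damaged one-to-one mapping blob.
# The log lines below are constructed sample data, not a real server log.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2024-01-01 10:00:00 10.0.0.5 GET /default.aspx - 443 - 10.0.0.20 Mozilla/5.0 401 1 2148086018
2024-01-01 10:00:05 10.0.0.5 GET /default.aspx - 443 - 10.0.0.20 Mozilla/5.0 200 0 0
2024-01-01 10:00:09 10.0.0.5 GET /index.htm - 443 - 10.0.0.21 curl/8.0 401 1 2148086018
'@

function Find-CertMappingFailures {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields: directive names the columns; IIS may repeat it mid-file
        # after a restart, so keep the latest one.
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -eq '401' -and
            $row['sc-substatus'] -eq '1' -and
            $row['sc-win32-status'] -eq '2148086018') {
            [pscustomobject]@{
                Time     = "$($row['date']) $($row['time'])"
                ClientIp = $row['c-ip']
                Uri      = $row['cs-uri-stem']
            }
        }
    }
}

Find-CertMappingFailures -Lines ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it against a real log, replace the here-string with `Get-Content` on the file under the site's log directory; the two sample failures above are the only rows the filter should return for the constructed input.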

The first thing to test is the following:

1. Export the client certificate from the client machine again.

2. Concatenate all the lines into a single line of text again.

3. Add this to IIS via Configuration Editor or directly in applicationHost.config (#8 in Step 2 in the walkthrough).
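The three steps above can be done in a way that catches the dropped character before IIS does. The PowerShell below is an added example, not code from the original post or the linked walkthrough: it strips the armour and line breaks from a Base-64 .cer export, checks that the result decodes back into a parseable certificate, and prints the `<add>` element for `oneToOneMappings`. The demo certificate is constructed in memory with `CertificateRequest` (PowerShell 7, or Windows PowerShell on .NET Framework 4.7.2 or later) so the script runs without touching a certificate store; the `DOMAIN\user` name and the password value are placeholders.

```powershell
# Added example (not from the original post or the IIS walkthrough): build the
# single-line Base64 blob that <oneToOneMappings><add certificate="..."/> expects
# and verify it round-trips to a certificate before it goes into IIS.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function ConvertTo-SingleLineBlob {
    # Takes the text of a "Base-64 encoded X.509 (.CER)" export and removes the
    # BEGIN/END armour and every line break, the by-hand step where a character
    # usually gets lost.
    param([string]$PemText)
    $body = ($PemText -split "`r?`n") | Where-Object { $_ -notmatch '^-----' }
    return (($body -join '') -replace '\s', '')
}

function Test-CertificateBlob {
    # Returns "OK ..." or "FAIL ...". A FAIL here is what IIS reports as
    # 401.1 / 2148086018 (0x80093102, CRYPT_E_ASN1_EOD) once the blob is in place.
    param([string]$Blob)
    if ($Blob -match '\s') {
        return 'FAIL: blob still contains whitespace or line breaks'
    }
    if ($Blob.Length % 4 -ne 0) {
        return "FAIL: length $($Blob.Length) is not a multiple of 4; a character is missing"
    }
    try { $der = [Convert]::FromBase64String($Blob) }
    catch { return "FAIL: not valid Base64 ($($_.Exception.Message))" }
    try {
        $c = [X509Certificate2]::new($der)
        return "OK: $($c.Subject), thumbprint $($c.Thumbprint)"
    }
    catch { return "FAIL: Base64 decodes but is not a certificate ($($_.Exception.Message))" }
}

# --- Demo -------------------------------------------------------------------
# Constructed throw-away certificate standing in for the real exported client cert.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=demo client', $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$clientCert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

# Reproduce what certmgr's Base-64 export looks like: armour plus 64-char lines.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       (([Convert]::ToBase64String($clientCert.RawData) -split '(.{64})' | Where-Object { $_ }) -join "`r`n") +
       "`r`n-----END CERTIFICATE-----`r`n"

$good = ConvertTo-SingleLineBlob -PemText $pem
$bad  = $good.Remove(100, 1)             # simulate one dropped character

Test-CertificateBlob -Blob $good         # OK: CN=demo client, thumbprint ...
Test-CertificateBlob -Blob $bad          # FAIL: length ... is not a multiple of 4 ...

# Element for system.webServer/security/authentication/iisClientCertificateMappingAuthentication
# in applicationHost.config. Set the password through Configuration Editor so it is
# stored encrypted; DOMAIN\user is a placeholder.
@"
<oneToOneMappings>
  <add enabled="true" userName="DOMAIN\user" password="[set via Configuration Editor]" certificate="$good" />
</oneToOneMappings>
"@
```

For a real certificate, read the exported .cer with `Get-Content -Raw` and pass it to `ConvertTo-SingleLineBlob`, or skip the export entirely and take `[Convert]::ToBase64String($cert.RawData)` from the certificate object, which is already a single line without armour. Either way, run `Test-CertificateBlob` on the exact string you are about to paste; a length that is not a multiple of 4 is the quickest tell that a character went missing.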

Hope this helps.

Comments
  • Sorry but not helpful. Nothing is wrong with the blob because if I specify domain\username and password it works. I don't want the added security of using credentials.

  • Thanks Michael, this was exactly the problem I was experiencing. Concatenating the Base64 certificate in Notepad resulted in weird word-wrapping behavior and the resulting paste wasn't valid. Removing the line breaks using Notepad++ resulted in a valid string to paste.
