From time to time I have to deal with certificate based authentication, when developing WCF services and from time to time I’m falling into the same pit.
Today I was configuring WCF service to use certificates for authentication (via AD certificate mapping). After configuring the IIS and WCF I’ve tried to access the SVC help page/metadata, but was getting 403.7 Forbidden: Client certificate required from IIS. The IIS logs contained something like this:
<date time> W3SVC1 <IP> GET /site/service.svc – 443 – <IP> <Browser> 403 7 64
Bing came out with the support KB article on this issue, but all possible causes were dealt with: CA was trusted, certs were not revoked or expired. And then it hit me – “not expired”, yes, of course – how the IIS checks the revocation of the certificate? Simply by looking into the certificates CRL distribution points information (if it is present there) and it must be accessible and reachable from IIS, which hosts the service. To check if everything is ok, just copy CRL’s URL from the certificate and try to open it via browser on IIS hosting service.
In my situation that was the problem, which was fixed easily by entering appropriate DNS records.
Of course, it is possible to switch off the certificate revocation checking on IIS, but that’s completely NOT recommended.