
Scenario:

  • AWS hosted EC2
  • Machine running IIS directly.
  • Default inetpub/wwwroot setup
  • Installed self-signed certs to enable HTTPS.
  • Open browser to localhost - OK.
  • Open browser to https://localhost - OK (warning about the insecure SSL cert, but it works for test purposes and resolves the request).
  • Go back to default website settings and pick SSL settings.
  • Change option to ACCEPT Client Certificates (default is ignore).
  • Open browser to localhost - OK.
  • Open browser to https://localhost - FAIL

Error from page

Internal Server Error with code 0x80070032

From this error, I found MS Error info:

Description of HRESULT ISAPI filter drive:\FilePath\ISAPI_FLT.dll tried to register for SF_NOTIFY_READ_RAW_DATA notification.

I need to authenticate users and provide secure ID card information, but why fail out-the-gate even with the default IIS and nothing I am doing special otherwise?

Will eventually be running C# MVC Razor pages / Kestrel, but I can't even get this basic component going before putting in anything else.

  • Have you considered using debug, as mentioned in the More Information section of the MS doc, to find out what is triggering the exception in finer detail? Have you tried to find the actual error message so you know what directory "drive:\FilePath\" is actually pointing to? You have very general information here, and not really enough to figure out how to help. Commented Oct 25 at 3:15
  • @tsc_chazz, as mentioned, this is all the DEFAULT of IIS. I have not done or written anything associated with this. It is just brand-new startup instance of IIS which is the concern. Commented Oct 25 at 8:01
  • It might be the default from AWS, but not actually the default from Microsoft (like the original Windows Server installation media). Thus, you should share your concerns with the right people. Usually you might start with AWS technical support and see where they guide you to. Commented Oct 25 at 18:52
  • You have not mentioned anything about your client certificate mapping configuration learn.microsoft.com/en-us/iis/configuration/system.webserver/…. In addition, your server does not have a client certificate, so it will not work from the server in any case. Commented Oct 26 at 11:56

2 Answers


You’re hitting this because simply switching IIS to “Accept client certificates” isn’t enough — IIS will attempt to negotiate a client certificate during the TLS handshake, but your HTTPS binding is using a self-signed server cert with no client-trust chain and no client cert installed/mapped. The handshake fails before IIS can serve the default page, so you see 0x80070032 at BeginRequest.

To get mTLS working locally:

  • Create a test CA + server cert + client cert (not just a single self-signed cert).
  • Install the client cert in your browser's personal certificate store.
  • Install the root CA into Trusted Root Certification Authorities on the server.
  • IIS → SSL Settings: Require SSL (once working); Client Certificates → Accept (or Require, after validation).
  • If you're doing mapping: enable Client Certificate Mapping Authentication under Authentication in IIS.
  • Restart IIS.

For local testing, PowerShell New-SelfSignedCertificate works, but you need to generate a chain (root → server → client).

If you run into issues generating the cert chain or mapping client certs, this might help you: https://learn.microsoft.com/iis/manage/configuring-security/configure-client-certificate-mapping-authentication
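As an added example (not part of the answer above), the chain this answer describes built with New-SelfSignedCertificate: a test root CA, a server cert for localhost and a client cert both signed by it, the root placed in Trusted Root Certification Authorities, the client cert exported as a PFX for the browser, and the site switched to Require SSL + Accept client certificates. The output folder, subject names, PFX password and the site name "Default Web Site" are assumptions; run it elevated on the server.

```powershell
# Added example, not the original answer's code. Assumes an elevated
# PowerShell on the IIS host and an existing https binding on Default Web Site.
$ErrorActionPreference = 'Stop'
$outDir = 'C:\certs-test'   # assumed scratch folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root CA: CA basic constraint + CertSign key usage so it can sign the two leaf certs.
$root = New-SelfSignedCertificate `
    -Subject 'CN=Test Root CA (local mTLS)' `
    -KeyUsage CertSign, CRLSign, DigitalSignature `
    -KeyExportPolicy Exportable -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.19={critical}{text}ca=1&pathlength=0') `
    -NotAfter (Get-Date).AddYears(2)

# 2. Server cert signed by the root: Server Authentication EKU, SAN = localhost.
$server = New-SelfSignedCertificate `
    -Subject 'CN=localhost' -DnsName 'localhost' -Signer $root `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(1)

# 3. Client cert signed by the same root: Client Authentication EKU (1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate `
    -Subject 'CN=test-user' -Signer $root `
    -KeyUsage DigitalSignature `
    -KeyExportPolicy Exportable -KeyLength 2048 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddYears(1)

# 4. Trust the root on the server so IIS can validate the chain of the presented client cert.
Export-Certificate -Cert $root -FilePath "$outDir\test-root.cer" | Out-Null
Import-Certificate -FilePath "$outDir\test-root.cer" -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 5. Export the client cert with its key; import this PFX into the browser's personal store.
$pfxPwd = ConvertTo-SecureString 'ChangeMe-TestOnly' -AsPlainText -Force   # assumed test-only password
Export-PfxCertificate -Cert $client -FilePath "$outDir\test-client.pfx" -Password $pfxPwd | Out-Null

# 6. Bind the chained server cert to the https binding, then Require SSL + Accept client certs
#    (sslFlags 'Ssl,SslNegotiateCert'; use SslRequireCert for Require once the chain works).
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https
$binding.AddSslCertificate($server.Thumbprint, 'My')
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location 'Default Web Site' `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslNegotiateCert'
```

After an `iisreset`, a browser that has imported test-client.pfx should be prompted for the certificate on https://localhost; a browser without it still gets the page because Accept does not yet require one.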

  • Sorry, just seeing this now. Was on vacation last week, just got back this week. Will look into it, but it makes sense. Will update once I have had a chance to apply it, since I can't do it on my local machine but apparently need to run it on the SERVER to create a Cert Auth. entry. Commented yesterday

After further checking and researching, I had to copy the cert into the Trusted Authorities path as well.

The final part was to explicitly add the permission on the folder for "DefaultAppPool"; even though that test failed, the permissions WERE the solution for me.

Go to the folder, right-click → Properties → Security tab → Edit → Add

In the "Enter the object names to select" box, enter: iis apppool\DefaultAppPool

Click Check Names to the right to confirm, then OK. Default permissions: Read & Execute, List folder contents, Read.

Issue resolved (at least for me); hopefully this helps others.
