I have a WCF service hosted under IIS 6.0 running under Windows 2003 R2. The service is SSL secured with “Required client certificates” option.
When I browse the service from IE within win 2003 R2, I am able to see the WSDL.
When I try to browse from my development machine running IE on Win XP, I see a 403.7 error like this:
The page requires a client certificate
......
......
HTTP Error 403.7 - Forbidden: SSL client certificate is required.
Internet Information Services (IIS)
I have spent 5 days on it and tried everything possible, like:
- Checking the client certificate on Client, private key, importing it again and again.
- Checking its intended purpose (client Authentication) and EKU value.
- Checking the CA is installed on both server and client in Trust Root Cert Authority Folder.
- Running the SSL Diag tool. Unfortunately it shows the message which I pasted above and not much detail.
- It works when I try the option “Accept Client certificates” under IIS Directory security tab.
Is there something that I am missing or unaware of?
Finally with the help of MSFT support, I have resolved it.
The reason was that on the web server there were too many certificates in the Trusted Root Certification Authorities folder, so that it exceeded the recommended length. Hence I got this warning in the event log.
I did delete some of the expired/unused certificates, but it still wasn’t sufficient. I couldn’t delete more certificates for fear of breaking the system, because they were not expired.
We used method 3, which is discussed here, to fix the problem.
Though it fixed my problem, the only drawback of using this method is that the client browser will present you with the list of all client certificates present on the computer instead of choosing the one the server wants based on the Trusted Root CA.
This works for me because I have a WCF service and not a website.
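An added diagnostic for the cause described in the answer (it is not from the original post or from Microsoft support): run on the web server, it estimates how large the list of trusted CA names is that Schannel would put in the TLS CertificateRequest when client certificates are required, and lists expired roots as the safest removal candidates. The 16 KB ceiling is my assumption, not a number from the post.

```powershell
# Added example, not from the original post. Run on the IIS server as a
# local administrator. The size limit is an assumed value for illustration;
# the post only says the store "exceeds the recommended length".
$assumedLimitBytes = 16KB

# Every certificate in the machine's Trusted Root store is a candidate
# issuer that the server advertises to the client during the handshake.
$roots = @(Get-ChildItem Cert:\LocalMachine\Root)

# Each entry in the TLS certificate_authorities list is a 2-byte length
# followed by the DER-encoded distinguished name of the CA, so summing
# the DER subject names gives a close estimate of the list on the wire.
$listBytes = 0
foreach ($cert in $roots) {
    $listBytes += 2 + $cert.SubjectName.RawData.Length
}

"{0} trusted roots, issuer list is about {1} bytes (assumed limit {2})" -f `
    $roots.Count, $listBytes, $assumedLimitBytes

if ($listBytes -gt $assumedLimitBytes) {
    Write-Warning "Issuer list exceeds the assumed limit; remote clients may see 403.7"
}

# Expired roots can be removed without affecting any valid chain, which is
# the same first step the post's author took before needing another fix.
$now = Get-Date
$roots |
    Where-Object { $_.NotAfter -lt $now } |
    Sort-Object NotAfter |
    Format-Table Thumbprint, NotAfter, Subject -AutoSize
```

Re-run after each clean-up pass; the size, not the raw certificate count, is what decides whether a client that is not on the server itself can complete the handshake.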