
Setting sslFlags to Ssl, SslNegotiateCert causes the site to not load

Blake Duffey 41 Reputation points
Aug 26, 2024, 8:57 PM

Have a .net core web app that uses client certificate authentication.

IIS is running on Windows 2022.

Site loads fine - when I add this to the web.config

<access sslFlags="Ssl, SslNegotiateCert" />

Suddenly the site won't load (doesn't even render a page). No error page, no 500, nothing. Nothing in the application or system log.

ASP.NET Core: A set of technologies in the .NET Framework for building web applications and XML web services.

2 answers

Sort by: Most helpful
  1. youzeliang 890 Reputation points
    Aug 30, 2024, 12:20 AM

    When configuring client certificate authentication in IIS for a .NET Core web application, setting the sslFlags in the web.config to Ssl, SslNegotiateCert should enable SSL and client certificate negotiation. However, if the site fails to load after adding this configuration, here are several troubleshooting steps and potential solutions:

    1. Check IIS Configuration
    • SSL Certificate: Ensure that the SSL certificate is correctly bound to the site in IIS. If the binding is incorrect or the certificate is invalid, it can prevent the site from loading.
    • Client Certificates: Verify that the client certificate settings in IIS are configured to accept client certificates. Navigate to your site in IIS Manager, select "SSL Settings," and make sure the option "Require SSL" is checked and "Accept" or "Require" client certificates is selected.
    2. Review the web.config

    Ensure your web.config file has the correct configuration for the application. A minimal example might look like this:

    <configuration>
        <system.webServer>
            <security>
                <access sslFlags="Ssl, SslNegotiateCert" />
            </security>
        </system.webServer>
    </configuration>

    3. Event Viewer Logs
    • Even though you mentioned there are no logs in the application or system log, double-check the Event Viewer for any relevant logs under Windows Logs > Application and Windows Logs > System. Sometimes IIS logs critical issues that can help diagnose the problem.

    If my answer is helpful to you, you can accept it. Thank you.

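    The checks in the answer above (certificate bound to the HTTPS binding, effective sslFlags for the site, and whether web.config is even allowed to set access/sslFlags) can be scripted. The script below is an added example, not from the thread or from Microsoft; it uses the Microsoft.Web.Administration API that ships with IIS and must be run in an elevated PowerShell on the IIS host. The site name is a placeholder assumption.

```powershell
# Added diagnostic script (not from the thread). Uses the Microsoft.Web.Administration
# API that ships with IIS; run elevated on the IIS host. The site name is an assumption.
param([string]$SiteName = 'Default Web Site')

Add-Type -Path "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll"
$mgr  = New-Object Microsoft.Web.Administration.ServerManager
$site = $mgr.Sites[$SiteName]
if (-not $site) { throw "Site '$SiteName' not found" }

# 1. Every HTTPS binding must carry a certificate. An empty hash means the binding
#    exists but nothing is bound, so the TLS handshake itself fails and no request
#    ever reaches the application (hence nothing in the application log).
foreach ($b in $site.Bindings | Where-Object { $_.Protocol -eq 'https' }) {
    $hash = if ($b.CertificateHash) {
        ($b.CertificateHash | ForEach-Object { $_.ToString('x2') }) -join ''
    } else { '<none>' }
    "{0,-25} cert={1} store={2} bindingSslFlags={3}" -f `
        $b.BindingInformation, $hash, $b.CertificateStoreName, $b.GetAttributeValue('sslFlags')
    if ($hash -eq '<none>') { Write-Warning "No certificate bound to $($b.BindingInformation)" }
}

# 2. The effective <access sslFlags> for the site (numeric: Ssl=8, SslNegotiateCert=32,
#    SslRequireCert=64, Ssl128=256) and whether the section may be overridden in
#    web.config at all. IIS ships with security/access locked at server level
#    (overrideModeDefault="Deny"); a web.config that sets it while locked is
#    rejected when the first request is processed.
$appHost = $mgr.GetApplicationHostConfiguration()
$access  = $appHost.GetSection('system.webServer/security/access', $SiteName)
"access/sslFlags (effective) : $($access.GetAttributeValue('sslFlags'))"
"access overrideModeEffective: $($access.OverrideModeEffective)"
if ($access.OverrideModeEffective -ne 'Allow') {
    Write-Warning "security/access is locked; <access sslFlags=...> in web.config will not be honoured."
    Write-Warning "Unlock with: $env:windir\system32\inetsrv\appcmd.exe unlock config -section:system.webServer/security/access"
}
```

    Run it before and after editing web.config: if the second section reports the section as locked, the web.config change is the problem regardless of the certificate side; if both look right and the site still does not answer, the failure is in the TLS handshake itself, which is where the Windows Server 2022 TLS 1.3 issue mentioned later in this thread sits.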

  2. Blake Duffey 41 Reputation points
    Sep 9, 2024, 5:18 PM

    I opened a ticket with MS Support. Apparently there is a bug with Windows 2022 involving TLS 1.3 and client certificate auth.

    The 'fix' for now is to disallow TLS 1.3 in IIS (at the site level).

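    The workaround in the answer above is applied per site, on the HTTPS binding, rather than host-wide in SCHANNEL. The script below is an added example, not from the thread or from Microsoft Support. It assumes the site name, and it assumes that the "Disable TLS 1.3 over TCP" checkbox in the IIS binding dialog on Windows Server 2022 corresponds to bit 32 (0x20) of the binding's sslFlags attribute; confirm in IIS Manager > Bindings after running it.

```powershell
# Added workaround script (not from the thread). Sets the per-binding "Disable TLS 1.3
# over TCP" flag on every HTTPS binding of one site, leaving SCHANNEL untouched.
# Assumptions: the site name, and that the flag is bit 32 of the binding sslFlags
# attribute (verify in IIS Manager > Bindings after running).
param([string]$SiteName = 'Default Web Site')

$DisableTls13 = 32   # assumption: binding sslFlags bit for "Disable TLS 1.3 over TCP"

Add-Type -Path "$env:windir\system32\inetsrv\Microsoft.Web.Administration.dll"
$mgr  = New-Object Microsoft.Web.Administration.ServerManager
$site = $mgr.Sites[$SiteName]
if (-not $site) { throw "Site '$SiteName' not found" }

foreach ($b in $site.Bindings | Where-Object { $_.Protocol -eq 'https' }) {
    $flags = [int]$b.GetAttributeValue('sslFlags')
    if ($flags -band $DisableTls13) {
        "TLS 1.3 already disabled on $($b.BindingInformation)"
        continue
    }
    # OR the bit in so that SNI / central cert store settings on the binding are kept.
    $newFlags = $flags -bor $DisableTls13
    $b.SetAttributeValue('sslFlags', $newFlags)
    "TLS 1.3 disabled on $($b.BindingInformation) (sslFlags $flags -> $newFlags)"
}
$mgr.CommitChanges()
```

    Because the change is scoped to this site's bindings, other sites on the same server keep TLS 1.3; a client certificate test against the site (for example with a browser that holds the certificate) should succeed once the binding is updated.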