AuthAnvil Authentication over SSL fails when connecting to a server that is set to accept client certificates

Issue

When attempting to authenticate to AuthAnvil via SSL, you get the following error in the Application, AAWinLogon or AAWinLogonCP event logs:

"Unable to properly send an authentication message to the AuthAnvil server at 'http://<AuthAnvilServer>/authanvilsas/sas.asmx'. Is this machine currently on the network, and is the SSL certificate on the AuthAnvil server trusted by this machine?"

However, you can successfully reach the URL https://<AuthAnvilServer>/authanvilsas/sas.asmx from a browser, and the IIS logs in C:\inetpub\logs\logfiles on the AuthAnvil server are displaying an HTTP 500 response code for communication attempts between the agent and the server.

Cause

The SSL settings for the site are configured to accept client certificates. As explained by Microsoft Knowledge Base Article 314324:

A server that is running Internet Information Server with Secure Sockets Layer (SSL) enabled can either ignore or accept client certificates. By default, the server is set up to ignore these certificates; however, if you decide to accept client certificates and to still use Anonymous authentication on your Web server, IIS generates harmless HTTP 500 error messages in the Web site log files.

This is expected behavior. The HTTP 500 error is part of the negotiation process of the client and server. The immediate cause of the HTTP 500 error is that the client closed the connection when the server was searching for additional data from the request. Because the socket is closed, IIS cancels the request and logs an HTTP 500 error. When the server sends a request for a client certificate, the browser processes this as a fatal error and disconnects the connection. It then starts a new session based on the assumption that the server is a "non-anonymous server."

 

Resolution

Set the SSL settings for the AuthAnvilSAS application directory in IIS to ignore client certificates.
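
One way to check and apply this setting from PowerShell, as an added example that is not part of the original article or vendor code. It assumes the application is hosted at "Default Web Site/AuthAnvilSAS" (the site name is an assumption; the application name is taken from the URL above) and uses the standard WebAdministration module.

```powershell
# Added example, not vendor code. Run in an elevated PowerShell session on the IIS server.
Import-Module WebAdministration

# Assumption: the application is hosted under "Default Web Site"; change to your site name.
$Location = 'Default Web Site/AuthAnvilSAS'
$PSPath   = 'MACHINE/WEBROOT/APPHOST'
$Filter   = 'system.webServer/security/access'

# Read the current sslFlags; depending on module version this is a string or an object with .Value.
$raw = Get-WebConfigurationProperty -PSPath $PSPath -Location $Location -Filter $Filter -Name 'sslFlags'
$current = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
Write-Host "Current sslFlags for '$Location': $current"

# "Accept" is SslNegotiateCert and "Require" adds SslRequireCert; "Ignore" is neither.
$clientCertFlags = 'SslNegotiateCert', 'SslRequireCert'
$flags = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -and $_ -ne 'None' })
$kept  = @($flags | Where-Object { $clientCertFlags -notcontains $_ })

if ($kept.Count -eq $flags.Count) {
    Write-Host 'Client certificates are already ignored; no change made.'
} else {
    # Keep Ssl / Ssl128 so the HTTPS requirement on the application is not weakened.
    $new = if ($kept.Count) { $kept -join ',' } else { 'None' }
    Set-WebConfigurationProperty -PSPath $PSPath -Location $Location -Filter $Filter -Name 'sslFlags' -Value $new
    Write-Host "sslFlags changed from '$current' to '$new'."
}
```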

  

Affects

All versions of AuthAnvil on Windows Servers running IIS 7.0 or later.

 

Questions?

If you have any questions or need some help, we would be happy to assist. Open a case at help.scorpionsoft.com or send an email to support@scorpionsoft.com.

 