Simplified: How to create an IIS website that requires client certificate using self-signed certificates

Some IE/IIS issues may involve client certificates. It always took me hours to deploy a test website that requires a client certificate. Therefore, I am going to write this blog to record every step, including creating a self-signed root CA, a server certificate, and a client certificate, and configuring IIS. Prerequisites Domain IIS server iis-lab-server @…

Resolving IIS 403.17 Issues

Windows 2012 introduced stricter certificate store validations. The Trusted Root Certification Authorities (i.e. Root) store can only have certificates that are self-signed. If that store contains non-self-signed certificates, client certificate authentication under IIS returns a 403.16 error code. To solve the problem, you have to remove all non-self-signed certificates…

Windows Server 2012 R2 Cannot install KB2919355

Following several unsuccessful attempts to install the Windows Server 2012 R2 Update for x64-based Systems (KB2919355), each of which produced error code 80070002,
1. Verify that Windows Update KB2919442 is installed by examining Control Panel\System and Security\Windows Update\View update history and, if not, download and install it (http://www.microsoft.com/en-us/download/details.aspx?id=42162)
2. Download…

Shrink Large SQL LDF Log Files

In SQL Server Management Studio:
1. Right click on the database in question and go to Properties.
2. Go to "Options" on the left.
3. Change the line "Recovery Model:" from Full to "Simple" and hit OK.
4. Right click on the database again, go to Tasks - Shrink - Files.
5. Under File Type: select…

Windows Auth in IIS does not work when browsing to the website

1. In Registry Editor, locate and then click the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
2. Right-click MSV1_0, point to New, and then click Multi-String Value.
3. Type BackConnectionHostNames, and then press ENTER.
4. Right-click BackConnectionHostNames, and then click Modify.
5. In the Value data box, type the host name or the host names for the site(s) that…

Windows Server Hardening – Disable weak ciphers

; ASLR hardening settings for Internet Explorer in KB3125869
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING]
"iexplore.exe"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ALLOW_USER32_EXCEPTION_HANDLER_HARDENING]
"iexplore.exe"=dword:00000001

; Disable weak ciphers
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
…