IIS: How to setup mTLS authentication for Belgian eID Card

Cyril COLIN 0 Reputation points
2025-04-23T09:45:18.2366667+00:00

Hello,

I've been trying to deploy an API using mTLS authentication on a Windows Server 2022 VM with IIS 10.0 installed, with no success.

The Web API is developed using .NET Core 8.0 and works properly when launched through Visual Studio. Its goal is quite simple: allowing users to register with a username, password and their Belgian eID Card's authentication certificate, allowing the manager to validate the registration, and then providing an HTTP-only authentication token that grants read-only access to a selection of our internal apps from outside.

I've been following mainly this guide to configure things correctly.

As far as local development goes, the API works fine while launched through Visual Studio 2022.

Where things go wrong is when I try to deploy it on the test server that was provided to me by the company's System Engineers. As said before, it's a Windows Server 2022 VM with a valid SSL certificate (provided by Sectigo).

When deployed, IIS always returns the following error:

HTTP Error 403.13 - Forbidden
Your client certificate was revoked, or the revocation status could not be determined.

When enabling Failed Request Logging, the XML file contains the following:

IIS Web Core
ModuleName IIS Web Core
Notification BEGIN_REQUEST
HttpStatus 403
HttpReason Forbidden
HttpSubStatus 13
ErrorCode The revocation function was unable to check revocation because the revocation server was offline. (0x80092013)
ConfigExceptionInfo

What I've tried:

  • Re-installing all Belgian Root CAs (and Intermediate Citizen CAs) on the server
  • Checking that the OCSP and CRL are accessible (I can download them from Edge on the server so I assumed they are)
  • Using certutil -urlfetch -verify MyeIDAuthCert.DER to check if everything goes well (and it seems like it does). The end of the output is "Leaf certificate revocation check passed".
  • Checking the Event Viewer to verify that the SSL handshake succeeds. I can clearly see in those logs that it does indeed succeed. The log even contains both the server certificate and my eID certificate.
  • Asking the System Engineers if any request is blocked by the company's firewall but they say that nothing was.

The weird thing is that if I use the company's Active Directory provided certificate that is installed on my laptop... it works.

So I was wondering if it is possible at all to configure IIS to use Mutual TLS Authentication with other (non-AD-linked) certificates and, if it is, what did I do wrong?

Any help would be appreciated.

Thanks in advance.

Internet Information Services

1 answer

  1. Cyril COLIN 0 Reputation points
    2025-04-24T13:16:24.29+00:00

    Hello,

    I finally found the answer thanks to @Lex Li (Microsoft).

    TLDR: the company's firewall is doing weird things.


    As Lex Li said, testing under my account was a bad idea.

    To test that theory I created a Service Account (SA) and tried to run the certutil -urlfetch -verify command with the SA's credentials using the runas command. It failed with the "The revocation function was unable to check revocation because the revocation server was offline" error!

    To try and get more details, I specifically allowed this SA to log in interactively and logged into the server with its credentials.

    Then, when trying to access the CRL and OCSP URLs I would get a nice firewall error:

    [image: screenshot of the firewall error page]

    I don't know exactly why my regular user could get through but not the Application Pool nor the SA. As far as I know, the firewall doesn't care about users, only IPs. But it looks like it's not quite true.

    What I know though is that the System Engineers added an exception that allows the server's main IP (not the one bound to the IIS website) to access the OCSP and CRL domains, and that IIS can now properly validate the certificate.

    Thanks again to Lex Li for the help.
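The diagnostic the answer arrives at, running the revocation check as the account IIS actually uses rather than as the administrator, can be scripted. The following is an added example written for this page; it is not code from the thread or from Microsoft. It extracts the CRL and OCSP URLs from the client certificate, probes them, and runs certutil -urlfetch -verify, optionally inside a child PowerShell started under a given credential. Assumptions: the certificate is exported as DER/CER (the thread's MyeIDAuthCert.DER; the C:\certs path and the DOMAIN\svc-apppool account name are placeholders), the credential is a service account configured as the application pool identity (the built-in ApplicationPoolIdentity virtual account has no password and cannot be started this way), and the "URL=" text layout produced by Format() is the Windows CryptoAPI rendering of those extensions.

```powershell
# Added example, not code from the original thread.
# Checks a client certificate's CRL/OCSP endpoints and certutil's revocation verdict as a
# chosen Windows account, so a per-identity firewall or proxy block shows up where the
# administrator's own session would report everything as reachable.

# Extract CRL Distribution Point and Authority Information Access URLs from the certificate.
# Format($true) is Windows CryptoAPI's text rendering, which lists each endpoint as "URL=...".
function Get-RevocationUrls {
    param([Parameter(Mandatory)] [string] $Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $urls = foreach ($ext in $cert.Extensions) {
        # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Info Access (OCSP)
        if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
        }
    }
    $urls | Sort-Object -Unique
}

# Script executed under the target identity. It separates "responder answered, even with an
# HTTP error status" (reachable) from "no response at all" (blocked), then asks certutil for
# its own verdict; 0x80092013 is the "revocation server was offline" code from the question.
$probe = {
    param($Urls, $Cert)
    foreach ($u in $Urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            "REACHABLE  $u  HTTP $($r.StatusCode)"
        } catch {
            $resp = $_.Exception.Response
            if ($resp) { "REACHABLE  $u  HTTP $([int]$resp.StatusCode) (responder answered)" }
            else       { "BLOCKED    $u  $($_.Exception.Message)" }
        }
    }
    $out = & certutil.exe -urlfetch -verify $Cert 2>&1 | Out-String
    if     ($out -match 'revocation check passed') { 'CERTUTIL   revocation check passed' }
    elseif ($out -match '0x80092013')              { 'CERTUTIL   0x80092013 revocation server offline' }
    else                                           { "CERTUTIL   unexpected result, full output follows`n$out" }
}

function Test-RevocationAccess {
    param(
        [Parameter(Mandatory)] [string] $CertPath,
        [System.Management.Automation.PSCredential] $Credential
    )
    $urlList = (Get-RevocationUrls -Path $CertPath | ForEach-Object { "'$_'" }) -join ','
    $command = "& {$probe} -Urls @($urlList) -Cert '$CertPath'"

    # No credential: run in the current session to get the baseline (the "works for me" case).
    if (-not $Credential) { return Invoke-Expression $command }

    # With a credential: start a child PowerShell as that account and capture its output.
    # The output file must be writable by the target account, hence %SystemRoot%\Temp.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($command))
    $outFile = Join-Path $env:SystemRoot "Temp\revcheck-$PID.txt"
    Start-Process powershell.exe -Credential $Credential -Wait `
        -ArgumentList '-NoProfile', '-EncodedCommand', $encoded `
        -RedirectStandardOutput $outFile
    Get-Content $outFile
    Remove-Item $outFile -ErrorAction SilentlyContinue
}

# Usage (paths and account name are placeholders): compare the admin baseline with the
# application pool identity's view of the same endpoints.
# Test-RevocationAccess -CertPath C:\certs\MyeIDAuthCert.DER
# Test-RevocationAccess -CertPath C:\certs\MyeIDAuthCert.DER -Credential (Get-Credential DOMAIN\svc-apppool)
```

Run it twice on the IIS host: once without -Credential and once with the pool's service account. If the first run reports REACHABLE and "revocation check passed" while the second shows BLOCKED and 0x80092013, the certificate chain and CA installation are fine and the gap is in egress policy applied to that identity or its proxy settings, which is the pattern the thread ended on. Note that the child process must be allowed to log on (batch or interactive) for Start-Process -Credential to succeed, and that the OCSP responder answering with an HTTP 4xx to a plain GET still counts as reachable here, since only network-level blocking is being tested.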

