MMP Client Certificate Auth problem

Hi, All!
I can't configure client cert auth through MMP. I'm using the most recent release of communicationsuite (7u2).
Proxy auth for clear imap using admin settings like StoreAdmin and StoreAdminPass works well.
MMP for unencrypted IMAP works well too.
However, MMP for client certificate auth does not work.
I see the following messages in the log:
[19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Alert: dmap_locate_basedn called with baseDN uid=monakhv, ou=people, o=dvatest.ot,o=isp
[19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Debug: (id 554) User '[email protected]' replay user '[email protected]'
[19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Error: (id 554) Proxy authentication invalid admin '[email protected]', login as '[email protected]'
I would appreciate any ideas to recover it.
Regards, Monk.

cnewman wrote:
For the MMP, the MMP's StoreAdmin setting has to exactly match the administrative user. The log error you see:
This is from my ImapProxyAService.cfg
default:StoreAdmin admin
default:StoreAdminPass enz.ZIM137
[19/Dec/2011:11:27:43 +0400] sf240 ImapProxy[1688]: General Error: (id 554) Proxy authentication invalid admin '[email protected]', login as '[email protected]'
This is really strange message for me. Some experiment with mail client (Thunderbird) shows that
one '[email protected]' goes from user ssl certificate email field which is used for auth, another '[email protected]' goes from
user name field from Thunderbird server settings.
Maybe the problem is in the mail client configuration?
Anyway I do not want to provide for users Admins certificate and password!
Is it possible to configure MMP authorization using user's SSL certificate?
indicates that the value of the MMP's StoreAdmin setting is something other than '[email protected]', so the request for proxy authentication is denied.
It seems odd that the authentication id and the authorization id is identical in this case, but I'd have to see the actual AUTH EXTERNAL protocol as well as your StoreAdmin setting to explain further.
How can I get AUTH EXTERNAL protocol?

Similar Messages

  • Lowest cost SSL accelerator for HTTPS client certificate auth testing

    Hi,
    I need to test some https connections that use client certificate authentication and need a low cost ebay-purchasable cisco ssl box (I think).
    My understanding is that some Cisco products can terminate https connections (once client cert auth is successful) and then pass on the http connection with a cookie value set with the Subject DN information from the client certificate - correct me if I'm wrong :).
    So any suitable kit for this?
    Thanks,
    Marc.

    Hi Oliver,
    Have a look at this http://forum.java.sun.com/thread.jsp?forum=2&thread=258908
    You may find the answer to your question there.
    Majid.

  • How can I prevent client certificate information from being written to kjs log?

    I have an application running on iPlanet Application server 6.0 that makes an SSL connection to an external site using client certificate. Problem: Every time the connection is wrapped in a client certificate, the entire SSL handshake including the key-exchange information is automatically being logged in the kjs log. How do I prevent the kjs from writing this information to the log?

    How are you making this SSL connection? Whatever library you are using must be writing to System.out().
    You could avoid logging these messages by using file logs rather than console logs. But you could probably disable these messages by working with your SSL libraries as well.

  • Client-Auth reports: HTTP4030: Timeout while waiting for client certificate

    Hello,
    I'm having problems with the certificate authentication in my Sun Java System Web Server Enterprise Edition 6.1: I have created an ACL in the SJWS that asks for a client certificate when the user goes to a specific URI:
    acl "uri=/server1/myaction.do";
    authenticate (user) {
    method="ssl";
    };
    deny (all)
    user = "admin";
    It works great and, when the user goes to "/server1/myaction.do" (we are using Internet Explorer 7 as Web browser), the window for selecting the client certificate appears:
    - If the user selects a certificate that doesn't require password, everything works fine.
    - The problem comes when the certificate is configured in Internet Explorer for asking for a password every time it is accessed. Once the user has selected the password protected certificate, the window for typing the password appears, but if the user doesn't type it and click OK IN LESS THAN 5 SECONDS (I've timed it), the following messages appear in the SJWS logs:
    [28/Nov/2007:09:25:05] failure ( 2055): for host 10.0.145.11 trying to GET /server1/myaction.do, Client-Auth reports: HTTP4030: Timeout while waiting for client certificate.
    [28/Nov/2007:09:25:05] security ( 2055): HTTP4290: get_auth_user_ssl: client passed no certificate.
    I tried to add the following two lines to the magnus.conf file of the SJWS, but nothing changed:
    SSLClientAuthTimeout 240
    AcceptTimeout 3600
    Has anyone experienced something similar? Any little piece of advice would be greatly appreciated.
    Thank you very much in advance,
    Carlos.

    This is fixed in Web Server 7.0 update 2. Please migrate/upgrade to Web Server 7.0 update 2. Sorry for the inconvenience.

  • SOAP Receiver Adapter problem (client certificate required)

    My Scenario is similar to described in https://www.sdn.sap.com/irj/sdn/weblogs?blog=/pub/wlg/3721. [original link is broken] I have two PI servers running on one machine. I am trying to post message HTTPS with Client authentication via SOAP adapter from one PI system to SOAP adapter of other PI server. I have done the following configuration.
    PI Server AXD - (Client) - Receiver SOAP adapter
    PI Server AXQ - (Server) - Sender SOAP Adapter.
    Steps in AXD
    1. I have created a certificate of AXD in the service_ssl view of key storage.
    2. I have imported the AXQ public certificate in to AXD in the TrustedCAs of Key storage
    Steps in AXQ
    1. I have created a certificate of AXQ in the service_ssl view of key storage.
    2. I have imported the AXD public certificate in to AXQ in the TrustedCAs of Key storage.
    3. I have created a user in AXQ and assigned the certificate of AXD under user management in Security provider to this user.
    4. I have added the AXD certificate under Client Authentication tab with require client certificate option checked in the SSL Provider.
    5. I have assigned the user created in AXQ in the step above to the Sender Agreement.
    Now when I post message from AXD with Configure Client Authentication checked (Here I have selected the certificate of AXD and view as service_ssl) I am getting the following error.
    Exception caught by adapter framework: SOAP: response message contains an error XIServer/UNKNOWN/ADAPTER.JAVA_EXCEPTION - java.security.AccessControlException: client certificate required at com.sap.aii.af.mp.soap.ejb.XISOAPAdapterBean.process(XISOAPAdapterBean.java:884) at com.sap.aii.af.mp.module.ModuleLocalLocalObjectImpl0_3
    Any pointer to solve this problem is highly appreciated.
    Thanks
    Abinash

    Hi Hemant,
    I have couple of questions. Why do we need to import certificate for SOAP WS-Security and from where I can get it?
    As far as my scenario goes I am not using message level security.
    Secondly what do you mean by TRUSTED/WebServiceSecurity? I don't see any such view inside the Key Storage.  I can see a view named just WebServiceSecuity though.
    Also I don't have a decentralized adapter installation rather I have two separate PI instances having their own central adapter engine.
    Abinash

  • Problem with Require Client Certificate on on IPlanet 6.0 server

    I installed client certificate. When I connect to the server using browser, I get following error........
    You are not authorized to view this page
    You might not have permission to view this directory or page using the credentials you supplied.
    How can I run the server in Verbose mode and see exactly why this error.
    Default error file does not have any information about this rejection.
    Thanks
    Krishna

    The message is cut and paste of what client (IE) shows on the browser.
    But the Server does not show anything in its log. I don't see any activity. I have Log Verbose On.
    If I change the client certificate on to off it works fine.
    The problem is only when the client certificate is on.
    The client certificate is created using Iplanet Certificate Server as well the server certificate also generated using Iplanet Certificate Server.
    In this case I am not trying to authenticate user in the client certificate just the client certificate is valid or not.
    Thanks for the reply.
    Regards
    Krishna

  • Problem using multiple Client Certificates

    Hi folks, I had (mistakenly) posted an earlier version of this question to the crypto forum.
    My problem is that I have multiple client certs in my keystore, but only one is being used as the selected certificate for client authentication for all connections. So, one connection works fine, the rest fail because the server doesn't like the client cert being presented.
    I have been trying to get the JSSE to select the proper client certificate by making use of the chooseClientAlias method. (init the SSL context with a custom key manager that extends X509ExtendedKeyManager and implements the inherited abstract method X509KeyManager.chooseClientAlias(String[], Principal[], Socket))
    But, still no luck.. the JSSE is not calling in to the my version of chooseClientAlias, and it just keeps presenting the same client certificate.
    No clue why, any thoughts on how to get the JSSE to call my version of chooseClientAlias?
    Thanks!
    // Client side: build an SSLContext with the custom key manager and use its socket factory for the HTTPS connection.
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(createCustomKeyManagers(Keystore, KeystorePassword),
                createCustomTrustManagers(Keystore, KeystorePassword), null);
    SSLSocketFactory factory = sslContext.getSocketFactory();
    URL url = new URL(urlString);
    URLConnection conn = url.openConnection();
    HttpsURLConnection urlConn = (HttpsURLConnection) conn;
    urlConn.setSSLSocketFactory(factory);
    BufferedReader rd = new BufferedReader(new InputStreamReader(urlConn.getInputStream()));
    String line;
    while ((line = rd.readLine()) != null) {
        System.out.println(line);
    }

    // Custom key manager (constructor and the remaining key manager methods are not shown in the post).
    public class CustomKeyManager extends X509ExtendedKeyManager {
        private X509ExtendedKeyManager defaultKeyManager;
        private Properties serverMap;

        // Pick the alias mapped to the remote host name, otherwise defer to the default key manager.
        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            SocketAddress socketAddress = socket.getRemoteSocketAddress();
            String hostName = ((InetSocketAddress) socketAddress).getHostName().toUpperCase();
            String alias = null;
            if (serverMap.containsKey(hostName)) {
                alias = serverMap.getProperty(hostName.toUpperCase());
                if (alias != null && alias.length() == 0) {
                    alias = null;
                }
            } else {
                alias = defaultKeyManager.chooseClientAlias(keyType, issuers, socket);
            }
            return alias;
        }
    }

    Topic was correctly answered by ejp in the crypto forum..
    namely: javax.net.ssl.X509KeyManager.chooseClientAlias() is called if there was an incoming CertificateRequest, according to the JSSE source code. If there's an SSLEngine it calls javax.net.ssl.X509ExtendedKeyManager.chooseEngineClientAlias() instead.*
    You can create your own SSLContext with your own X509KeyManager, get its socketFactory, and set that as the socket factory for HttpsURLConnection.*
    Edited by: wick123 on Mar 5, 2008 10:26 AM
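
The two call paths named in the answer above, as an added example (not code from the thread or from the JSSE sources): a key manager that selects the alias per remote host on both the socket path and the SSLEngine path. The class name, host names, aliases and the stub delegate in `main` are constructed for illustration.

```java
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

public class HostAliasKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;          // normally obtained from a KeyManagerFactory
    private final Map<String, String> aliasByHost;  // UPPER-CASE host name -> keystore alias

    public HostAliasKeyManager(X509KeyManager delegate, Map<String, String> aliasByHost) {
        this.delegate = delegate;
        this.aliasByHost = aliasByHost;
    }

    // Mapped alias for the host, or null when the host is unmapped or the alias
    // has no certificate chain in the keystore. The server's keyType/issuers hints
    // are not checked here; a mapped certificate from another CA is still rejected
    // by the server.
    private String mappedAlias(String host) {
        if (host == null) return null;
        String alias = aliasByHost.get(host.toUpperCase(Locale.ROOT));
        if (alias == null || alias.isEmpty()) return null;
        return delegate.getCertificateChain(alias) != null ? alias : null;
    }

    @Override // socket path: invoked after the server sends a CertificateRequest
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        String host = null;
        if (socket != null && socket.getRemoteSocketAddress() instanceof InetSocketAddress) {
            // getHostString() returns the name used to connect, without a reverse DNS lookup
            host = ((InetSocketAddress) socket.getRemoteSocketAddress()).getHostString();
        }
        String alias = mappedAlias(host);
        return alias != null ? alias : delegate.chooseClientAlias(keyType, issuers, socket);
    }

    @Override // SSLEngine path: used instead of chooseClientAlias when an SSLEngine drives the handshake
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        String alias = mappedAlias(engine == null ? null : engine.getPeerHost());
        if (alias != null) return alias;
        if (delegate instanceof X509ExtendedKeyManager) {
            return ((X509ExtendedKeyManager) delegate).chooseEngineClientAlias(keyType, issuers, engine);
        }
        return delegate.chooseClientAlias(keyType, issuers, null);
    }

    // Everything else is passed straight through to the wrapped key manager.
    @Override public String[] getClientAliases(String t, Principal[] i) { return delegate.getClientAliases(t, i); }
    @Override public String[] getServerAliases(String t, Principal[] i) { return delegate.getServerAliases(t, i); }
    @Override public String chooseServerAlias(String t, Principal[] i, Socket s) { return delegate.chooseServerAlias(t, i, s); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    // Wrap the X509 key managers produced by a KeyManagerFactory before SSLContext.init().
    public static KeyManager[] wrap(KeyManager[] kms, Map<String, String> aliasByHost) {
        KeyManager[] out = kms.clone();
        for (int i = 0; i < out.length; i++) {
            if (out[i] instanceof X509KeyManager) {
                out[i] = new HostAliasKeyManager((X509KeyManager) out[i], aliasByHost);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stub standing in for a keystore that holds two aliases.
        X509KeyManager stub = new X509KeyManager() {
            public String[] getClientAliases(String t, Principal[] i) { return new String[] {"default", "partner-a"}; }
            public String chooseClientAlias(String[] t, Principal[] i, Socket s) { return "default"; }
            public String[] getServerAliases(String t, Principal[] i) { return null; }
            public String chooseServerAlias(String t, Principal[] i, Socket s) { return null; }
            public X509Certificate[] getCertificateChain(String a) {
                return a.equals("default") || a.equals("partner-a") ? new X509Certificate[0] : null;
            }
            public PrivateKey getPrivateKey(String a) { return null; }
        };
        // Constructed mapping: one host with a usable alias, one pointing at an alias that does not exist.
        HostAliasKeyManager km = new HostAliasKeyManager(stub,
                Map.of("A.EXAMPLE.TEST", "partner-a", "B.EXAMPLE.TEST", "missing"));

        // Unconnected socket that only reports a remote address, enough for alias selection.
        Socket toA = new Socket() {
            @Override public SocketAddress getRemoteSocketAddress() {
                return InetSocketAddress.createUnresolved("a.example.test", 443);
            }
        };
        String[] rsa = {"RSA"};
        System.out.println("socket a: " + km.chooseClientAlias(rsa, null, toA));

        SSLContext ctx = SSLContext.getDefault();
        System.out.println("engine a: "
                + km.chooseEngineClientAlias(rsa, null, ctx.createSSLEngine("a.example.test", 443)));
        // Mapped alias is absent from the keystore, so selection falls back to the delegate.
        System.out.println("engine b: "
                + km.chooseEngineClientAlias(rsa, null, ctx.createSSLEngine("b.example.test", 443)));
    }
}
```

In real use, pass `HostAliasKeyManager.wrap(kmf.getKeyManagers(), map)` as the first argument of `SSLContext.init()` and set the resulting socket factory on the `HttpsURLConnection`.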

  • Problem with client certificate based authentication

    Hello.
    We are developing an AIR application that uses client
    certificates for authentication. We have written a simple test case
    to show the problem.
    <?xml version="1.0" encoding="utf-8"?>
    <mx:WindowedApplication xmlns:mx="http://www.adobe.com/2006/mxml"
    layout="absolute">
    <mx:Script>
    <![CDATA[
    import mx.controls.Alert;
    private function responseHandler(): void {
    Alert.show("Response received");
    }
    ]]>
    </mx:Script>
    <mx:HTTPService id="exampleService"
    url="https://www1.aeat.es/pymes1/pacargoi.html"
    showBusyCursor="true"
    result="responseHandler()">
    </mx:HTTPService>
    <mx:Button label="Send"
    click="exampleService.send()"/>
    </mx:WindowedApplication>
    When we click on the button, it sends the request to the
    protected page and then (if you have CA emitted certificates) the
    dialog appears requesting the client certificate. And it works
    fine.
    But next time we click on the button, the dialog requesting
    the client certificate appears again.
    Is there a way to stop showing the dialog every time?
    Any help would be very appreciated.
    Thanks a lot for your support.
    Paco.

    I have just sent a Feature Request/Bug Report with the
    following text:
    "We are experiencing a problem using AIR with a server that
    requires authentication via client certificate.
    The dialog for selecting the client certificate appears every
    time that the AIR application interacts with the server (not only
    the first time).
    Steps to reproduce bug:
    1. Install Apache HTTP Server with SSL and require client
    certificate in order to authenticate.
    2. Develop an AIR Application that connects to this server
    (HTTPService or RemoteObject have been tested with the same
    result).
    3. Every time that the AIR application connect to the
    server, the dialog appears in order the user to select the client
    certificate.
    Results: This makes the AIR application unusable.
    Expected results: The dialog requesting the client
    certificate should appear the first time only."
    Thanks,
    Paco.

  • ISE Problem: EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain

    Hello, I'm stuck with this problem for 3 weeks now.
    I'm not able to configure the EAP-TLS authentication.
    In the "Certificate Store" of the ISE server I have installed the Root, policy and the Issuing certificates as "trust for client authentication", and in the Local store I have a certificate issued by the same issuing authority which signs the client ones.
    The ISE's certificate has been issued with the "server Authentication certificate" template.
    The clients have installed the certificates and also the certificate chain.
    When I try to authenticate the wireless clients I always get the same error: "Authentication failed : 12514 EAP-TLS failed SSL/TLS handshake because of an unknown CA in the client certificates chain"
    and "OpenSSLErrorMessage=SSL alert
    code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error self-signed certificate in chain",OpenSSLErrorStack=  1208556432:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2720"
    I don't know what else can I do.
    Thank you
    Jorge

    Hi Rik,
    the Below are the certificate details
    ISE Certificate Signed by XX-CA-PROC-06
    User PKI Signed by XX-CA-OTHER-08
    In ISE certificate Store i have the below certificates
    XX-CA-OTHER-08 signed by XX-CA-ROOT-04
    XX-CA-PROC-06 signed by XX-CA-ROOT-04
    XX-CA-ROOT-04 signed by XX-CA-ROOT-04
    ISE certificate signed by XX-CA-PROC-06
    I have enabled - 'Trust for client authentication' on all three certificates
    this is unchecked - 'Enable Validation of Certificate Extensions (accept only valid certificate)'
    when i check the certificates of current user in the Client PC this is how it shows.
    XX-CA-ROOT-04 is listed in Trusted root Certification Authority
    and XX-CA-PROC-06 and XX-CA-OTHER-08  are in Intermediate Certificate Authorities

  • Safari client certificate problem w/ Canada Post website

    I am using OSX 10.8.5 and Safari 6.1.1
    I'm trying to use the Canada Post website for online shipping (ship-in-a-click) via the site:
    http://www.canadapost.ca/personal/tools/cst/intro-e.asp
    When I choose my option (in this case INTERNATIONAL) a pop-up opens asking to select a client certificate. A list of five certificates, which are all apparently valid and not expired, is given. No matter which certificate I select I cannot get past this pop up window. It just pops back up again.
    The certificates are all in the form:
    com.apple.idms.appleid.prd. then a very lengthy alpha numeric string
    From what I have read with certificate problems you can just delete them and next time you visit the site will ask you to select a new one. However, in this case, with all the certificates seemingly being valid, I don't think that will be the solution. Although, I am a complete novice when it comes to these issues.
    Can anybody suggest something other than using Firefox/Chrome etc. although if that is the ONLY choice then so be it. But surely this can be solved within Safari, no? The rest of the Canada Post site seems to behave OK with Safari.
    Thank you.

    Neither.  I am on Mavericks and it shows the exact same issue, so it neither fixes the problem nor introduces new ones, at least with my site.
    I also noticed that it is somewhat based on the location (IP) of the server because on my local laptop (During development) and on our QA server would try and send a certificate that it should not send.  HOWEVER once we implemented the SSL client certificate on our production server it would no longer send the certificate.  I have no idea why and speculate that it is because our production server has a public IP.
    If you want you can use my site and see if the problem persists for you there (http://whf.to); however given the seemingly random way Safari decides to send certificates you may or may not see the issue.  If Safari does indeed send a certificate you should get an error page that details what happened (in somewhat lay-terms).
    Sorry that Mavericks doesn't fix the issue for you.

  • SSL client certificate problem with exchange owa

    Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
    When I try to log on to the server, I now get a Safari warning telling me that the website requests a client certificate and prompts me to choose one.
    Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
    I cannot get through this dialog because it seems I do not have the required certificate.
    What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
    I do not understand what mobileme has to do with this exchange server at all.
    What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
    Can anybody point in the right direction please ?
    For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definitely not on all 4 at the same time....
    Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

  • Problem in reading client certificate

    Hi,
    I am developing an web app. where client will use smart card for authentication.
    And server will read the clients certificate. All the application will run in https.
    So please guide me to develop such a system. I am using tomcat 6x and have created a server certificate by keytool.
    I am not using openssl.
    Please help me....
    Thanx in advance.

    hi
    when you pass the manual entry posting date will be 31.03.2009 and period will be 13 because when we close the year still open 4 special period to post further entries.
    Regards
    Tanmoy

  • Auth via client SSL cert problem

    web server:iPlanet-WebServer-Enterprise/6.0SP2 B11/13/2001 00:49
    Am trying to setup ACL's to allow only certain clients access to web server via client side certificates.
    The LDAP entry does NOT have a "uid" attribute for the user's entry.
    Snooping show me that the LDAP server is returning the correct LDAP entry. Web server says "get_auth_user_ssl: unable to map cert to LDAP entry. Reason: ldap entry is missing the 'uid' attribute value"
    ACL files looks like
    version 3.0;
    acl "default";
    authenticate (user, group) {
    prompt = "foobar";
    method = "ssl";
    };
    allow (read, list, execute,info) user = "*happy*" ;
    allow (write, delete) user = "all";
    Client cert CN looks like
    CN=happy.fmr.com test happy.fmr.com, OU=B2B, OU=Applications, O=FMR Corp., C=US
    Any suggestions on how to allow only a user whose client CN contains a certain word? Also any way to increase the debug level in the error logs? I know 6.1 can do more but we are limited to using 6.0
    Thanks
    Ashish

    Hi Faisal -- thanks for your reply. We had an offline chat where you said:
    >>>>>>>>
    These are the steps that u can follow
    Configure Weblogic Server for 2-way SSL
    mydomain> Servers> myserver>Keystores & SSL > Advanced Options
    Hostname Verification: None
    Two Way Client Cert Behavior: Client Certs Requested but not enforced
    mydomain> Domain Wide Security Settings> Realms> myrealm> Authentication Providers> DefaultIdentityAsserter
    Trusted Client Principals: provide CN of the Client Certificate
    Types: X509
    Details:
    Use Default User Name Mapper: Checked
    Default User Name Mapper Attribute Type: CN
    Base64Decoding Required: Checked
    Go to the security realm and create a user with the username as CN of the certificate
    Don't forget to import the client cert's root CA in the trust store of WLS.
    If you still face issues, enable SSL Debug, securityATN debug and mail me the log file.
    <<<<<<
    I think there are a few minor config differences and I may have a different version of WLS to you -- the DefaultIdentityAsserter did not contain some of the fields you refer to. Instead I have an LDAPX509IdentityAsserter at the top of the Providers list, and I have made the changes there. My Providers list is:
    - LDAPX509IdentityAsserter
    - ActiveDirectory
    - DefaultAuthenticator
    - DefaultIdentityAsserter
    I suspect you might be thinking I don't have two-way SSL working at all, but I do, and that's not my question. I can successfully validate a client based on SSL certificate so all the trust stores etc are correct. My question is what happens when there is no client certificate presented by the client -- I want it to fall through to Basic authentication. The ActiveDirectory provider has a Control Flag="SUFFICIENT" setting and I was expecting the X.509 one to have a similar flag, but it doesn't. What controls whether the X.509 provider is REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL in the chain, like the Active Directory one?
    Thanks for your time.
    -- Ben.

  • Client-cert auth impl in web.xml does not work in Oracle Application Server

    Hi,
    I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
    My server details are:
    Oracle Application Server 10g Release 2 (10.1.2)
    Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
    I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WSCollection</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
    </login-config>
    It is not working as expected, though I have restarted my oc4j container after including this content to the web.xml file. i.e., I am able to invoke the web service through my sample java client program, though I do not have client certificate/keystore.
    I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
    Thanks,
    Ms

    I am having the same problem with doc and xsl. I have added this
    <mime-mapping>
    <extension>xls</extension>
    <mime-type>application/vnd.ms-excel</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>doc</extension>
    <mime-type>application/msword</mime-type>
    </mime-mapping>
    to my web.xml. I even restarted the server. I still see doc and xsl in binary.
    Is there some other setting that needs to take place?
    I am using WL6.1 with fixpack 1.
    I can see the doc and excel files in the browser if I don't go through the weblogic
    server. That just confirms it's not my browser.
    Kumar Allamraju <[email protected]> wrote:
    It works fine for me in 6.1 SP1.
    If the following doesn't work, can you
    try application/winword instead of application/msword?
    --
    Kumar
    Siming Mu wrote:
    Hi,
    I setup in my web.xml a mime mapping as follows,
    <mime-mapping>
    <extension>doc</extension><mime-type>application/msword</mime-type>
    </mime-mapping>
    When I specify a test.doc url, the doc file appears in my browser as binary data
    instead of download.
    Please reference change request 055002, which describes this problem. According
    to edocs, it has been fixed in wls6.1sp1.
    But I am seeing it fixed.  Am I doing anything wrong? Thanks.
    Siming

  • CLIENT-CERT - UserNameMapper problem

    Hi,
    I have a client, which sends a soap-message, containing a username, to a
    webservice, that responds with "hello, <username>". The communication
    is over ssl. The webservice is running in a weblogic server 7.0 sp1.
    I have 2-way ssl working. Now I'm trying to restrict access to the
    web-service.
    I changed the web.xml of the web-service to require BASIC as
    auth-method. This works fine.
    Then I changed BASIC to CLIENT-CERT in the web.xml.
    I changed the active type of the defaultIdentityAsserter to X.509.
    I implemented a UserNameMapper class, which prints data of the presented
    certificate, and returns a username, that exists in the
    embedded-ldap-realm of weblogic server, and that has the right to
    execute the webservice (it works with BASIC auth).
    I put the name of the UserNameMapper class in the
    defaultIdentityAsserter, and I included it in my classpath.
    The UserNameMapper is working, because the data of the certificate is
    printed on stdout. But I get a 401 (Unauthorized)-error code when trying
    to access the web-service.
    Can someone give me a hint on what I'm missing?
    Thanks,
    Noella
    ************* code of UserNameMapper *********************
    import java.security.cert.*;

    public class VZNUserNameMapper implements
    weblogic.security.providers.authentication.UserNameMapper {
        public VZNUserNameMapper() {
        }

        // Prints the subject DN of the presented certificate and maps every certificate to one fixed user.
        public String mapCertificateToUserName(X509Certificate[] certs,
        boolean ssl) {
            System.out.println(certs[0].getSubjectDN().toString());
            return "noella";
        }

        public String mapDistinguishedNameToUserName(byte[]
        distinguishedName) {
            return null;
        }
    }

    Thanks it worked. Somehow I missed in documentation this x.509 setting.
    I've also had a problem with setting "Client Certificate Requested But Not Enforced"
    in WLS 7.0.0 but it seems to be working fine in SP1.
    Thanks again
    Greg
    "kirann" <[email protected]> wrote:
    hi,
    I believe you need to turn on x.509 Identity Assertion in the server
    console..
    Please check the documention.
    thanks
    kiran
    "Greg" <[email protected]> wrote in message
    news:3e243a25$[email protected]..
    Hi!
    I'm trying to set up my web application to use client-cert
    authentication. I've set in web.xml login config to
    <auth-method>CLIENT-CERT</auth-method>. When I'm accessing my
    application I'm always getting 401 Unauthorized. If I set
    login to BASIC, browser pops up login dialog and everything works
    fine.
    I've done following:
    - created and installed in WLS trusted CA certificate
    - created and installed client certificate signed by that CA in
    IE 5.5
    - configured WLS to use ssl and set "Client Certificate Enforced"
    - managed to connect to document root or console application
    using https://localhost:7002/console and verified that actually client
    certificate
    is used (not able to connect without one)
    Now I'm really stuck and have no ideas.
    Please help. Thanks in advance.
    Greg
