One-to-one client certificate mapping. 401.1 with a sc-win32-status of 2148086018

I’ve seen a few cases like this, so I thought I’d do a post on it.

The scenario is that you would like to set up one-to-one client certificate mapping on IIS.

“One-To-One Mappings <oneToOneMappings>“

https://www.iis.net/ConfigReference/system.webServer/security/authentication/iisClientCertificateMappingAuthentication/oneToOneMappings?showTreeNavigation=true

The post most often referred to on how to do this is the following:

“Configuring One-to-One Client Certificate Mappings“

https://learn.iis.net/page.aspx/478/configuring-one-to-one-client-certificate-mappings

or

https://blogs.iis.net/rlucero/archive/2008/05/23/iis-7-walkthrough-one-to-one-client-certificate-mapping-configuration.aspx

So, you have followed these steps. Then you try to access your site for which you have set this up. And you get:

401 - Unauthorized: Access is denied due to invalid credentials.

You do not have permission to view this directory or page using the credentials that you supplied.

Basically, since we are dealing with encryption here, a single wrong or missing character in the certificate blob string is enough to cause this.

It is easy to accidentally remove one character when concatenating the blob string into one line.

So, have a look at the IIS logs for the failed request and see if there is an entry like this:

<date> <time> <sip> GET /default.aspx - 443 - <cip> <user agent> 401 1 2148086018

So you have a 401.1 with a sc-win32-status of 2148086018.

If this is the case, then you have most likely made a mistake when concatenating the string into a single line.

The first thing to test then is to do the following:

1. Export the client certificate from the client machine again.

2. Concatenate all the lines into a single line of text again.

3. Add this to IIS via Configuration Editor or directly in applicationhost.config (#8 in Step 2 in the walkthrough).
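
As an added example (not part of the walkthrough or of the original post), the following PowerShell does the concatenation from a Base64 export and checks that no character was lost before the blob goes into the mapping. The function names are hypothetical, the file path is a placeholder, and the sample input is a constructed DER structure rather than a real certificate.

```powershell
# Added example; function names are hypothetical, sample data is constructed.
# 2148086018 = 0x80093102, CRYPT_E_ASN1_EOD ("ASN1 unexpected end of data").
function ConvertTo-MappingBlob {
    param([Parameter(Mandatory)][string]$Base64Text)
    # Drop the BEGIN/END lines, then every space, tab, CR and LF.
    ($Base64Text -replace '-----(BEGIN|END) CERTIFICATE-----', '') -replace '\s', ''
}

function Test-MappingBlob {
    param([Parameter(Mandatory)][string]$Blob)
    try { $der = [Convert]::FromBase64String($Blob) }
    catch { return 'Not valid Base64: a character was lost or altered' }
    # A certificate is one DER SEQUENCE: tag 0x30, then a length field that
    # must account for every remaining byte of the blob.
    if ($der.Length -lt 4 -or $der[0] -ne 0x30) { return 'Not a DER SEQUENCE' }
    $pos = 2
    $len = [int]$der[1]
    if ($len -band 0x80) {               # long form: low 7 bits = number of length bytes
        $count = $len -band 0x7F
        $len = 0
        for ($k = 0; $k -lt $count; $k++) { $len = ($len -shl 8) -bor $der[$pos]; $pos++ }
    }
    $expected = $pos + $len
    if ($expected -ne $der.Length) {
        return "Truncated or padded: header declares $expected bytes, blob decodes to $($der.Length)"
    }
    'OK'
}

# Constructed stand-in for an exported .cer: a 304-byte DER SEQUENCE, not a real certificate.
[byte[]]$sample = @(0x30, 0x82, 0x01, 0x2C) + (New-Object byte[] 300)
$export = "-----BEGIN CERTIFICATE-----`r`n" +
          [Convert]::ToBase64String($sample, 'InsertLineBreaks') +
          "`r`n-----END CERTIFICATE-----`r`n"
# For a real export: $export = Get-Content -Raw .\client.cer  (path is a placeholder)

$blob = ConvertTo-MappingBlob $export
"clean blob      : $(Test-MappingBlob $blob)"
"one char lost   : $(Test-MappingBlob ($blob.Remove(100, 1)))"
"four chars lost : $(Test-MappingBlob ($blob.Remove(100, 4)))"
$blob   # single line to paste into the certificate attribute of the mapping
```

A blob that passes this check can still belong to a different certificate than the one the client presents; the check only shows that the string itself is intact.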

Hope this helps.