CAPI 2

Trust

If you activate the <local> setting, make sure all relevant certificates (the issuing CA and any intermediates) are installed in the Local Machine store. Otherwise chain building and revocation checking will fail. Net iD Access relies fully on Microsoft CAPI for all certificate checking. In solutions with many concurrent users, the owner of Net iD Access Server could instead disable the validation and use the PKCS #7 signature in the COMPLETE message to perform validation outside of the IIS environment.

<verify>
  <local>yes</local>
  <ocsp>yes</ocsp>
  <host>yes</host>
  <niv>no</niv>
</verify>
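To check that the Local Machine store really holds everything CAPI needs before enabling <local>, the following added PowerShell example (not part of Net iD Access) builds and revocation-checks a chain in the machine context, which is what an IIS worker process sees. The certificate path is a placeholder you supply; the status names printed are the standard .NET X509ChainStatusFlags values.

```powershell
# Added example: verify that chain building and revocation checking succeed
# in the Local Machine context. Replace the placeholder path with a real .cer file.
param(
    [string]$CertPath = 'C:\path\to\test-certificate.cer'   # placeholder
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# The $true argument selects the machine store context, so certificates that only
# exist in a user's store are ignored, exactly as they would be for w3wp.exe.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

$ok = $chain.Build($cert)

# Print every element of the chain with its per-element status. Typical findings:
#   PartialChain             - an issuer is missing from the Local Machine store
#   RevocationStatusUnknown  - CRL/OCSP could not be evaluated
#   OfflineRevocation        - the CDP/OCSP endpoint was unreachable
foreach ($element in $chain.ChainElements) {
    "{0}" -f $element.Certificate.Subject
    foreach ($status in $element.ChainElementStatus) {
        "    {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
    }
}

if ($ok) {
    "RESULT: chain built and revocation checked successfully"
} else {
    "RESULT: chain validation FAILED"
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}
```

Run it in an elevated session on the Net iD Access Server host with a certificate from the population the server will validate; a PartialChain status points to a certificate that must be imported into Local Machine, while revocation statuses point at CRL/OCSP reachability from the server.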

Events

Use the Event Viewer to make sure that no errors are logged when certificate validation is activated.


Look for events generated by the IIS worker process, shown in the event details as: [ProcessName] w3wp.exe.

Errors may be logged without anything actually being wrong. Always analyze each error to find the real problems.

Disabling the WinHTTP Web Proxy Auto-Discovery Service can avoid errors regarding OCSP/CDP connections.
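Scrolling through Event Viewer by hand does not scale when many validations run per minute, so here is an added PowerShell example (not Net iD's code) that pulls CAPI2 error events caused by w3wp.exe and groups them so recurring patterns stand out from one-off noise. It assumes the CAPI2 Operational log has been enabled (it is off by default) and matches the process name in the event XML, which is where the "[ProcessName] w3wp.exe" detail shown by Event Viewer comes from.

```powershell
# Added example: summarise CAPI2 errors produced by the IIS worker process.
# The CAPI2 Operational log is disabled by default; enable it first (elevated):
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

$logName     = 'Microsoft-Windows-CAPI2/Operational'
$processName = 'w3wp.exe'
$since       = (Get-Date).AddHours(-24)

# Level 2 = Error. SilentlyContinue keeps an empty log from aborting the script.
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 2; StartTime = $since } `
                       -ErrorAction SilentlyContinue

# Keep only events whose XML names our worker process as the originating process.
$pattern = 'ProcessName="' + [regex]::Escape($processName) + '"'
$hits = foreach ($e in $events) {
    if ($e.ToXml() -match $pattern) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Task    = $e.TaskDisplayName
            # First line of the message is usually the failing operation/result text.
            Message = ($e.Message -split "`r?`n")[0]
        }
    }
}

if (-not $hits) {
    "No CAPI2 errors from $processName since $since"
    return
}

# Group by event id and first message line: a handful of groups with high counts
# is a systematic problem (missing CA cert, unreachable CDP/OCSP), scattered
# single entries are more likely the benign errors the documentation warns about.
$hits | Group-Object EventId, Message |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ Name = 'EventId'; Expression = { $_.Group[0].EventId } },
                  @{ Name = 'Task';    Expression = { $_.Group[0].Task } },
                  @{ Name = 'Message'; Expression = { $_.Group[0].Message } },
                  @{ Name = 'Last';    Expression = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize -Wrap
```

Run it after reproducing a login or two; if the same OCSP/CDP retrieval error dominates the table, check network reachability from the server (and the WinHTTP proxy auto-discovery setting mentioned above) before touching the certificate stores.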
