If you activate the setting <local>, make sure to install all relevant certificates into Local Machine. Otherwise chain building and revocation checking will fail. Net iD Access fully relies on Microsoft CAPI for all certificate checking. In solutions with many concurrent users the owner of Net iD Access Server could disable the validation and instead use the PKCS #7-signature in the COMPLETE-message to do validation outside of the IIS-environment.
<verify> <local>yes</local> <ocsp>yes</ocsp> <host>yes</host> <niv>no</niv> </verify>
Use the Event Viewer to make sure you have no errors if certificate validation is activated.
Look for events generated by: [ProcessName] w3wp.exe.
|Error may occur without anything being wrong. Always analyze each error to find real problems.|
Disabling the WinHTTP Web Proxy Auto-Discovery Service can avoid errors regarding OCSP/CDP connections