Re: Client certificate private key prompt
From: Berndt Johansson (berndt.johansson_at_removenospamom.com)
Date: 06/16/04
Date: Wed, 16 Jun 2004 14:39:32 +0200
Hi Peter,
Just tried to run the test application against a WebService on an IIS 6
server (on Windows 2003 Server). That worked fine. When looking at the
network traffic using Ethereal there is a difference in behaviour with
regards to the connection. IIS 5 closes the connection whereas IIS 6
maintains the connection. Don't you think that this is the reason for the double
prompting? But what is the difference between my setup and yours?
My configuration is XP Pro SP1, IIS 5, VS.NET 2003, .NET FX 1.1. I am
running both the IIS server and the client application on my developer
machine. When I tried the IIS 6 I copied the WebService application to a
Windows Server 2003 server without the Header manually added to the request.
Below is an excerpt from the Ethereal result. Sorry for the big post...
Frame 34 will be closing the connection. This is not happening on IIS 6.
Do you think that it is a good idea to keep posting this or should we use
emails instead?
/Berndt
No. Time Source Destination Protocol
Info Port
1 0.000000 10.112.136.88 10.112.136.127 NETLOGON SAM
LOGON request from client netbios-dgm
No. Time Source Destination Protocol
Info Port
33 6.095175 10.112.136.76 10.112.136.157 TCP
2954 > https [ACK] Seq=1621 Ack=9979 Win=65239 Len=0 https
Frame 33 (54 bytes on wire, 54 bytes captured)
Arrival Time: Jun 16, 2004 10:19:23.361175000
Time delta from previous packet: 0.000014000 seconds
Time since reference or first frame: 6.095175000 seconds
Frame Number: 33
Packet Length: 54 bytes
Capture Length: 54 bytes
Ethernet II, Src: 00:08:02:b7:9a:dd, Dst: 00:0e:83:55:ef:00
Destination: 00:0e:83:55:ef:00 (Cisco_55:ef:00)
Source: 00:08:02:b7:9a:dd (CompaqCo_b7:9a:dd)
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.112.136.76 (10.112.136.76), Dst Addr:
10.112.136.157 (10.112.136.157)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x7d7b (32123)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x578b (correct)
Source: 10.112.136.76 (10.112.136.76)
Destination: 10.112.136.157 (10.112.136.157)
Transmission Control Protocol, Src Port: 2954 (2954), Dst Port: https (443),
Seq: 1621, Ack: 9979, Len: 0
Source port: 2954 (2954)
Destination port: https (443)
Sequence number: 1621 (relative sequence number)
Acknowledgement number: 9979 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65239
Checksum: 0xac34 (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 32
The RTT to ACK the segment was: 0.000014000 seconds
No. Time Source Destination Protocol
Info Port
34 6.095184 10.112.136.157 10.112.136.76 TCP
https > 2954 [FIN, ACK] Seq=9979 Ack=1621 Win=64512 Len=0 2954
LOOK HERE!!!
Frame 34 (60 bytes on wire, 60 bytes captured)
Arrival Time: Jun 16, 2004 10:19:23.361184000
Time delta from previous packet: 0.000009000 seconds
Time since reference or first frame: 6.095184000 seconds
Frame Number: 34
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II, Src: 00:0e:83:55:ef:00, Dst: 00:08:02:b7:9a:dd
Destination: 00:08:02:b7:9a:dd (CompaqCo_b7:9a:dd)
Source: 00:0e:83:55:ef:00 (Cisco_55:ef:00)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src Addr: 10.112.136.157 (10.112.136.157), Dst Addr:
10.112.136.76 (10.112.136.76)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x284b (10315)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 126
Protocol: TCP (0x06)
Header checksum: 0xaebb (correct)
Source: 10.112.136.157 (10.112.136.157)
Destination: 10.112.136.76 (10.112.136.76)
Transmission Control Protocol, Src Port: https (443), Dst Port: 2954 (2954),
Seq: 9979, Ack: 1621, Len: 0
Source port: https (443)
Destination port: 2954 (2954)
Sequence number: 9979 (relative sequence number)
Acknowledgement number: 1621 (relative ack number)
Header length: 20 bytes
Flags: 0x0011 (FIN, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...1 = Fin: Set
Window size: 64512
Checksum: 0xaf0a (correct)
No. Time Source Destination Protocol
Info Port
35 6.095195 10.112.136.76 10.112.136.157 TCP
2954 > https [ACK] Seq=1621 Ack=9980 Win=65239 Len=0 https
Frame 35 (54 bytes on wire, 54 bytes captured)
Arrival Time: Jun 16, 2004 10:19:23.361195000
Time delta from previous packet: 0.000011000 seconds
Time since reference or first frame: 6.095195000 seconds
Frame Number: 35
Packet Length: 54 bytes
Capture Length: 54 bytes
Ethernet II, Src: 00:08:02:b7:9a:dd, Dst: 00:0e:83:55:ef:00
Destination: 00:0e:83:55:ef:00 (Cisco_55:ef:00)
Source: 00:08:02:b7:9a:dd (CompaqCo_b7:9a:dd)
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.112.136.76 (10.112.136.76), Dst Addr:
10.112.136.157 (10.112.136.157)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x7d7c (32124)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x578a (correct)
Source: 10.112.136.76 (10.112.136.76)
Destination: 10.112.136.157 (10.112.136.157)
Transmission Control Protocol, Src Port: 2954 (2954), Dst Port: https (443),
Seq: 1621, Ack: 9980, Len: 0
Source port: 2954 (2954)
Destination port: https (443)
Sequence number: 1621 (relative sequence number)
Acknowledgement number: 9980 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 65239
Checksum: 0xac33 (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 34
The RTT to ACK the segment was: 0.000011000 seconds
No. Time Source Destination Protocol
Info Port
36 6.099015 Cisco_55:ef:20 Spanning-tree-(for-bridges)_00 STP
Conf. Root = 32778/00:0e:83:55:ef:00 Cost = 0 Port = 0x8020
Frame 36 (60 bytes on wire, 60 bytes captured)
Arrival Time: Jun 16, 2004 10:19:23.365015000
Time delta from previous packet: 0.003820000 seconds
Time since reference or first frame: 6.099015000 seconds
Frame Number: 36
Packet Length: 60 bytes
Capture Length: 60 bytes
IEEE 802.3 Ethernet
Destination: 01:80:c2:00:00:00 (Spanning-tree-(for-bridges)_00)
Source: 00:0e:83:55:ef:20 (Cisco_55:ef:20)
Length: 38
Trailer: 0000000000000000
Logical-Link Control
DSAP: Spanning Tree BPDU (0x42)
IG Bit: Individual
SSAP: Spanning Tree BPDU (0x42)
CR Bit: Command
Control field: U, func=UI (0x03)
000. 00.. = Command: Unnumbered Information (0x00)
.... ..11 = Frame type: Unnumbered frame (0x03)
Spanning Tree Protocol
Protocol Identifier: Spanning Tree Protocol (0x0000)
Protocol Version Identifier: Spanning Tree (0)
BPDU Type: Configuration (0x00)
BPDU flags: 0x00
0... .... = Topology Change Acknowledgment: No
.... ...0 = Topology Change: No
Root Identifier: 32778 / 00:0e:83:55:ef:00
Root Path Cost: 0
Bridge Identifier: 32778 / 00:0e:83:55:ef:00
Port identifier: 0x8020
Message Age: 0
Max Age: 20
Hello Time: 2
Forward Delay: 15
No. Time Source Destination Protocol
Info Port
37 6.104466 10.112.136.76 10.112.136.157 TCP
2954 > https [FIN, ACK] Seq=1621 Ack=9980 Win=65239 Len=0 https
Frame 37 (54 bytes on wire, 54 bytes captured)
Arrival Time: Jun 16, 2004 10:19:23.370466000
Time delta from previous packet: 0.009271000 seconds
Time since reference or first frame: 6.104466000 seconds
Frame Number: 37
Packet Length: 54 bytes
Capture Length: 54 bytes
Ethernet II, Src: 00:08:02:b7:9a:dd, Dst: 00:0e:83:55:ef:00
Destination: 00:0e:83:55:ef:00 (Cisco_55:ef:00)
Source: 00:08:02:b7:9a:dd (CompaqCo_b7:9a:dd)
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.112.136.76 (10.112.136.76), Dst Addr:
10.112.136.157 (10.112.136.157)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x7d7d (32125)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x5789 (correct)
Source: 10.112.136.76 (10.112.136.76)
Destination: 10.112.136.157 (10.112.136.157)
Transmission Control Protocol, Src Port: 2954 (2954), Dst Port: https (443),
Seq: 1621, Ack: 9980, Len: 0
Source port: 2954 (2954)
Destination port: https (443)
Sequence number: 1621 (relative sequence number)
Acknowledgement number: 9980 (relative ack number)
Header length: 20 bytes
Flags: 0x0011 (FIN, ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...1 = Fin: Set
Window size: 65239
Checksum: 0xac32 (correct)
No. Time Source Destination Protocol
Info Port
38 6.104823 10.112.136.157 10.112.136.76 TCP
https > 2954 [ACK] Seq=9980 Ack=1622 Win=64512 Len=0 2954
Frame 38 (60 bytes on wire, 60 bytes captured)
Arrival Time: Jun 16, 2004 10:19:23.370823000
Time delta from previous packet: 0.000357000 seconds
Time since reference or first frame: 6.104823000 seconds
Frame Number: 38
Packet Length: 60 bytes
Capture Length: 60 bytes
Ethernet II, Src: 00:0e:83:55:ef:00, Dst: 00:08:02:b7:9a:dd
Destination: 00:08:02:b7:9a:dd (CompaqCo_b7:9a:dd)
Source: 00:0e:83:55:ef:00 (Cisco_55:ef:00)
Type: IP (0x0800)
Trailer: 000000000000
Internet Protocol, Src Addr: 10.112.136.157 (10.112.136.157), Dst Addr:
10.112.136.76 (10.112.136.76)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 40
Identification: 0x284c (10316)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 126
Protocol: TCP (0x06)
Header checksum: 0xaeba (correct)
Source: 10.112.136.157 (10.112.136.157)
Destination: 10.112.136.76 (10.112.136.76)
Transmission Control Protocol, Src Port: https (443), Dst Port: 2954 (2954),
Seq: 9980, Ack: 1622, Len: 0
Source port: https (443)
Destination port: 2954 (2954)
Sequence number: 9980 (relative sequence number)
Acknowledgement number: 1622 (relative ack number)
Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 64512
Checksum: 0xaf09 (correct)
SEQ/ACK analysis
This is an ACK to the segment in frame: 37
The RTT to ACK the segment was: 0.000357000 seconds
No. Time Source Destination Protocol
Info Port
39 6.105259 10.112.136.76 10.112.136.157 TCP
2955 > https [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460 https
Frame 39 (62 bytes on wire, 62 bytes captured)
Arrival Time: Jun 16, 2004 10:19:23.371259000
Time delta from previous packet: 0.000436000 seconds
Time since reference or first frame: 6.105259000 seconds
Frame Number: 39
Packet Length: 62 bytes
Capture Length: 62 bytes
Ethernet II, Src: 00:08:02:b7:9a:dd, Dst: 00:0e:83:55:ef:00
Destination: 00:0e:83:55:ef:00 (Cisco_55:ef:00)
Source: 00:08:02:b7:9a:dd (CompaqCo_b7:9a:dd)
Type: IP (0x0800)
Internet Protocol, Src Addr: 10.112.136.76 (10.112.136.76), Dst Addr:
10.112.136.157 (10.112.136.157)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 48
Identification: 0x7d7e (32126)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x5780 (correct)
Source: 10.112.136.76 (10.112.136.76)
Destination: 10.112.136.157 (10.112.136.157)
Transmission Control Protocol, Src Port: 2955 (2955), Dst Port: https (443),
Seq: 0, Ack: 0, Len: 0
Source port: 2955 (2955)
Destination port: https (443)
Sequence number: 0 (relative sequence number)
Header length: 28 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0xde9d (correct)
Options: (8 bytes)
Maximum segment size: 1460 bytes
NOP
NOP
SACK permitted
"Peter Huang" <v-phuang@online.microsoft.com> wrote in message
news:A3a2$F4UEHA.2616@cpmsftngxa10.phx.gbl...
> Hi Berndt,
>
> Can you post the detailed information about your environment so that I can
> reproduce the problem on my side?
> e.g.
> Windows XP+SP1, IIS 5,VS.NET 2003, .NET framework 1.1 and so on.
>
> Best regards,
>
> Peter Huang
> Microsoft Online Partner Support
>
> Get Secure! - www.microsoft.com/security
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
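The check made by eye in the trace above (which side sends the first FIN on the HTTPS connection, and whether the client then opens a new connection to the same server) can be scripted. This is an added example, not part of the original post: the one-line summaries are rejoined from the wrapped Ethereal output above with the trailing port column dropped, and `parse` and `teardown_report` are hypothetical helper names.

```python
import re

# Packet summaries for frames 33-39, rejoined from the wrapped trace in the post.
TRACE = """\
33 6.095175 10.112.136.76 10.112.136.157 TCP 2954 > https [ACK] Seq=1621 Ack=9979 Win=65239 Len=0
34 6.095184 10.112.136.157 10.112.136.76 TCP https > 2954 [FIN, ACK] Seq=9979 Ack=1621 Win=64512 Len=0
35 6.095195 10.112.136.76 10.112.136.157 TCP 2954 > https [ACK] Seq=1621 Ack=9980 Win=65239 Len=0
36 6.099015 Cisco_55:ef:20 Spanning-tree-(for-bridges)_00 STP Conf. Root = 32778/00:0e:83:55:ef:00 Cost = 0 Port = 0x8020
37 6.104466 10.112.136.76 10.112.136.157 TCP 2954 > https [FIN, ACK] Seq=1621 Ack=9980 Win=65239 Len=0
38 6.104823 10.112.136.157 10.112.136.76 TCP https > 2954 [ACK] Seq=9980 Ack=1622 Win=64512 Len=0
39 6.105259 10.112.136.76 10.112.136.157 TCP 2955 > https [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460
"""

SUMMARY = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>[\d.]+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\S+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\]"
)

def parse(trace):
    """Yield one dict per TCP summary line; non-TCP lines (e.g. STP) are skipped."""
    for line in trace.splitlines():
        m = SUMMARY.match(line.strip())
        if m:
            d = m.groupdict()
            d["no"] = int(d["no"])
            d["time"] = float(d["time"])
            d["flags"] = {f.strip() for f in d["flags"].split(",")}
            yield d

def teardown_report(trace, service="https"):
    """For each connection to `service`, record who sent the first FIN/RST,
    and list new client connections (SYN) that follow a server-side close."""
    first_close = {}   # (client_ip, client_port, server_ip) -> (frame_no, side)
    reconnects = []    # (syn_frame, frame_of_server_close) pairs
    for p in parse(trace):
        to_server = p["dport"] == service
        if not to_server and p["sport"] != service:
            continue   # not traffic for the service under inspection
        client_ip, client_port, server_ip = (
            (p["src"], p["sport"], p["dst"]) if to_server else (p["dst"], p["dport"], p["src"]))
        key = (client_ip, client_port, server_ip)
        if p["flags"] & {"FIN", "RST"} and key not in first_close:
            first_close[key] = (p["no"], "client" if to_server else "server")
        elif to_server and p["flags"] == {"SYN"}:
            for (cip, _, sip), (frame, side) in first_close.items():
                if (cip, sip) == (client_ip, server_ip) and side == "server":
                    reconnects.append((p["no"], frame))
    return first_close, reconnects
```

On the excerpt it reports the server-side close at frame 34 and the new client connection from port 2955 at frame 39.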