Re: Client certificate private key prompt
From: Berndt Johansson (berndt.johansson_at_removenospamom.com)
Date: 06/24/04
- Next message: Jon Skeet [C# MVP]: "Re: How to comvert "20030205195847Z" to DateTime"
- Previous message: news.microsoft.com: "ListView header font"
- In reply to: Brian Combs: "Re: Client certificate private key prompt"
- Next in thread: Brian Combs: "Re: Client certificate private key prompt"
- Reply: Brian Combs: "Re: Client certificate private key prompt"
- Messages sorted by: [ date ] [ thread ]
Date: Thu, 24 Jun 2004 08:45:03 +0200
Hi Brian
Thank you for your response. I had a hunch that this was the problem, but
the question still is why Peter was not able to reproduce the behaviour with
the exact same code that I was running (except if I used the extra
authentication header in the initial request). Is there some trick that we
could do to eliminate this problem? Adding the authentication header manually
sure is one, but does it have any other negative effects?
Would upgrading to IIS 6 (W2k3) solve this problem? When I tried to run our
test code on a W2k3 server I didn't get the double prompting. Does this mean
that the SSL channel is kept between the requests in IIS6 and therefore
there is no need to read the private key again from the certificate?
/Berndt
"Brian Combs" <Brian@online.microsoft.com> wrote in message
news:InXJtoVWEHA.2920@cpmsftngxa10.phx.gbl...
> Hello
> Here is how HttpWebRequest works with client certs, SSL, and Basic auth.
> First, when you protect a client cert by installing it with strong private
> key protection and configure it to prompt for each access to the private
> key, then you will get a prompt whenever anything tries to access this private
> key.
>
> Here is what is happening.
> 1. HttpWebRequest sends anonymous request to IIS using SSL
> 2. IIS tells client it needs client cert.
> 3. Client gets and sends client cert. (first prompt as we need to access
> the private key)
> 4. IIS sees that you need to auth to get to the requested resource
> 5. It sends 401 and closes the connection.
> 6. Client sends new request with authorization header to IIS using SSL
> 7. IIS tells client it needs client cert.
> 8. Client gets and sends client cert. (second prompt as we need to access
> the private key)
> 9. IIS authenticates the request and returns the data.
>
> Now if you make new requests and PreAuthenticate is not set to true you
> will get a prompt for each new request. If you set PreAuthenticate to true
> then you will not get prompted after the first two prompts if you are using
> the same connection. If you need to create a new connection then you will
> get a prompt because you must set up a new SSL session for that connection
> which means you need to access the private key.
>
> PreAuthenticate with basic auth works like the following:
> First request goes anonymous
> We get 401 back
> Client then sends next request with credentials.
> If we authenticate then any other request that has PreAuthenticate set to
> true and has the same credentials will send the credentials on the first
> request.
>
> The first request goes anonymous because we don't know if we need to
> authenticate and if so how. So we need to find out first if we can do the
> PreAuthenticate for subsequent requests.
>
> All of this is by design.
>
> Thanks
> Brian [MSFT]
> Microsoft Developer Support
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | From: "Berndt Johansson" <berndt.johansson@removenospamom.com>
> | Subject: Re: Client certificate private key prompt
> | Date: Mon, 21 Jun 2004 22:19:47 +0200
> | Message-ID: <Og2JX08VEHA.2564@TK2MSFTNGP11.phx.gbl>
> | Newsgroups: microsoft.public.dotnet.framework
> |
> | Hi Peter,
> |
> | Thank you. Please let me know if you need any other tests on my side.
> |
> | /Berndt
> |
> | ""Peter Huang"" <v-phuang@online.microsoft.com> wrote in message
> | news:op5bPA2VEHA.2980@cpmsftngxa10.phx.gbl...
> | > Hi Berndt,
> | >
> | > I am sorry for the delay. We are working with another engineer on this
> | > issue; please be patient, and we will update you with new information ASAP.
> | >
> | > Thank you for your understanding.
> | >
> | > Best regards,
> | >
> | > Peter Huang
> | > Microsoft Online Partner Support
> | >
> | > Get Secure! - www.microsoft.com/security
> | > This posting is provided "AS IS" with no warranties, and confers no rights.
> | >
> |
> |
> |
>
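The behaviour Brian describes (one 401 round trip, then PreAuthenticate sending the Authorization header up front on the same connection so the SSL session and the private key are not touched again) can be exercised with the following added example. It is not code from this thread; it assumes .NET 2.0 or later, an IIS URL protected by SSL, a client certificate and Basic authentication, and a client certificate with its private key in the current user's store under the hypothetical subject "CN=example-client".

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example, not from the original thread. URL, subject name and
// credentials are placeholders for a setup like the one discussed above.
static class ClientCertRequests
{
    static X509Certificate2 LoadClientCert(string subjectDn)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true filters out expired/untrusted certs before the
            // private key (and its strong-protection prompt) is ever touched.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectDn, true);
            if (found.Count == 0)
                throw new InvalidOperationException("client certificate not found");
            return found[0];
        }
        finally { store.Close(); }
    }

    static HttpWebRequest Build(Uri url, X509Certificate2 cert, NetworkCredential cred)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.ClientCertificates.Add(cert);
        req.Credentials = cred;
        // After the first 401, later requests with the same credentials carry
        // the Authorization header on the first try, so IIS does not close the
        // connection and no new SSL handshake (and key access) is needed.
        req.PreAuthenticate = true;
        req.KeepAlive = true; // stay on the same connection, same SSL session
        return req;
    }

    static void Main()
    {
        Uri url = new Uri("https://server.example/secure/data.aspx"); // placeholder
        X509Certificate2 cert = LoadClientCert("CN=example-client");   // placeholder
        NetworkCredential cred = new NetworkCredential("user", "password"); // placeholder
        for (int i = 0; i < 3; i++)
        {
            HttpWebRequest req = Build(url, cert, cred);
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                Console.WriteLine("request {0}: {1}", i, resp.StatusCode);
        }
    }
}
```

With strong private key protection enabled you should see the key prompt only during the first two requests of the loop, exactly as the nine-step sequence above predicts; Basic credentials are only base64-encoded, so this pattern belongs on an SSL URL only.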