Re: Client certificate private key prompt

From: Brian Combs (Brian_at_online.microsoft.com)
Date: 06/24/04


Date: Thu, 24 Jun 2004 22:23:03 GMT

Hello
As you stated, the trick is to add the authentication header manually.
The only issue with this is that you are now in charge of making sure it is
there for each request and that the header is correct. Many folks have used
this when they need to make sure that no request ever goes as anonymous.
Upgrading the client to W2K3 will not solve the two-prompt issue. I tested
my code on W2k3 and I still got the two prompts. However, upgrading your
server to IIS 6.0 may keep the client from giving you two prompts. This is
because IIS 6.0 does not close the connection after the 401 for basic auth
like IIS 5.0 does, which means that if the TCP connection is not closed
then we may be able to keep the same SSL session so we don't need to access
the private key. Remember you may not always have control over how the web
server is configured. The key for the customer to understand is that they
wanted this security, so they should not complain when it works! IE is a
different product and does not share any code base with managed code
classes. So you can't compare how IE works to how managed code classes
work. IE also caches a lot of client info in the process like the private
key for the client cert.

Thanks
Brian [MS]
Microsoft Developer Support
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "Berndt Johansson" <berndt.johansson@removenospamom.com>
| References: <ONvpdCgTEHA.1548@TK2MSFTNGP11.phx.gbl>
<doEgDrrTEHA.2160@cpmsftngxa10.phx.gbl>
<OJjLDatTEHA.644@tk2msftngp13.phx.gbl>
<T7Q$$T2TEHA.2160@cpmsftngxa10.phx.gbl>
<#NkjnpiUEHA.2988@TK2MSFTNGP10.phx.gbl>
<JShKdWoUEHA.3996@cpmsftngxa10.phx.gbl>
<OuGEn$pUEHA.2360@TK2MSFTNGP10.phx.gbl>
<A3a2$F4UEHA.2616@cpmsftngxa10.phx.gbl>
<u2E8675UEHA.1472@TK2MSFTNGP09.phx.gbl>
<c1Y87dBVEHA.304@cpmsftngxa10.phx.gbl>
<op5bPA2VEHA.2980@cpmsftngxa10.phx.gbl>
<Og2JX08VEHA.2564@TK2MSFTNGP11.phx.gbl>
<InXJtoVWEHA.2920@cpmsftngxa10.phx.gbl>
| Subject: Re: Client certificate private key prompt
| Date: Thu, 24 Jun 2004 08:45:03 +0200
| Lines: 125
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| Message-ID: <#$yYJbbWEHA.3716@TK2MSFTNGP11.phx.gbl>
| Newsgroups: microsoft.public.dotnet.framework
| NNTP-Posting-Host: om.omgroup.com 194.213.87.193
| Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.framework:74296
| X-Tomcat-NG: microsoft.public.dotnet.framework
|
| Hi Brian
|
| Thank you for your response. I had a hunch that this was the problem, but
| the question still is why Peter was not able to reproduce the behaviour with
| the exact same code that I was running (except if I used the extra
| authentication header in the initial request). Is there some trick that we
| could do to eliminate this problem? Adding the authentication header manually
| sure is one, but does it have any other negative effects?
| Would upgrading to IIS 6 (W2k3) solve this problem? When I tried to run our
| testcode on a W2k3 server I didn't get the double prompting. Does this mean
| that the SSL channel is kept between the requests in IIS6 and therefore
| there is no need to read the private key again from the certificate?
|
| /Berndt
|
| "Brian Combs" <Brian@online.microsoft.com> wrote in message
| news:InXJtoVWEHA.2920@cpmsftngxa10.phx.gbl...
| > Hello
| > Here is how HttpWebRequest works with client certs, SSL, and Basic auth.
| > First when you protect a client cert by installing it with strong private
| > key protection and configure it to prompt for each access call to private
| > key, then you will get a prompt when anything tries to access this private
| > key.
| >
| > Here is what is happening.
| > 1. HttpWebRequest sends anonymous request to IIS using SSL
| > 2. IIS tells client it needs client cert.
| > 3. Client gets and sends client cert. (first prompt as we need to access
| > the private key)
| > 4. IIS sees that you need to auth to get to the requested resource
| > 5. It sends 401 and closes the connection.
| > 6. Client sends new request with authorization header to IIS using SSL
| > 7. IIS tells client it needs client cert.
| > 8. Client gets and sends client cert. (second prompt as we need to access
| > the private key)
| > 9. IIS authenticates the request and returns the data.
| >
| > Now if you make new requests and PreAuthenticate is not set to true you
| > will get a prompt for each new request. If you set PreAuthenticate to true
| > then you will not get prompted after the first two prompts if you are using
| > the same connection. If you need to create a new connection then you will
| > get a prompt because you must set up a new SSL session for that connection
| > which means you need to access the private key.
| >
| > PreAuthenticate with basic auth works like the following:
| > First request goes anonymous
| > We get 401 back
| > Client then sends next request with credentials.
| > If we authenticate then any other request that has PreAuthenticate set to
| > true and has the same credentials will send the credentials on the first
| > request.
| >
| > The first request goes anonymous because we don't know if we need to
| > authenticate and if so how. So we need to find out first if we can do the
| > PreAuthenticate for subsequent requests.
| >
| > All of this is by design.
| >
| > Thanks
| > Brian [MSFT]
| > Microsoft Developer Support
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| > --------------------
| > | From: "Berndt Johansson" <berndt.johansson@removenospamom.com>
| > | References: <ONvpdCgTEHA.1548@TK2MSFTNGP11.phx.gbl>
| > <doEgDrrTEHA.2160@cpmsftngxa10.phx.gbl>
| > <OJjLDatTEHA.644@tk2msftngp13.phx.gbl>
| > <T7Q$$T2TEHA.2160@cpmsftngxa10.phx.gbl>
| > <#NkjnpiUEHA.2988@TK2MSFTNGP10.phx.gbl>
| > <JShKdWoUEHA.3996@cpmsftngxa10.phx.gbl>
| > <OuGEn$pUEHA.2360@TK2MSFTNGP10.phx.gbl>
| > <A3a2$F4UEHA.2616@cpmsftngxa10.phx.gbl>
| > <u2E8675UEHA.1472@TK2MSFTNGP09.phx.gbl>
| > <c1Y87dBVEHA.304@cpmsftngxa10.phx.gbl>
| > <op5bPA2VEHA.2980@cpmsftngxa10.phx.gbl>
| > | Subject: Re: Client certificate private key prompt
| > | Date: Mon, 21 Jun 2004 22:19:47 +0200
| > | Lines: 26
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2800.1409
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
| > | Message-ID: <Og2JX08VEHA.2564@TK2MSFTNGP11.phx.gbl>
| > | Newsgroups: microsoft.public.dotnet.framework
| > | NNTP-Posting-Host: om.omgroup.com 194.213.87.193
| > | Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED02.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP11.phx.gbl
| > | Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.framework:74101
| > | X-Tomcat-NG: microsoft.public.dotnet.framework
| > |
| > | Hi Peter,
| > |
| > | Thank you. Please let me know if you need any other tests on my side.
| > |
| > | /Berndt
| > |
| > | ""Peter Huang"" <v-phuang@online.microsoft.com> wrote in message
| > | news:op5bPA2VEHA.2980@cpmsftngxa10.phx.gbl...
| > | > Hi Berndt,
| > | >
| > | > I am sorry for the delay. We are working with another engineer on this
| > | > issue; please be patient, and we will update you with new information ASAP.
| > | >
| > | > Thank you for your understanding.
| > | >
| > | > Best regards,
| > | >
| > | > Peter Huang
| > | > Microsoft Online Partner Support
| > | >
| > | > Get Secure! - www.microsoft.com/security
| > | > This posting is provided "AS IS" with no warranties, and confers no
| > | rights.
| > | >
| > |
| > |
| > |
| >
|
|
|



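The manual-header approach Brian describes, written out as an added example of my own rather than code from anyone in this thread. It assumes an HttpWebRequest on .NET Framework 2.0 or later, a client certificate installed in the current user's personal store, and the Basic account; the URL, thumbprint, account name and password are placeholders. The Authorization header is added in one factory method so that every new request object carries it (the "you are now in charge of making sure it is there for each request" point), and the factory refuses plain http, since a Basic header is only base64 and would otherwise be readable on the wire:

```csharp
using System;
using System.IO;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example (not code from the thread). Builds an HttpWebRequest that
// presents a client certificate and carries a Basic Authorization header on
// the very first request, so the server never answers with a 401 that forces
// a second TLS handshake (and a second private-key prompt).
public static class PreemptiveBasicClient
{
    // Placeholders: replace with the real resource, certificate and account.
    private const string ResourceUrl = "https://server.example/protected/data";
    private const string ClientCertThumbprint = "PLACEHOLDER_THUMBPRINT";

    // Locate the client certificate in the current user's personal store.
    // The final 'true' (validOnly) skips expired or untrusted certificates.
    public static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        try
        {
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, true);
            if (found.Count == 0)
                throw new InvalidOperationException("Client certificate not found: " + thumbprint);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    // RFC 7617 Basic credential: "Basic " + base64(user ":" password).
    public static string BuildBasicAuthorization(string user, string password)
    {
        if (user.Contains(":"))
            throw new ArgumentException("Basic auth user names cannot contain ':'", "user");
        byte[] raw = Encoding.UTF8.GetBytes(user + ":" + password);
        return "Basic " + Convert.ToBase64String(raw);
    }

    // Every HttpWebRequest is a new object, so the header has to be added to
    // each one; this factory is the single place where that happens.
    public static HttpWebRequest CreateRequest(
        Uri url, X509Certificate2 clientCert, string user, string password)
    {
        // Base64 is not encryption: refuse to send the header over plain HTTP.
        if (!string.Equals(url.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException("Basic credentials must only be sent over HTTPS", "url");

        var request = (HttpWebRequest)WebRequest.Create(url);
        request.Method = "GET";
        request.KeepAlive = true;   // reuse the TLS session where the server keeps the connection open
        request.ClientCertificates.Add(clientCert);
        // Credentials is deliberately left unset: the explicit header replaces
        // the anonymous-request / 401 / retry exchange the thread describes.
        request.Headers.Add("Authorization", BuildBasicAuthorization(user, password));
        return request;
    }

    public static string Fetch(Uri url, X509Certificate2 clientCert, string user, string password)
    {
        HttpWebRequest request = CreateRequest(url, clientCert, user, password);
        using (var response = (HttpWebResponse)request.GetResponse())
        using (var reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }

    public static void Main()
    {
        X509Certificate2 cert = LoadClientCertificate(ClientCertThumbprint);
        string body = Fetch(new Uri(ResourceUrl), cert, "svc-account", "PLACEHOLDER_PASSWORD");
        Console.WriteLine(body.Length + " bytes received");
    }
}
```

The alternative is to set request.Credentials to a NetworkCredential and request.PreAuthenticate = true; that is the challenge/response path Brian lays out, so the first request on each new connection still goes anonymous and still costs the 401 round trip (and, on a server that closes the connection on 401, the second private-key access). With the explicit header, the trade-off is the one he names: nothing verifies the header for you, so a typo in the user name or a rotated password only shows up as a 401 at run time.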