Re: Client certificate private key prompt
From: Berndt Johansson (berndt.johansson_at_removenospamom.com)
Date: 06/28/04
- Next message: Marc Scheuner [MVP ADSI]: "Using regular expressions to parse INI file"
- Previous message: z. f.: "Re: convert from unicode to ascii (hebrew)"
- In reply to: Brian Combs: "Re: Client certificate private key prompt"
- Messages sorted by: [ date ] [ thread ]
Date: Mon, 28 Jun 2004 13:30:44 +0200
Hi
Okay, so upgrading to IIS6 will make the problem a bit smaller, but not
completely gone...
We saw the difference in TCP behaviour between IIS5 and IIS6 using Ethereal
and the TCP connections are kept.
I can only agree with you on the fact that, if they set up certificates to
use prompting, that is also what they get, for good and for bad. I
have been trying to convince the customer of this all the time, but I
need solid proof to convince them :-) I think that I have that now.
Thank you for your help.
/Berndt
"Brian Combs" <Brian@online.microsoft.com> wrote in message
news:SnMpWnjWEHA.328@cpmsftngxa10.phx.gbl...
> Hello
> As you stated, the trick is to add the authentication header manually.
> The only issue with this is that you are now in charge of making sure it is
> there for each request and that the header is correct. Many folks have used
> this when they need to make sure that no request ever goes as anonymous.
> Upgrading the client to W2K3 will not solve the two prompt issue. I tested
> my code on W2k3 and I still got the two prompts. However upgrading your
> server to IIS 6.0 may keep the client from giving you two prompts. This is
> because IIS 6.0 does not close the connection after the 401 for basic auth
> like IIS 5.0 does, which means that if the TCP connection is not closed
> then we may be able to keep the same SSL session so we don't need to access
> the private key. Remember you may not always have control over how the web
> server is configured. The key for the customer to understand is that they
> wanted this security, so they should not complain when it works! IE is a
> different product and does not share any code base with managed code
> classes. So you can't compare how IE works to how managed code classes
> work. IE also caches a lot of client info in the process like the private
> key for the client cert.
>
>
> Thanks
> Brian [MS]
> Microsoft Developer Support
> This posting is provided "AS IS" with no warranties, and confers no rights.
> --------------------
> | From: "Berndt Johansson" <berndt.johansson@removenospamom.com>
> | Subject: Re: Client certificate private key prompt
> | Date: Thu, 24 Jun 2004 08:45:03 +0200
> |
> | Hi Brian
> |
> | Thank you for your response. I had a hunch that this was the problem, but
> | the question still is why Peter was not able to reproduce the behaviour with
> | the exact same code that I was running (except if I used the extra
> | authentication header in the initial request). Is there some trick that we
> | could do to eliminate this problem? Adding the authentication header manually
> | sure is one, but does it have any other negative effects?
> | Would upgrading to IIS 6 (W2k3) solve this problem? When I tried to run our
> | test code on a W2k3 server I didn't get the double prompting. Does this mean
> | that the SSL channel is kept between the requests in IIS6 and therefore
> | there is no need to read the private key again from the certificate?
> |
> | /Berndt
> |
> | "Brian Combs" <Brian@online.microsoft.com> wrote in message
> | news:InXJtoVWEHA.2920@cpmsftngxa10.phx.gbl...
> | > Hello
> | > Here is how HttpWebRequest works with client certs, SSL, and Basic auth.
> | > First, when you protect a client cert by installing it with strong private
> | > key protection and configure it to prompt for each access call to the private
> | > key, then you will get a prompt when anything tries to access this private
> | > key.
> | >
> | > Here is what is happening.
> | > 1. HttpWebRequest sends anonymous request to IIS using SSL
> | > 2. IIS tells client it needs client cert.
> | > 3. Client gets and sends client cert. (first prompt as we need to access
> | > the private key)
> | > 4. IIS sees that you need to auth to get to the requested resource
> | > 5. It sends 401 and closes the connection.
> | > 6. Client sends new request with authorization header to IIS using SSL
> | > 7. IIS tells client it needs client cert.
> | > 8. Client gets and sends client cert. (second prompt as we need to access
> | > the private key)
> | > 9. IIS authenticates the request and returns the data.
> | >
> | > Now if you make new requests and PreAuthenticate is not set to true you
> | > will get a prompt for each new request. If you set PreAuthenticate to true
> | > then you will not get prompted after the first two prompts if you are using
> | > the same connection. If you need to create a new connection then you will
> | > get a prompt because you must set up a new SSL session for that connection
> | > which means you need to access the private key.
> | >
> | > PreAuthenticate with basic auth works like the following:
> | > First request goes anonymous
> | > We get 401 back
> | > Client then sends next request with credentials.
> | > If we authenticate then any other request that has PreAuthenticate set to
> | > true and has the same credentials will send the credentials on the first
> | > request.
> | >
> | > The first request goes anonymous because we don't know if we need to
> | > authenticate and if so how. So we need to find out first if we can do the
> | > PreAuthenticate for subsequent requests.
> | >
> | > All of this is by design.
> | >
> | > Thanks
> | > Brian [MSFT]
> | > Microsoft Developer Support
> | > This posting is provided "AS IS" with no warranties, and confers no rights.
> | > --------------------
> | > | From: "Berndt Johansson" <berndt.johansson@removenospamom.com>
> | > | Subject: Re: Client certificate private key prompt
> | > | Date: Mon, 21 Jun 2004 22:19:47 +0200
> | > |
> | > | Hi Peter,
> | > |
> | > | Thank you. Please let me know if you need any other tests on my side.
> | > |
> | > | /Berndt
> | > |
> | > | ""Peter Huang"" <v-phuang@online.microsoft.com> wrote in message
> | > | news:op5bPA2VEHA.2980@cpmsftngxa10.phx.gbl...
> | > | > Hi Berndt,
> | > | >
> | > | > I am sorry for the delay. We are working with other engineers on this
> | > | > issue, please have more patience, we can update you with new information
> | > | > ASAP.
> | > | >
> | > | > Thank you for your understanding.
> | > | >
> | > | > Best regards,
> | > | >
> | > | > Peter Huang
> | > | > Microsoft Online Partner Support
> | > | >
> | > | > Get Secure! - www.microsoft.com/security
> | > | > This posting is provided "AS IS" with no warranties, and confers no rights.
> | > | >
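The two remedies Brian describes, setting PreAuthenticate and adding the Basic Authorization header manually, in an added C# example that is not code from this thread. It assumes .NET 2.0 or later (X509Certificate2), a client certificate in the user's personal store, and placeholder subject name, URL and credentials; because the manually added header is sent before any server challenge, the example refuses to pre-send Basic credentials over anything but https.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the thread. Assumes .NET 2.0+ (X509Certificate2)
// and a client certificate in the CurrentUser\My store; subject name, URL and
// credentials passed in by the caller are placeholders.
static class ClientCertBasicAuth
{
    static X509Certificate2 LoadClientCert(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectName, subjectName, true);
            if (found.Count == 0) throw new InvalidOperationException("client cert not found");
            return found[0];
        }
        finally { store.Close(); }
    }

    // Returns the HTTP status code of the authenticated GET.
    static int Get(Uri url, X509Certificate2 cert, string user, string pass, bool manualHeader)
    {
        // Basic credentials are only base64-encoded, so never pre-send them over plain http.
        if (manualHeader && url.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Basic credentials must only be pre-sent over https");
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create(url);
        req.ClientCertificates.Add(cert);
        req.KeepAlive = true;        // keep the TCP/SSL session so the key is not touched again
        req.PreAuthenticate = true;  // after the first 401, send credentials on later requests
        if (manualHeader)
        {
            // Pre-send the header ourselves: no anonymous probe, so no 401 and no
            // connection close (the IIS 5.0 behaviour that triggers the second prompt).
            string token = Convert.ToBase64String(Encoding.ASCII.GetBytes(user + ":" + pass));
            req.Headers["Authorization"] = "Basic " + token;
        }
        else
        {
            req.Credentials = new NetworkCredential(user, pass);
        }
        using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
            return (int)resp.StatusCode;
    }
}
```

Call Get with manualHeader set to false to observe the anonymous probe and 401 round trip, and with it set to true to see that the prompt for the private key occurs only once per connection.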