Re: Disable requesting client certificate when running in SSL

From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 03/10/05


Date: Thu, 10 Mar 2005 12:27:53 -0700

I have no clue. I'll ask the people who know.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:e2#97RaJFHA.3204@TK2MSFTNGP10.phx.gbl...
> I actually do have a client cert, so I should be able to find a way to test
> this.  I realize that the schannel SSP should be able to create a Windows
> security context for me.  However, I don't see how that would interop with
> the LDAP Bind mechanism as there doesn't seem to be a SASL mechanism to
> support this.
>
> So basically, I don't really know what I'm talking about here and want
> Dmitri to drop in explain it.  :)
>
> Joe K.
>
> "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> news:OnquXmYJFHA.3376@TK2MSFTNGP14.phx.gbl...
> > Hi Joe,
> >
> > I spent some time looking at this but failed to make much progress
> > as Ethereal did not seem able to pull the SSL/TLS handshake apart
> > far enough for me to be able to see the client certificate request
> > [RFC 2246 Sec7.4.4] I'm not sure why. According to the RFC,
> > the client certificate request is optional for the cipher suite involved.
> > Where IIS makes use of SSL I thought the options for request client
> > certificate were configurable. I'll post back if I make any further
> > progress.
> >
> > As to " I don't think you can use it to authenticate" and at the risk of
> > "getting you started" on PKI :), what about the Schannel UPN mapping
> > of client certificates to AD users, is that not basically what it does?
> > [I don't know as we do not use client certs.]
> >
> > Thanks
> > Lee Flight
> >
> >
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > in message news:OwBZo8SJFHA.2980@TK2MSFTNGP10.phx.gbl...
> >> I've been in instances where I've wanted to defeat this too and haven't
> >> been able to.  The thing I don't understand is why AD (or ADAM) want my
> >> client certificate.  I don't think you can use it to authenticate, so why
> >> bother requesting it?
> >>
> >> I'd love to know more.
> >>
> >> Joe K.
> >>
> >> "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
> >> news:OvYZyqQJFHA.588@TK2MSFTNGP15.phx.gbl...
> >>> Hi
> >>>
> >>> I have seen that when running with Schannel debugging on.
> >>>
> >>> Schannel Event Id 36875
> >>>
> >>> The remote server has requested SSL client
> >>> authentication, but no suitable client
> >>> certificate could be found. An anonymous
> >>> connection will be attempted. This SSL
> >>> connection request may succeed or fail,
> >>> depending on the server's policy settings.
> >>>
> >>> I think I tried tweaking most of the policy settings around LDAP and
> >>> Schannel but seeing no change in the behaviour. I came to the conclusion
> >>> that the DSA was calling Schannel with the client callback
> >>> (QUERYCLIENTCERT ?) always.
> >>>
> >>> The absence of the client cert does not seem to cause a problem when
> >>> using the Microsoft LDAP client library.
> >>>
> >>> Lee Flight
> >>>
> >>> <vichoty@hotmail.com> wrote in message
> >>> news:1110402291.031725.51110@z14g2000cwz.googlegroups.com...
> >>>> Hi,
> >>>>
> >>>> We have an ADAM instance setup running SSL at port 636. Our observation
> >>>> is that, by default, it requests a ssl client for a client certificate.
> >>>>
> >>>> Does anyone know a way to disable requesting/requiring of client
> >>>> certificates?
> >>>>
> >>>> Thanks
> >>>> Victor
> >>>>
> >>>
> >>>
> >>
> >>
> >
> >
>
>

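Added example, not code from any post in this thread: a small Python parser that, given the raw bytes of a server's plaintext TLS 1.0-1.2 first flight (ServerHello through ServerHelloDone, i.e. what Lee was trying to see in Ethereal), lists the handshake messages and reports whether a CertificateRequest (RFC 2246 sec 7.4.4) is among them. The two sample flights are constructed inline and are not a real capture; the function names are my own.

```python
import struct

HANDSHAKE = 22          # TLS record content type for handshake messages
HS_NAMES = {2: "ServerHello", 11: "Certificate",
            13: "CertificateRequest", 14: "ServerHelloDone"}

def iter_handshake_messages(data):
    """Yield (handshake_type, body) for each handshake message in a byte
    string of TLS records. A message may span records, so the handshake
    fragments of all records are joined before the messages are cut out."""
    hs, off = bytearray(), 0
    while off + 5 <= len(data):
        ctype, _ver, length = struct.unpack("!BHH", data[off:off + 5])
        frag = data[off + 5:off + 5 + length]
        if len(frag) != length:
            raise ValueError("truncated TLS record")
        if ctype == HANDSHAKE:
            hs += frag
        off += 5 + length
    pos = 0
    while pos + 4 <= len(hs):
        htype = hs[pos]
        hlen = int.from_bytes(hs[pos + 1:pos + 4], "big")
        body = bytes(hs[pos + 4:pos + 4 + hlen])
        if len(body) != hlen:
            raise ValueError("truncated handshake message")
        yield htype, body
        pos += 4 + hlen

def server_requests_client_cert(data):
    """Return (requested, message_names) for a server's plaintext first flight."""
    names = [HS_NAMES.get(t, "type%d" % t) for t, _ in iter_handshake_messages(data)]
    return "CertificateRequest" in names, names

# --- constructed sample flights (hypothetical, not a real capture) ---
def _hs(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _record(payload):   # one TLS 1.0 handshake record
    return bytes([HANDSHAKE, 3, 1]) + len(payload).to_bytes(2, "big") + payload

SERVER_HELLO = _hs(2, b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
CERTIFICATE = _hs(11, b"\x00\x00\x00")            # empty certificate_list
CERT_REQ = _hs(13, b"\x01\x01" + b"\x00\x00")     # rsa_sign, empty CA list
DONE = _hs(14, b"")
# CertificateRequest split across two records, as a real server may send it
FLIGHT_WITH_REQUEST = (_record(SERVER_HELLO + CERTIFICATE + CERT_REQ[:3])
                       + _record(CERT_REQ[3:] + DONE))
FLIGHT_WITHOUT_REQUEST = _record(SERVER_HELLO + CERTIFICATE + DONE)
```

This only works where the server's flight is sent in the clear, as in TLS 1.0-1.2; in TLS 1.3 the CertificateRequest is encrypted and cannot be read from a passive capture.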
