Re: Disable requesting client certificate when running in SSL


From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: Fri, 11 Mar 2005 10:10:48 -0600

Hm. It would be nice to be able to set some kind of a policy on the DC (or
ADAM instance) to have it automatically disable the client certificate
request. It doesn't look like there would be an easy way to set that option
client side from the higher level APIs (ADSI/SDS).

Regarding getting your client certificate to work, I think it needs to be
all set up so that the DC trusts the certificate and maps it to a user in
the directory so that the LSA will create a logon token for it. However, I
have no idea what exactly is required to get this to work. I'm sure the DC has
to at least be able to trust the cert and then there has to be some sort of
appropriate mapping back to a user in the store, but I don't know what is
actually required there. Is it sufficient to have the user's UPN as a field
in the cert (as altSubject or whatever) or does altSecurityIdentities need
to be set in AD? This is all very murky to me.

Joe K.

"Lee Flight" <lef@le.ac.uk-nospam> wrote in message
news:uuS1J6iJFHA.3196@TK2MSFTNGP15.phx.gbl...
> According to
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;290483
>
> "When the LDAP API performs the handshake, client authentication is not
> done unless the QUERYCLIENTCERT function is set by using the connection
> options. Typically, the handshake only involves identifying the server"
>
> and MSDN says this is surfaced as the connection option
> LDAP_OPT_CLIENT_CERTIFICATE
> (an option that ldp.exe does not seem to be aware of).
>
> I doubt we would find out the answer to the original poster's question
> without a code review.
>
> [FWIW I planted a cert in my store and ran a connection attempt
> and schannel debugging picked it up, 36875 error went away, but
> I have not yet been able to figure out how to do the EXTERNAL
> SASL bind with ldp.exe to push this on.]
>
> Lee Flight
>
>
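As an added illustration (not code from this thread, from Microsoft or from ldp.exe), the following shows the behaviour Lee quotes from KB 290483 as it surfaces in the managed System.DirectoryServices.Protocols wrapper over wldap32, which shipped with .NET 2.0 after this thread: with no QUERYCLIENTCERT-style callback installed, the SSL handshake authenticates only the server, and installing one is what makes the client answer the DC's certificate request, after which a SASL EXTERNAL bind asks the DC to use the identity it mapped from the certificate. The host name, port and UPN are assumptions; whether the DC actually trusts the issuing CA and has a mapping for the certificate (UPN in the SAN versus altSecurityIdentities) is exactly the open question above and is not settled by this code.

```csharp
// Added example, not from the thread. Assumes a DC or ADAM instance reachable as
// dc01.example.test:636 (hypothetical) and a client certificate with a private key
// in CurrentUser\My whose subjectAltName carries the UPN alice@example.test (hypothetical).
using System;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

static class LdapsClientCert
{
    const string Host = "dc01.example.test";   // hypothetical
    const string Upn  = "alice@example.test";  // hypothetical

    // Managed counterpart of the wldap32 QUERYCLIENTCERT callback that
    // LDAP_OPT_CLIENT_CERTIFICATE installs. Schannel calls it when the server
    // sends a CertificateRequest. Returning null answers with an empty
    // certificate list (client authentication "not done", as KB 290483 puts it);
    // returning a certificate makes schannel present it and sign the handshake.
    static X509Certificate PickClientCert(LdapConnection conn, byte[][] trustedCAs)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                if (!cert.HasPrivateKey) continue;
                // GetNameInfo(UpnName) reads the UPN otherName from the SAN extension.
                string upn = cert.GetNameInfo(X509NameType.UpnName, false);
                if (string.Equals(upn, Upn, StringComparison.OrdinalIgnoreCase))
                    return cert;
            }
            return null; // no suitable cert: decline rather than send a random one
        }
        finally
        {
            store.Close();
        }
    }

    // Returns the rootDSE defaultNamingContext so the caller can see which bind worked.
    static string Connect(bool presentCert)
    {
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, 636)))
        {
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.ProtocolVersion = 3;

            if (presentCert)
            {
                // Install the callback: this is the switch ldp.exe does not expose.
                conn.SessionOptions.QueryClientCertificate = PickClientCert;
                // SASL EXTERNAL: bind as whatever identity the DC mapped from the cert.
                conn.AuthType = AuthType.External;
            }
            else
            {
                // No callback and an empty ClientCertificates collection: the DC's
                // CertificateRequest is answered with no certificate, and only the
                // server is authenticated during the handshake.
                conn.AuthType = AuthType.Anonymous;
            }

            conn.Bind();

            var req = new SearchRequest("", "(objectClass=*)", SearchScope.Base, "defaultNamingContext");
            var resp = (SearchResponse)conn.SendRequest(req);
            return (string)resp.Entries[0].Attributes["defaultNamingContext"][0];
        }
    }

    static void Main(string[] args)
    {
        bool withCert = args.Length > 0 && args[0] == "--cert";
        try
        {
            Console.WriteLine(Connect(withCert));
        }
        catch (LdapException ex)
        {
            // With --cert, a bind failure here usually means the DC could not map
            // the certificate to an account, not that the TLS handshake failed.
            Console.WriteLine("LDAP error {0}: {1}", ex.ErrorCode, ex.Message);
        }
    }
}
```

Run it without arguments to see the server-only handshake that the original poster wants, and with `--cert` to see the client-certificate path; compare the schannel event log entries in each case, since the 36875 error Lee mentions appears only when schannel had a certificate request to satisfy and found nothing usable.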


