Choose a Digital Certificate Blank!!


Guest Ryan Hanisco
Posted

Hello everyone,

I have a web site that uses Certificate Authentication for user identity. My CA issues certificates to the end users and the web site inspects the certificate properties to allow users into the site.

The CA is a private CA that uses a self-signed cert at the top level. On all non-Vista operating systems, everything works well. When Vista requests the cert, it prompts me that it needs to add the Trusted Root Cert for the CA. I do this and make sure that it places the Root Cert in the Trusted Root Cert area. Then the personal cert installs correctly. I can use the Cert MMC to see that the root is there and that the client cert is in the right place.

When I load the web site, I do hit it with SSL and I get the "Choose a Digital Certificate" dialog box that I expect. Unfortunately, in the Identification box, there are no certificates listed at all -- so the authentication fails.

I have seen a number of others complaining about this very issue on other sites in my search for an answer, but I have yet to see a working response.

I have tried:

- Manually importing the Root Cert
- Adding the site to a security zone with settings on low or making the site a trusted site
- In IE, turning off the Revocation status for the cert and the CA
- Removing the IE check for signatures on downloads

I am running out of options and am looking for additional direction. Anyone??

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.

  • 4 weeks later...
Guest Ryan Hanisco
Posted

Hi Everyone,

The answer to this eventually came down to the fact that Windows Vista requests certificates using a different cryptography provider than previous operating systems. If you just leave the default options, the certificates cannot be used for web authentication.

I have posted the full resolution steps with screen shots on my blog at:

http://techsterity.com/blogs/ad/archive/20...dows-vista.aspx

Thanks!

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.

 

 

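A way to check what the resolution above describes, as an added example that is not part of the original thread or the linked blog post: the script lists each certificate in the current user's Personal store with the properties that matter for client authentication, including the cryptographic provider that holds its private key. It assumes Windows PowerShell 3.0 or later; `Get-ClientCertReport` is a hypothetical function name, and the thread does not say which provider is the working one.

```powershell
# Added diagnostic (not from the thread). Get-ClientCertReport is a hypothetical name.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientCertReport {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed: user's Personal store

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_

        # No EKU extension at all means the certificate is valid for all purposes.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $clientAuth = (-not $ekuExt) -or ($ekus -contains $ClientAuthOid)

        # Name of the provider that holds the private key, when it can be read.
        $provider = '(no private key)'
        if ($cert.HasPrivateKey) {
            try {
                $key = $cert.PrivateKey
                if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
                    $provider = $key.CspKeyContainerInfo.ProviderName
                } else {
                    $provider = '(key not exposed through a legacy CSP)'
                }
            } catch {
                $provider = "(key could not be opened: $($_.Exception.Message))"
            }
        }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEku = $clientAuth
            KeyProvider   = $provider
            Thumbprint    = $cert.Thumbprint
        }
    }
}

Get-ClientCertReport | Format-List
```

Run it on a client where the certificate is offered in the dialog and on the Vista client, then compare the `KeyProvider` values for certificates issued by the same CA. `certutil -user -store My` prints the same provider information without PowerShell.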

  • 3 weeks later...
Guest chembuchira
Posted

Hi Ryan,

Thanks a lot for your post. Could you please give me some more input on our issue? We are using scripting and customized web enrollment pages for installing the client certificate in IE7 (Vista). I am not able to find out the option to configure the cryptographic changes and key size in the ASP code.

Can you please help me on this piece?

Thanks and Regards,
Chembu

--
chembuchira

Guest Ryan Hanisco
Posted

Hi chembuchira,

To do this, you will need to use the advanced pages rather than the basic ones. I played around a bit with automatically specifying the cryptographic provider, but this is pulled live when the page is rendered and isn't just an easy hardcoding of a value.

I'd direct you to the link in my post for the screen shots of where I've left it. Other than those settings, most everything else is hard-code-able.

--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need quickly.

 

 

