Choose a Digital Certificate Blank!!

Posted by Ryan Hanisco on September 10, 2008, 12:14 pm


Hello everyone,

I have a web site that uses Certificate Authentication for user identity.
My CA issues certificates to the end users and the web site inspects the
certificate properties to allow users into the site.

The CA is a private CA that uses a self-signed cert at the top level. On
all non-Vista operating systems, everything works well. When Vista requests
the cert, it prompts me that it needs to add the Trusted Root Cert for the
CA. I do this and make sure that it places the Root Cert in the Trusted
Root Cert area. Then the personal cert installs correctly. I can use the
Cert MMC to see that the root is there and that the client cert is in the
right place.

When I load the web site, I do hit it with SSL and I get the "Choose a
Digital Certificate" dialog box that I expect. Unfortunately, in the
Identification box, there are no certificates listed at all -- so the
authentication fails.

I have seen a number of others complaining about this very issue on other
sites in my search for an answer, but I have yet to see a working response.

I have tried:
- Manually importing the Root Cert
- Adding the site to a security zone with settings on low or making the site
a trusted site
- In IE, turning off the Revocation status for the cert and the CA
- Removing the IE check for signatures on downloads

I am running out of options and am looking for additional direction. Anyone??
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.

Posted by Ryan Hanisco on October 4, 2008, 3:08 pm


Hi Everyone,

The answer to this eventually came down to the fact that Windows Vista
requests certificates using a different cryptography provider than previous
operating systems. If you just leave the default options, the certificates
cannot be used for web authentication.

I have posted the full resolution steps with screen shots on my blog at:

http://techsterity.com/blogs/ad/archive/2008/09/29/iis-certificate-authentication-for-windows-vista.aspx

Thanks!
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
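
Added example, not part of the original posts: the follow-up attributes the empty "Choose a Digital Certificate" dialog to the cryptography provider selected at enrollment. This PowerShell diagnostic lists, for each certificate in the current user's Personal store, the properties that decide whether it can be offered for client authentication, including the provider that holds the private key. The thread does not say which provider a given site needs, so the script only reports the values.

```powershell
# Added diagnostic; not from the original thread or the poster's blog.
# Reports the client-authentication-relevant properties of every certificate
# in the current user's Personal (My) store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$now = Get-Date

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs. No EKU extension at all means no purpose restriction.
    $ekuOids = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekuOids += $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }
    $ekuOk = ($ekuOids.Count -eq 0) -or ($ekuOids -contains $clientAuthOid)

    # Provider that holds the private key, where the CryptoAPI (CSP) view exposes it.
    $provider = '(no private key)'
    if ($cert.HasPrivateKey) {
        try {
            $provider = $cert.PrivateKey.CspKeyContainerInfo.ProviderName
        } catch {
            $provider = $null   # key exists but could not be opened through a CSP
        }
        if (-not $provider) {
            $provider = '(not readable as a CSP key; inspect with: certutil -user -store My)'
        }
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        ClientAuthEku = $ekuOk
        Provider      = $provider
    }
} | Select-Object Subject, Issuer, Thumbprint, HasPrivateKey, InValidity, ClientAuthEku, Provider |
    Format-List
```

Running it on a machine where the certificate is offered and on one where it is not, then comparing the `Provider`, `HasPrivateKey` and `ClientAuthEku` values, shows which property differs between the two enrollments.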
