
We use client SSL certificates to secure web-based user communications with our web server (the edit site for a SharePoint site). Certificates are generated internally and sent to users to be installed.

Normally we don't have any issues but lately some users have been unable to access the sites while others can authenticate successfully during the same time period and even using the same certificate.

A network packet capture suggests IE isn't always sending the certificate. At this point, uninstalling and reinstalling the certificate corrects the problem, but isn't desirable.

wzzrd
Michhes
  • And after reinstalling once, that client machine never gives you any trouble anymore? Or could the very same client machine stop sending the certificate at some later time again? (Also note that home users will get forced by Windows Update to install IE8, as we speak.) – Arjan Aug 05 '09 at 08:40
  • @Arjan - Uninstalling/reinstalling works initially but eventually stops again after an unknown time period. @Nasko - There should only be the one certificate installed but I'll post our findings. – Michhes Aug 21 '09 at 01:10

2 Answers


Are you actually validating client identity with the SSL certificate rather than just using a server-side certificate and SSL to encrypt the communication? If so, that's not a particularly common scenario (although you may have very valid reasons for doing so). If you don't have a business need to authenticate clients with certificates, you could still encrypt communications while turning off client side certificate-based authentication which would solve your problem :)

According to the IIS Authentication documentation on MSDN:

IIS can also use SSL/TLS to authenticate the client by requiring the client to provide a certificate. When requesting a client certificate, the server provides the client with a list of CAs that the server trusts. This list is derived from the server's Certificate Trust List (CTL). If the client possesses a certificate issued by a CA from the CTL, it sends a copy of that certificate to the server for verification. If the certificate is valid, IIS authenticates the user that maps to the provided certificate. As such, you should limit the CTL on IIS to those CAs you determine to be truly trustworthy.

Is it at all possible that you have multiple CAs generating the client certificates, and for some reason one of them is not on the server's Certificate Trust List (CTL)?

Sean Earp
  • Yep, the client certificate is mapped back to a specific AD user through IIS 6.0 and we do this to avoid forcing users to log in manually (we also SSL encrypt the communication channel). Not common but generally works quite well and there was a precedent set by our previous MCMS system. We only have the one CA now and it's on the CTL but we also had a previous, obsolete CA on the list. Deleted the extra one so it'll be interesting to see if that helps! Interestingly, this is sporadic for affected users. The client machine was booted from cold this morning and the problem went away... – Michhes Jun 25 '09 at 04:30
  • Hopefully it helps! Out of curiosity, is there any reason why you wouldn't use Kerberos or NTLM to authenticate the users? All the benefits of single sign-on with none of the hassles of certificate-based client authentication. – Sean Earp Jun 25 '09 at 05:01
  • Shall post my findings after a few days of monitoring. The users are internet-based so that's the main reasoning for the client certificates; form authentication in SharePoint would have probably been a suitable alternative as well. Can Kerberos be used across an internet connection? – Michhes Jun 25 '09 at 23:57
  • ...and just confirmed the problem is still occurring after the change – Michhes Jun 25 '09 at 23:59

Do you have more than one applicable certificate in the client's personal store? If there is more than one certificate, IE might not be able to choose the right certificate, so it won't send anything. Does the server require client auth when looking at the network sniff?

When the issue is present, can you list the client certificate using certutil.exe? You can use certutil -v -user -store "my" and check for permissions/encryption test passing/other things that might look off. If there is something, you can try to find the root cause of it.

Nasko
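A client-side diagnostic along the lines Nasko suggests, added here as an example and not part of the original thread: a PowerShell script that walks the current user's Personal store and reports which certificates IE could actually offer for client authentication (private key present, within its validity period, Client Authentication EKU, chain builds), then flags the two states that match the symptoms above: no eligible certificate, or more than one. It assumes PowerShell with the Cert: provider on the affected client; no CA name, thumbprint or server detail from the thread is used.

```powershell
# Added diagnostic, not code from the original thread.
# Lists the user's Personal store and flags certificates IE could send for client auth.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date
$eligible = @()

foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $reasons = @()

    # A certificate without a usable private key cannot complete the TLS handshake.
    if (-not $cert.HasPrivateKey) { $reasons += 'no private key' }

    # Expired or not-yet-valid certificates are not offered.
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $reasons += 'outside validity period'
    }

    # Enhanced Key Usage must be absent (any purpose) or include Client Authentication.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) {
        $reasons += 'EKU lacks Client Authentication'
    }

    # The chain must build on the client; an issuer that cannot be found or is not
    # trusted here is a strong hint it will not match the server's CTL either.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $problems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $reasons += "chain does not build ($problems)"
    }

    $state = if ($reasons.Count -eq 0) { 'ELIGIBLE' } else { 'skipped: ' + ($reasons -join '; ') }
    '{0}  issuer={1}  thumbprint={2}  {3}' -f $cert.Subject, $cert.Issuer, $cert.Thumbprint, $state
    if ($reasons.Count -eq 0) { $eligible += $cert }
}

# The two conditions the thread is chasing: nothing to send, or an ambiguous choice.
switch ($eligible.Count) {
    0       { Write-Warning 'No eligible client certificate: IE has nothing to send.' }
    1       { 'One eligible certificate. If it is still not sent, run: certutil -v -user -store my' }
    default { Write-Warning "$($eligible.Count) eligible certificates; IE may fail to pick one." }
}
```

Run it on an affected machine while the problem is present and again after a reinstall or cold boot; a change in the eligible count or in the chain status between the two runs points at the store rather than at the server.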