IIS Server Security >> Session if using client certificate for authentication

by Cristina » Thu, 16 Oct 2003 16:07:23 GMT


I'm using client authentication with certificates stored
in cryptographic cards. What I want to know is:

1. How to configure IIS 5.0 to be able to recognize that the
card has been taken out of the card reader and then log
out from the application.
2. If the session with the server finishes because of a timeout
and then if you try to use it again you are redirected to
the authentication page to log in again, I want the card PIN to be
provided by the user again. It looks like the browser remembers the PIN
and you are not asked.

Thank you,

Similar Threads

1. client certificate authentication using makecert certificate

Does IIS6.0 require that client certificates be issued by a trusted CA to 
use certificate mapping?  I see a lot of articles showing how to use 
makecert to create a server certificate for use with IIS.  And I am handling 
programmatically the errors generated by using an untrusted server 
certificate in an application that I am developing.  However I am getting 
403 errors when I try to authenticate using a client certificate generated 
by makecert that I have mapped to a user ID on the server.  Or is there some 
specific OID that I need to use for the client certificate?



2. Accept Expired Client Certificates when Certificate Authentication is enabled in IIS

3. Web Service security using client certificate and IIS client certi

First, excuse my English, I am not a native speaker ;-)) Here we go.

I have developed a Web Service and configured it (IIS 6.0) to require SSL and 
a Client Certificate to be accessed.

I've generated three certificates (a chain), in order to reproduce the 
process of web authentication with certificates. 

A self-signed root CA certificate (CN = AC RAIZ NOVO) was generated, an 
intermediate CA certificate (CN = AC INTERMEDIARIA NOVO) signed with the root 
certificate, and an End Entity certificate (CN = ANDREI NOVO:77777777777777) 
signed with the intermediate certificate. (The generated certificates are 
attached in the .zip file.)

I've installed the chain in the Local Computer STORE on the Web Server 
executing the Web Service, so I would be able to present my client 
certificate (CN = ANDREI NOVO:77777777777777) to establish the trust.

I have also created the CRL files issued (signed) by the CA (CN = AC 
RAIZ NOVO and CN = AC INTERMEDIARIA NOVO) certificates, and made them 
available at the address configured in the CRLDistributionPoints extensions 
of the certificates. The client End Entity certificate (CN = ANDREI 
NOVO:77777777777777, Serial Number = 33 33) was added to the CA (CN = AC 

Because the client certificate (CN = ANDREI NOVO:77777777777777) is present 
in the certification revocation list issued by its issuer (CN = AC 
INTERMEDIARIA NOVO), and this CRL is pointed at the CRLDistributionPoints 
certificate extension, it was expected to be refused when it tries to access 
the resource, but it does not happen. This behavior occurs only with the 
certificates I have generated.

With other client certificates (REVOKED), the IIS Service blocks the access 
to the resource (Web Service).

Besides, I have tried not publishing any CRL file at the address configured 
in the CRLDistributionPoints certificate extension, to see if the IIS Service 
blocks this certificate, but I did not have success.

In both situations, it was expected to receive the HTTP 403.13 - Forbidden: 
Client certificate revoked, but the access to the Web Service is granted.

Maybe I am generating the Certificate or CRL in an incorrect format, I 
don't know... but I thought that IIS should deny access for invalid 
certificates anyway...

The IIS Web Server, where the accessed Web Service is hosted, is configured 
to check the CRL (Certification Revocation List) and it really does with 
other certificates.

If somebody could help me solve this problem I would be very thankful.

See attachments (OPS ... Is there a way of posting an attachment here ? )

4. IIS requesting certificate : client do not display imported client certificates

5. 403.16 Client certificate error BUT no Client Certificate is requi

We have ONE user for a SSL-enabled web application who is encountering the 
following error message:

403.16 - Forbidden: Client certificate is ill-formed or is not trusted by 
the Web server.

User is using MSIE, version unknown.

Application is on a Windows 2003, service pack 1 server using IIS 6.0. 
Website does not have a "certificate trust list" enabled.  Our web application 
does require SSL. Our web application does NOT require any client 
certificates, and is in fact set to ignore client certificates.

Any suggestions on what to do to diagnose this issue?

6. Writing client certificates to file during SSL-session...

7. Internet Printing + client certificate authentication

I have a Windows Server 2003 with IIS and Internet Printing (IPP).
Clients: Windows XP.
3 authentication methods, as described in HELP (anonymous, standard, 
Windows) working without problems.
I would like to use client authentication using a client certificate. Is it 
I can surf with the client browser to the server, see the list of printers, 
properties, etc., but when I try to connect the printer, a window appears 
where you need to select one of the above methods of authentication and, of 
course, none of them works.
Certificate authentication is not listed.

8. Cannot establish certificate chain for client authentication