Requesting help with Smart Card Client Certificate Authentication issue.

Hello;

I’m hoping someone can help me with this.

Issue: On various systems using Internet Explorer 7 or 8, smart card credentials are not being prompted. Firefox works providing the Security Device for ActivClient is installed.

Environment:

Server: Windows Apache 2.2.14 with OpenSSL
Clients: Various (Windows platforms)
    IE 8
    Firefox 3.5.3
    ActivClient Smart Card/Key reader.

The issue I am having is as follows.

I have a simple apache install running SSL with a server certificate from a trusted authority. If I use a self-signed one, it works just as well.

I have enabled SSLClientVerify on my cgi-bin folder.

Here is my directive:

<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</Directory>

This is in extra/httpd-ssl.conf; basically everything is out of the box 2.2.14 so I could eliminate any customizations we made. The only real changes are me pointing to the certificates and adding this directive.

What works:

Accessing https://servername (which is running on 443) works and the client trusts the server. I see the infamous apache: ‘It Works!’

All client browsers IE, Firefox, Windows 7, Windows Vista, 32bit 64bit all work.

What doesn’t work (completely):

https://servername/cgi-bin/printenv.tcl

Note: I have a tcl interpreter running a custom printenv.tcl, but the file doesn’t matter; assume we are just trying to access cgi-bin directly, same issue exists there. Same issue exists if I set the directive on the whole webserver (e.g. <location />).

Now, here is where it gets interesting. What should happen is the client should prompt for a client certificate from the smart card reader and ask the user for their pin.

On Firefox 3.5.3 it prompts the user for their smartcard pin as long as the Security Device for ActivClient is installed. Works great!

IE 8.0 on Windows 7 didn’t work; after rebuilding the system it works now.

All the other systems (tested 10) running IE will not work. This is where I am completely baffled. I’ve tried everything I could think of. But where I am stuck now is I can’t seem to get IE 7 or 8 to (via ActivClient) prompt for a pin. Using the same client, same IE browser accessing some of our internal sites where we require a certificate, it works fine. Just not to my site on apache. The other two sites that do work are hosted by IIS 6 and Omniture Dc/2.0.0 (at least that is what the HTTP header states).

If anyone needs more information from me or has any advice here please let me know. I’m stumped and have been scouring Google for hours with no luck.

Thanks

- Steve
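
One check that fits the symptom described in the message above is to capture the output of `openssl s_client -connect servername:443` and see whether the issuer of the smart card certificate is among the CA names the server advertises when it requests a client certificate. The following is an added example, not part of the original message; the sample output, the DNs and the function names are constructed for illustration.

```python
import re

# Constructed sample of `openssl s_client` output; all DNs are made up.
SAMPLE_OUTPUT = """\
---
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Server CA
/C=US/O=Example Corp/CN=Example Web Root
---
SSL handshake has read 2310 bytes and written 322 bytes
"""
NO_NAMES_OUTPUT = "---\nNo client certificate CA names sent\n---\n"

DN_LINE = re.compile(r"^/?[A-Za-z0-9.]+ ?=")  # "/C=US/..." or "C = US, ..."

def acceptable_ca_names(s_client_output):
    """Return the CA DNs listed under the CertificateRequest heading ([] if none)."""
    names, in_section = [], False
    for line in s_client_output.splitlines():
        line = line.strip()
        if line == "Acceptable client certificate CA names":
            in_section = True
        elif in_section:
            if not DN_LINE.match(line):
                break  # "---" or the next heading ends the list
            names.append(line)
    return names

def normalize_dn(dn):
    """Reduce both OpenSSL DN print styles to a tuple of (ATTR, value) pairs.
    Simplification: values containing "/" or "," are not handled."""
    dn = dn.strip()
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(",")
    pairs = []
    for part in parts:
        key, _, value = part.partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return tuple(pairs)

def check_issuer(s_client_output, card_issuer_dn):
    """Classify whether the smart card certificate's issuer is advertised."""
    names = acceptable_ca_names(s_client_output)
    if not names:
        return "no-ca-names"      # no list was sent in this handshake
    advertised = {normalize_dn(n) for n in names}
    if normalize_dn(card_issuer_dn) in advertised:
        return "issuer-advertised"
    return "issuer-missing"       # a client filtering on this list has nothing to offer

if __name__ == "__main__":
    print(check_issuer(SAMPLE_OUTPUT, "/C=US/O=Example Agency/CN=Example Card CA"))
```

With SSLVerifyClient set only inside a <Directory> block, Apache 2.2 asks for the certificate in a renegotiation after the HTTP request arrives, so the CA list shows up in the s_client session only once a request for the protected path has been sent.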

 

 

