Choose a Digital Certificate Blank!!

  • Thread starter Thread starter Ryan Hanisco
  • Start date Start date
R

Ryan Hanisco

Hello everyone,

I have a web site that uses Certificate Authentication for user identity.
My CA issues certificates to the end users and the web site inspects the
certificate properties to allow users into the site.

The CA is a private CA that uses a self-signed cert at the top level. On
all non-Vista operating systems, everything works well. When Vista requests
the cert, it prompts me that it needs to add the Trusted Root Cert for the
CA.. I do this and make sure that it places the Root Cert in the Trusted
Root Cert area. Then the personal cert installs correctly. I can use the
Cert MMC to see that the root is there and that the client cert is in the
right place.

When I load the web site, I do hit it with SSL and I get the "Choose a
Digital Certificate" dialog box that I expect. Unfortunately, in the
Identification box, there are no certificates listed at all -- so the
authentication fails.

I have seen a number of other complaining about this very issue on other
sites in my search for an answer, but I have yet to see a working response.

I have tried:
- Manually importing the Root Cert
- Adding the site to a security zone with settings on low or making the site
a trusted site
- In IE, turning off the Revocation status for the cert and the CA
- Removing the IE check for signatures on downloads

I am running out of options and am looking for additional direction. Anyone??
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
 
Hi Everyone,

The answer to this eventually came down to the fact that Windows Vista
requests certificates using a different cryptography provider than previous
operating systems. If you just leave the default options, the certificates
cannot be used for web authentication.

I have posted the full resolution steps with screen shots on my blog at:

http://techsterity.com/blogs/ad/arc...ificate-authentication-for-windows-vista.aspx

Thanks!
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
 
Hi chembuchira,

To do this, you will need to use the advanced pages rather than the basic
ones. I played around a bit with automatically specifying the cryptographic
provider, but this is pulled live when the page is rendered and isn't just an
easy hardcoding of a value.

I'd direct you to the link in my post for the screen shots of where I've
left it. Other than those settings, most everything else is hard-code-able.
--
Ryan Hanisco
MCSE, MCTS: SQL 2005, Server 2008, Project+
http://www.techsterity.com
Chicago, IL

Remember: Marking helpful answers helps everyone find the info they need
quickly.
 
Back
Top