Re: Client Certificates - Force a fresh authentication



Following up my own post here. I still can't find a server side way
to cause IE as a client to re-authenticate afresh with IIS. The SSL
State cache of IE seems to keep sending the same client certificate
after it has authenticated once until you kill the browser instance.
I can't see anything I can do server side through IIS or a framework
(ASP.NET for example) to cause a new authentication?

The only thing I've found of use is to clear the client's SSL State
cache using JavaScript from within a web page served by IIS.

<script type="text/javascript">
document.execCommand("ClearAuthenticationCache");
</script>

This works on IE 6 and is IE only I believe.

Cheers,
Simon

On Jan 15, 3:11 pm, Simon Allen <si.al...@xxxxxxxxx> wrote:
Hi,

I have "Require client certificates" enforced over SSL on IIS 6.  I
can effectively validate a client certificate without issue.

I'm having trouble forcing a client user (using IE 6) to authenticate
AGAIN afresh using a client certificate once the SSL session is
established.  I want to ensure that the client certificate used is
still physically on the client PC.  Is there a way to do this with IIS
or by adding some form of HTTP header to get the client to renew its
session and resend the certificate (not from any form of SSL state
cache)?

I have tried adding ServerCacheTime and ClientCacheTime values to the
registry of both server and client PCs without effect (in
[HKEY_LOCAL_MACHINE][SYSTEM][CurrentControlSet][Control]
[SecurityProviders][SCHANNEL]).

Thanks for any insight shared.

Simon
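
The ClearAuthenticationCache call from the reply above, wrapped so the page can tell whether the browser actually honoured it. This is an added example, not code from the original post; the function names and the '/secure/' URL are hypothetical. Because the command is IE-only, the fallback is the one the post describes: closing the browser instance.

```javascript
// Added example: names and the protected URL are assumptions, not from the post.

// Try the IE-only command and report what happened instead of failing silently.
// `doc` is the page's document object (passed in so the logic can be tested).
function clearClientAuthCache(doc) {
  if (!doc || typeof doc.execCommand !== "function") {
    return { cleared: false, reason: "execCommand unavailable" };
  }
  try {
    // IE returns true when the command ran; other browsers return false
    // for a command they do not know, and some throw.
    var ok = doc.execCommand("ClearAuthenticationCache", false, null);
    return ok === true
      ? { cleared: true, reason: "cache cleared" }
      : { cleared: false, reason: "command not supported" };
  } catch (e) {
    return { cleared: false, reason: "command threw: " + e.message };
  }
}

// Clear the cache, then send the user to the certificate-protected area.
// If the cache could not be cleared, the caller must ask the user to close
// the browser, since the cached certificate stays in use until then.
function reauthenticate(doc, win, protectedUrl) {
  var result = clearClientAuthCache(doc);
  if (result.cleared) {
    win.location.href = protectedUrl; // next request is made after the clear
    return "redirected";
  }
  return "close-browser";
}

// Browser usage (hypothetical URL):
//   <a href="#" onclick="reauthenticate(document, window, '/secure/'); return false;">
//     Sign in again</a>
```

This only changes what the browser does; the server still has no way to confirm that the cache was cleared.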
