Certs on smart card, re-prompting for PIN (Internet Explorer 6)
- From: ohaya <ohaya@xxxxxxx>
- Date: Fri, 19 Jan 2007 21:44:10 -0500
First of all, I'm not quite sure what the most appropriate newsgroup for this post is, so hopefully I guessed correctly. If not, my apologies in advance, and I'd appreciate a pointer to a more appropriate group.
We are testing IE6 with client certificates stored on smart cards, and we are browsing to an Apache webserver that is configured for SSL client authentication. The Apache webserver is actually just proxying for a WebLogic server "behind" it.
The problem that we're encountering is that when we do the above, we are seeing the popup window asking for the smart card PIN, but this window is appearing multiple times, sometimes 10-20 times (we enter the PIN each time) before we start seeing the initial partial webpage. Then, when we enter the PIN again, "pieces" of the webpage appear, e.g., an image, then another image, etc., until the page is fully displayed.
I notice that the smart card "middleware" has settings for either caching the PIN, or for the middleware temporarily copying the client cert ("auto-registering") into the Certificate Store (until the smart card is removed), and I'm pretty sure that if we enabled either or both of these settings, we'd avoid the multiple popup PIN windows (right now, both PIN caching and auto-registering the cert to the Certificate Store are disabled).
From my research, IE will create either 2 or 4 simultaneous connections, depending on whether HTTP 1.0 or HTTP 1.1 is used, so I'm guessing that what is happening is that each time IE tries to establish a new client-authenticated connection to the Apache server, it is going through the SSL handshake, and thus retrieving the client cert from the smart card, and this is causing the popup PIN window to appear each time.
As mentioned above, the smart card middleware appears to have some settings that would also prevent the re-prompting for the PIN, but the workstations are locked down (i.e., we can't change the smart card middleware settings), and even if we could, it would be a major process to get approval to change the settings, so I'm wondering if there is possibly something else that we can do to keep the popup PIN windows from re-appearing.
What I'm thinking of is either:
- Somehow configure IE or crypto to automatically cache the client cert, but without having to change the setting in the smart card middleware, or
- Somehow configure IE to use just a single connection that is persistent, i.e., so that IE doesn't keep dropping and then creating new SSL connections.
The other thing I'm wondering is whether maybe there's something 'wrong' about the client certs that we have, i.e., maybe there's something like a basic constraint in the certs that is causing something (e.g., the smart card middleware) to force it (again the middleware) to re-prompt for the PIN (e.g., maybe the certs are configured in such a way that the middleware thinks that we're doing something like signing email, rather than just doing SSL client authentication)?
Again, my apologies. I have some experience with smart cards, but not much of it has been "practical", so I'm hoping that someone here who has more experience with IE, MS crypto, smart cards, and smart card middleware might shed some light on all of this.
Thanks in advance!!
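For readers landing on this thread with the same symptom, here is an added Apache mod_ssl configuration example; it is not from the original post or from any reply, and the certificate paths, backend URL, cache path, cache size and timeouts are placeholders. It shows the two server-side settings that most commonly turn each of the browser's parallel connections into a full TLS handshake, and therefore into a smart-card private-key operation with its own PIN prompt, next to the corrected form. With a working server-side session cache, the additional connections resume the first session with an abbreviated handshake, which carries no client certificate and no CertificateVerify signature, so the card is used once per session instead of once per connection. Requiring the client certificate at virtual-host level rather than inside a per-directory block avoids mod_ssl renegotiating (a second full handshake, and a second card operation) on each request that enters the protected path. The two VirtualHost blocks below are alternatives for comparison; load only one of them.

```apache
# --- Weak form (added example, not from the post) ---
# No session cache: every new connection is a full handshake, so every one
# of the browser's parallel connections must sign with the smart-card key.
SSLSessionCache none

<VirtualHost *:443>
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.pem
    # placeholder backend (the application server behind the proxy)
    ProxyPass        / http://weblogic.internal:7001/
    ProxyPassReverse / http://weblogic.internal:7001/

    # Per-directory client-cert requirement: mod_ssl must renegotiate on
    # every request into /app, forcing an additional full handshake each time.
    <Location /app>
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- Corrected form ---
# Server-side session cache shared across worker processes; path and size
# are placeholders. Resumed sessions skip client-certificate exchange.
SSLSessionCache        "shmcb:/var/run/apache2/ssl_scache(512000)"
# Lifetime of a cached session in seconds (placeholder value); this bounds
# how long the user goes between PIN prompts.
SSLSessionCacheTimeout 300
# Keep connections open so the browser reuses them instead of reconnecting.
KeepAlive              On
KeepAliveTimeout       15

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.pem
    # Client certificate required for the whole virtual host: settled once in
    # the initial handshake, no per-request renegotiation.
    SSLVerifyClient       require
    SSLVerifyDepth        2
    ProxyPass        / http://weblogic.internal:7001/
    ProxyPassReverse / http://weblogic.internal:7001/
</VirtualHost>
```

After applying the corrected form, run `apachectl configtest` and restart. On Apache 2.4 you can confirm that the extra connections are actually resuming rather than renegotiating by adding `%{SSL_SESSION_RESUMED}x` to a CustomLog format: the first connection of a page load should log `Initial` and the following ones `Resumed`. One PIN prompt per `SSLSessionCacheTimeout` window is the expected result; if every connection still logs `Initial`, the client is not offering the session for resumption and the fix has to come from the client side (for example the middleware's PIN caching mentioned in the post).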