Certs on smart card, re-prompting for PIN (Internet Explorer 6)



Hi,

First of all, I'm not quite sure what the most appropriate newsgroup for this post is, so hopefully I guessed correctly. If not, my apologies in advance, and I'd appreciate a pointer to a more appropriate group.

Some background:

We are testing IE6 with client certificates stored on smart cards, and we are browsing to an Apache webserver that is configured for SSL client authentication. The Apache webserver is actually just proxying for a WebLogic server "behind" it.

The problem that we're encountering is that when we do the above, we are seeing the popup window asking for the smart card PIN, but this window is appearing multiple times, sometimes 10-20 times (we enter the PIN each time) before we start seeing the initial partial webpage. Then, when we enter the PIN again, "pieces" of the webpage appear, e.g., an image, then another image, etc., until the page is fully displayed.

I notice that the smart card "middleware" has settings for either caching the PIN, or for the middleware temporarily copying the client cert ("auto-registering") into the Certificate Store (until the smart card is removed), and I'm pretty sure that if we enabled either or both of these settings, we'd avoid the multiple popup PIN windows (right now, both PIN caching and auto-registering the cert to the Certificate Store are disabled).

From my research, IE will create either 2 or 4 simultaneous connections, depending on whether HTTP 1.0 or HTTP 1.1 is used, so I'm guessing that what is happening is that each time IE tries to establish a new client-authenticated connection to the Apache server, it is going through the SSL handshake, and thus retrieving the client cert from the smart card, and this is causing the popup PIN window to appear each time.

As mentioned above, the smart card middleware appears to have some settings that would also prevent the re-prompting for the PIN, but the workstations are locked down (i.e., we can't change the smart card middleware settings), and even if we could, it would be a major process to get approval to change the settings, so I'm wondering if there is possibly something else that we can do to keep the popup PIN windows from re-appearing.

What I'm thinking of is either:

- Somehow configure IE or crypto to automatically cache the client cert, but without having to change the setting in the smart card middleware, or

- Somehow configure IE to use just a single connection that is persistent, i.e., so that IE doesn't keep dropping and then creating new SSL connections.


The other thing I'm wondering is whether maybe there's something 'wrong' about the client certs that we have, i.e., maybe there's something like a basic constraint in the certs that is causing something (e.g., the smart card middleware) to re-prompt for the PIN (e.g., maybe the certs are configured in such a way that the middleware thinks that we're doing something like signing email, rather than just doing SSL client authentication)?


Again, my apologies. I have some experience with smart cards, but not much of it has been "practical", so I'm hoping that someone here who has more experience with IE, MS crypto, smart cards, and smart card middleware might shed some light on all of this.

Thanks in advance!!

Jim
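The question above asks whether the client side can be made to cache the cert or hold a single persistent connection. The other place a practitioner would look is the server, because a PIN prompt corresponds to a private-key operation, and a client-authenticated TLS handshake needs one (the CertificateVerify signature) only when it is a full handshake; a resumed session or a reused keep-alive connection does not touch the card at all. The fragment below is an added illustration, not configuration from the original post or from Jim's Apache server: the directives are real httpd/mod_ssl directives, but the file paths, the back-end hostname, and the assumption that the original setup resembled the "before" block are hypothetical.

```apache
# BEFORE (hypothetical): three settings that each turn one page load into
# many full TLS handshakes. With client auth, each full handshake is one
# signature on the smart card, i.e. one PIN prompt.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/ca-bundle.crt

    # 1. No server-side session cache: an abbreviated (resumed) handshake
    #    is impossible, so every new TCP connection repeats the full
    #    client-auth handshake.
    SSLSessionCache none

    # 2. The stock ssl.conf of the IE6 era matched ALL MSIE versions here.
    #    nokeepalive + downgrade-1.0 close the connection after every
    #    response, so each image is a new connection and a new handshake.
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    # 3. Client verification required only for a sub-tree. The initial
    #    handshake did not ask for a certificate, so mod_ssl renegotiates
    #    for requests into /app: a second full handshake (and PIN prompt)
    #    on every connection that reaches it.
    <Location /app>
        SSLVerifyClient require
        SSLVerifyDepth  2
        ProxyPass        http://weblogic.internal:7001/app
        ProxyPassReverse http://weblogic.internal:7001/app
    </Location>
</VirtualHost>

# AFTER (hypothetical): one full handshake per session, everything else
# resumes or rides on the same connection.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/ca-bundle.crt

    # Shared-memory session cache: the browser's 2-4 parallel connections
    # (after the first one completes) and any later reconnects resume the
    # session instead of re-signing. A resumed handshake has no
    # CertificateRequest/CertificateVerify, so the card is never asked.
    SSLSessionCache        shmcb:/var/run/ssl_scache(512000)
    SSLSessionCacheTimeout 300

    # Persistent connections so images reuse the already-authenticated
    # connection (the "single persistent connection" the question asks for).
    KeepAlive        On
    KeepAliveTimeout 15

    # Only the genuinely broken early MSIE versions need the workaround.
    SetEnvIf User-Agent "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    # Ask for the certificate in the initial handshake, once per session,
    # rather than renegotiating per location.
    SSLVerifyClient require
    SSLVerifyDepth  2

    ProxyPass        /app http://weblogic.internal:7001/app
    ProxyPassReverse /app http://weblogic.internal:7001/app
</VirtualHost>
```

To check which situation you are in without touching the workstation, `openssl s_client -connect host:443 -reconnect` (with `-cert`/`-key` pointing at a test client certificate) reconnects several times with the same session ID and prints whether each session was "Reused" or "New"; a server that never reports "Reused" cannot spare the card a signature on any connection. Note that none of this changes how many times the middleware asks for the PIN within one full handshake; it only reduces the number of full handshakes a page load costs.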