RE: Certs on smart card, re-prompting for PIN (Internet Explorer 6)
- From: lelteto <lelteto@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 21 Jan 2007 12:52:01 -0800
You would need to ask the card vendor's software / tech support.
1. If the CERTIFICATE is protected with PIN (unlikely), then caching it will
help. However, normally the PIN is needed only when the PRIVATE KEY is used
(to sign the request which goes to the server).
2. Most Smart Card software allows the caching of the PIN (i.e. won't prompt
for it if it's been entered in the last N minutes). Check with the vendor if such a
setting is available. Note, however, that some SIGNING private keys are
purposefully configured so that EACH signing act requires the PIN. This is good
security practice, as e.g. in a banking environment if you sign only one
transaction, another (initiated by a rogue program running on the same
computer) would result in another PIN prompt and the user would notice that
something is wrong.
3. You may have the issue because of the way you set up your Web server. If
the server requires authentication of EACH request then the smart card has to
sign each request. You should check the server configuration. Normally you
would establish an SSL connection between client and server - and the
connection setup would require that both sides use certs and signatures. In
that case you would have only one PIN prompt (for the SSL connection) and all
other communication would be flowing normally (but protected).
Laszlo Elteto
SafeNet, Inc.
"ohaya" wrote:
Hi,
First of all, I'm not quite sure what the most appropriate newsgroup for
this post is, so hopefully I guessed correctly. If not, my apologies in
advance, and I'd appreciate a pointer to a more appropriate group.
Some background:
We are testing IE6 with client certificates stored on smart cards, and
we are browsing to an Apache webserver that is configured for SSL client
authentication. The Apache webserver is actually just proxying for a
WebLogic server "behind" it.
The problem that we're encountering is that when we do the above, we are
seeing the popup window asking for the smart card PIN, but this window
is appearing multiple times, sometimes 10-20 times (we enter the PIN
each time) before we start seeing the initial partial webpage. Then,
when we enter the PIN again, "pieces" of the webpage appear, e.g., an
image, then another image, etc., until the page is fully displayed.
I notice that the smart card "middleware" has settings for either
caching the PIN, or for the middleware temporarily copying the client
cert ("auto-registering") into the Certificate Store (until the smart
card is removed), and I'm pretty sure if we enabled either or both of
these settings, that we'd avoid the multiple popup PIN windows (right
now, both PIN caching and auto-registering the cert to the Certificate
Store are disabled).
From my research, IE will either create 2 or 4 simultaneous
connections, depending on whether HTTP 1.0 or HTTP 1.1 is used, so I'm
guessing that what is happening is that each time IE tries to establish
a new client-authenticated connection to the Apache server, it is going
through the SSL handshake, and thus retrieving the client cert from the
smart card, and this is causing the popup PIN window to appear each time.
As mentioned above, the smart card middleware appears to have some
settings that would also prevent the re-prompting for the PIN, but the
workstations are locked down (i.e., we can't change the smart card
middleware settings), and even if we could it would be a major process
to get approval to change the settings, so I'm wondering if there is
possibly something else that we can do to avoid the popup PIN windows
from re-appearing.
What I'm thinking of is either:
- Somehow configure IE or crypto to automatically cache the client cert,
but without having to change the setting in the smart card middleware, or
- Somehow configure IE to use just a single connection that is
persistent, i.e., so that IE doesn't keep dropping and then creating new
SSL connections.
The other thing I'm wondering is if maybe there's something 'wrong'
about the client certs that we have, i.e., maybe there's something like
a basic constraint in the certs that is causing something (e.g., the
smart card middleware) to force it (again the middleware) to re-prompt
for the PIN (e.g., maybe the certs are configured in such a way that the
middleware thinks that we're doing something like signing email, rather
than just doing SSL client authentication)?
Again, my apologies. I have some experience with smart cards, but not
much of it has been "practical", so I'm hoping that someone here who has
more experience with IE, MS crypto, smart cards, and smart card
middleware might shed some light on all of this.
Thanks in advance!!
Jim
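The question above raises the possibility that a constraint in the certificate itself makes the middleware treat the key as a signing key rather than a TLS client-authentication key. The two extensions a browser or middleware consults for that decision are Key Usage (RFC 5280 4.2.1.3) and Extended Key Usage (4.2.1.12). The following is an added example, not code from either poster or from any vendor's middleware: a small DER decoder for those two extension values, with a check that reports whether a certificate carries the digitalSignature bit and (if an EKU is present) the clientAuth purpose needed to sign a TLS client-auth handshake. The sample byte strings are constructed for this example and are not taken from any real certificate.

```python
"""Decode X.509 Key Usage and Extended Key Usage extension values (DER).

Added example, not from the newsgroup thread. The sample DER bytes at the
bottom are constructed for this example, not copied from a real certificate.
"""

# KeyUsage bit names in bit order (RFC 5280 4.2.1.3)
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Well-known extended key usage OIDs (RFC 5280 plus Microsoft's smart card logon OID)
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
    "1.3.6.1.4.1.311.20.2.2": "smartcardLogon",
}


def read_tlv(data: bytes, offset: int = 0):
    """Read one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    value = data[offset:offset + length]
    return tag, value, offset + length


def decode_oid(value: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form.

    The first octet packs the first two arcs as 40*a + b; this simple split
    is enough for the iso(1) and itu-t(0) trees used by the OIDs above.
    """
    first = value[0]
    arcs = [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_key_usage(der: bytes) -> set:
    """Parse a KeyUsage extension value (BIT STRING) into the set of named bits."""
    tag, value, _ = read_tlv(der)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused = value[0]          # number of unused trailing bits in the last octet
    bits = value[1:]
    total_bits = len(bits) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if bits[byte] & (0x80 >> bit):   # bit 0 is the most significant bit
            usages.add(KEY_USAGE_BITS[i])
    return usages


def parse_ext_key_usage(der: bytes) -> list:
    """Parse an ExtKeyUsage extension value (SEQUENCE OF OID) into names (or raw OIDs)."""
    tag, value, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    names, off = [], 0
    while off < len(value):
        t, v, off = read_tlv(value, off)
        if t != 0x06:
            raise ValueError("expected an OID inside ExtKeyUsage")
        oid = decode_oid(v)
        names.append(EKU_NAMES.get(oid, oid))
    return names


def usable_for_tls_client_auth(key_usage_der: bytes, eku_der=None) -> bool:
    """True if the key may sign a TLS client-auth handshake: digitalSignature
    must be set and, when an EKU extension exists, it must list clientAuth."""
    if "digitalSignature" not in parse_key_usage(key_usage_der):
        return False
    if eku_der is None:
        return True  # an absent EKU imposes no purpose restriction
    return "clientAuth" in parse_ext_key_usage(eku_der)


# Constructed sample extension values (hypothetical, not from a real certificate)
SAMPLE_KU = bytes.fromhex("030205a0")  # digitalSignature + keyEncipherment
SAMPLE_EKU_CLIENT = bytes.fromhex(
    "3016" "06082b06010505070302" "060a2b060104018237140202")  # clientAuth, smartcardLogon
SAMPLE_EKU_EMAIL = bytes.fromhex("300a" "06082b06010505070304")   # emailProtection only

if __name__ == "__main__":
    print("KeyUsage:", sorted(parse_key_usage(SAMPLE_KU)))
    print("EKU:", parse_ext_key_usage(SAMPLE_EKU_CLIENT))
    print("client auth OK:", usable_for_tls_client_auth(SAMPLE_KU, SAMPLE_EKU_CLIENT))
    print("client auth OK (email-only cert):",
          usable_for_tls_client_auth(SAMPLE_KU, SAMPLE_EKU_EMAIL))
```

To run this against a real certificate, extract the extension values from the DER (for instance with `openssl x509 -text` to locate them) and pass the raw extnValue octets to the two parsers; an email-only EKU or a missing digitalSignature bit is worth ruling out before looking at connection counts, since the handshake signature is the operation that triggers the PIN prompt in the first place.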