Re: Server re-negotiate to request client certificate

"Michelle Lai [MSFT]" <MichelleLaiMSFT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:72A09E54-8508-4547-97FD-5F7F3BC1E15A@xxxxxxxxxxxxxxxx
How can I implement a server application to re-negotiate with the client
to get a client certificate (after a successful handshake)?

Hi Michelle,

Generally, the strategy should be to request a client certificate in the
ServerHello, by specifying ASC_REQ_MUTUAL_AUTH when you call
AcceptSecurityContext, and deal with an empty or absent list of certificates
if you're going to allow unauthenticated clients to connect as well as
authenticated ones.

However, if you've set your heart on renegotiating, you should follow the
general instructions in - call
AcceptSecurityContext with a modified fContextReq parameter (with

Bear in mind that many client apps will not have code to detect the
renegotiation, and as a result, they will treat your request as an error in
the SSL communication; the same is probably true, of course, of requesting
client certificates at the start of the communication.


