Re: Schannel client authentication problem with optional client certificate



On Nov. 20, 13:52, DaveMo <david.mow...@xxxxxxxxx> wrote:
On Nov 20, 12:28 am, el_noir <el_n...@xxxxxxxxxxxx> wrote:

It seems it's working, but I still have an issue.
When an e-token is inserted and I try to authenticate the user
without a certificate (ISC_REQ_USE_SUPPLIED_CREDS was set), then
InitializeSecurityContext still tries to access the token.
How can I force ISC not to use the token?

Hello,

I don't think I understand what problem you are seeing now. What is
this thing you are calling an e-token?

Dave

It is an Aladdin USB eToken, which is used for strong client
authentication. It is used to store a private key which cannot be
removed from the USB token. I've generated a keypair on the token,
made a certificate request for the key, and signed it with a test
issuer. So I have a public/private keypair on the token, and a
certificate which is linked to it. When the token is inserted, the
certificate is copied to the My store, so it can be used for
authentication.
If the token is inserted and I try to establish an Schannel
connection, ISC tries to access the eToken, even when
ISC_REQ_USE_SUPPLIED_CREDS is set and I do not pass the certificate
through the SCHANNEL_CRED structure when I call
AcquireCredentialsHandle.
(When the Schannel connection is established without the token and without a
certificate, it works fine. And it works when the certificate that
uses the private key is selected for authentication. In this case
ISC calls the eToken's CSP, which asks for the token and a
password.)
My only problem is that when I don't want to use the inserted token,
ISC still tries to access it.

