Windows – IE7 stops sending client SSL certificate

Tags: certificate, internet-explorer-7, Security, ssl, windows

We use client SSL certificates to secure web-based user communications with our web server (the edit site for a SharePoint site). Certificates are generated internally and sent to users to be installed.

Normally we don't have any issues but lately some users have been unable to access the sites while others can authenticate successfully during the same time period and even using the same certificate.

A network packet capture suggests IE isn't always sending the certificate. At this point, uninstalling and reinstalling the certificate corrects the problem, but that isn't desirable.

Best Answer

Are you actually validating client identity with the SSL certificate rather than just using a server-side certificate and SSL to encrypt the communication? If so, that's not a particularly common scenario (although you may have very valid reasons for doing so). If you don't have a business need to authenticate clients with certificates, you could still encrypt communications while turning off client side certificate-based authentication which would solve your problem :)

According to the IIS Authentication documentation on MSDN:

IIS can also use SSL/TLS to authenticate the client by requiring the client to provide a certificate. When requesting a client certificate, the server provides the client with a list of CAs that the server trusts. This list is derived from the server's Certificate Trust List (CTL). If the client possesses a certificate issued by a CA from the CTL, it sends a copy of that certificate to the server for verification. If the certificate is valid, IIS authenticates the user that maps to the provided certificate. As such, you should limit the CTL on IIS to those CAs you determine to be truly trustworthy.

Is it at all possible that you have multiple CAs generating the client certificates, and for some reason one of them is not on the server's Certificate Trust List (CTL)?
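One way to check the hypothesis in that answer without touching the users' machines is to compare the CA names the server actually advertises in its TLS CertificateRequest against the issuer of each affected user's certificate. The script below is an added example, not part of the original question or answer: it parses the "Acceptable client certificate CA names" block in the shape printed by `openssl s_client -connect host:443` and compares each entry with issuer lines in the shape shown by `certutil -user -store My`. Every input here is a constructed sample; the host, CA names and user labels are placeholders, and the DN comparison is order-insensitive but does not handle escaped commas inside attribute values.

```python
"""
Added diagnostic example (not from the original page): does the issuer of
each client certificate appear in the list of CA names the server sends in
its TLS CertificateRequest?  A browser only offers certificates whose issuer
matches that list, so a mismatch explains a silently omitted certificate.

Inputs are constructed samples shaped like real tool output:
  - SERVER_HELLO_EXCERPT: the CA-names block as `openssl s_client` prints it
  - CLIENT_CERTS: issuer lines as `certutil -user -store My` prints them
"""

# Constructed: excerpt of `openssl s_client` output for a hypothetical IIS host.
SERVER_HELLO_EXCERPT = """\
Acceptable client certificate CA names
/C=US/O=Example Corp/CN=Example Corp Issuing CA 1
/C=US/O=Example Corp/CN=Example Corp Root CA
---
SSL handshake has read 3412 bytes and written 1234 bytes
"""

# Constructed: issuer of the client certificate on two hypothetical workstations.
CLIENT_CERTS = {
    "alice (works)": "CN=Example Corp Issuing CA 1, O=Example Corp, C=US",
    "bob (fails)": "CN=Example Corp Issuing CA 2, O=Example Corp, C=US",
}


def parse_dn(text: str) -> frozenset:
    """Normalise a distinguished name into an order-insensitive set of
    (ATTR, value) pairs so the OpenSSL slash form ('/C=US/O=Acme/CN=x')
    and the Windows comma form ('CN=x, O=Acme, C=US') compare equal.
    Simplification: attribute values containing ',' or '/' are not supported."""
    text = text.strip()
    parts = text[1:].split("/") if text.startswith("/") else text.split(",")
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        if attr.strip():
            pairs.append((attr.strip().upper(), value.strip()))
    return frozenset(pairs)


def advertised_cas(s_client_output: str) -> list:
    """Extract the CA names the server sent in its CertificateRequest.
    Returns [] when the server sent no list (OpenSSL prints
    'No client certificate CA names sent' in that case)."""
    cas = []
    in_block = False
    for raw in s_client_output.splitlines():
        line = raw.strip()
        if line.startswith("No client certificate CA names"):
            return []
        if line.startswith("Acceptable client certificate CA names"):
            in_block = True
            continue
        if in_block:
            if line.startswith("---") or not line:
                break
            cas.append(parse_dn(line))
    return cas


def check_clients(s_client_output: str, client_issuers: dict) -> dict:
    """Map each label to True when the certificate's issuer is one of the
    CAs the server advertises, i.e. the browser has a candidate to send."""
    accepted = set(advertised_cas(s_client_output))
    return {label: parse_dn(issuer) in accepted
            for label, issuer in client_issuers.items()}


if __name__ == "__main__":
    for label, ok in check_clients(SERVER_HELLO_EXCERPT, CLIENT_CERTS).items():
        verdict = "is" if ok else "is NOT"
        print(f"{label:15} issuer {verdict} in the server's advertised CA list")
```

In the constructed sample, Bob's certificate was issued by a second issuing CA that the server never advertises, which is exactly the "one CA missing from the CTL" situation the answer describes; Alice's issuer matches, so her browser has something to offer. Run the real `openssl s_client` against the SharePoint host and paste its CA-names block into `SERVER_HELLO_EXCERPT`, and the issuer lines from an affected user's `certutil` output into `CLIENT_CERTS`, to apply the same check to the actual environment.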