Hi all,

A customer of mine was using some web pages to enroll certificates. When using them on Windows 7 and IE8/IE9, they got a popup dialog with a message like the following:

---------------------------
Web Access Confirmation
---------------------------
This Web site is attempting to perform a digital certificate operation on your behalf:

https://myserver/certsrv/certrqma.asp

You should only allow known Web sites to perform digital certificate operations on your behalf.

Do you want to allow this operation?
---------------------------
Yes   No  
---------------------------

They were wondering if there was a way to get rid of this security warning, in order to get a seamless certificate enrollment experience. They managed to do this on Vista SP2 with IE7/IE8 by adding the site to the trusted sites zone and, for that zone, enabling “Initialize and script ActiveX controls not marked as safe for scripting”. If they changed it back to Disabled, the popup returned. But that didn't work on Windows 7.

And the answer is NO, we cannot disable this security warning on Windows 7. The enrollment is done by the CertEnroll control. This control will always show the security warning when running within a browser. This is by design.

Actually, if CertEnroll cannot show that warning for some reason, it will just stop working. That is what happened in this bug I worked on some time ago:

The CertEnroll control does not work in Internet Explorer 8 on a computer that is running Windows 7 or Windows Server 2008 R2

The only way to get rid of this warning is to use CertEnroll outside the browser, e.g. in a WinForms app. I've seen some people in the past using ClickOnce apps to enroll certs without user interaction. Those apps were accessed via the web, but CertEnroll itself was not running in the browser.
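As an added illustration (not code from the original post), here is the same out-of-browser idea using a local PowerShell script that drives the CertEnroll COM object directly. It assumes a domain-joined client, a reachable enterprise CA, and a certificate template named `User` that the caller is allowed to enroll for; the function name and template name are placeholders.

```powershell
# Added example (not from the original post): CertEnroll driven from a local
# script host instead of a web page.
# Assumptions: domain-joined client, reachable enterprise CA, and a template
# named 'User' that the caller may enroll for (placeholder name).

$ContextUser    = 0x1    # X509CertificateEnrollmentContext.ContextUser
$StatusEnrolled = 0x1    # EnrollmentEnrollStatus.Enrolled
$StatusPended   = 0x2    # EnrollmentEnrollStatus.EnrollPended

function Request-UserCertificate {
    param([string]$TemplateName = 'User')

    $enroll = New-Object -ComObject X509Enrollment.CX509Enrollment
    try {
        # Build the request from the template's settings (key size, EKUs, ...).
        $enroll.InitializeFromTemplateName($ContextUser, $TemplateName)

        # Generate the key pair, submit to the CA and install the response.
        $enroll.Enroll()

        $status = $enroll.Status
        if     ($status.Status -eq $StatusEnrolled) { $result = 'Enrolled' }
        elseif ($status.Status -eq $StatusPended)   { $result = 'Pending CA manager approval' }
        else   { $result = 'Not enrolled (status 0x{0:X})' -f $status.Status }

        New-Object PSObject -Property @{
            Template = $TemplateName
            Result   = $result
            Detail   = $status.Text
        }
    }
    catch {
        # Enroll() surfaces CA and policy failures as COM errors (HRESULTs).
        New-Object PSObject -Property @{
            Template = $TemplateName
            Result   = 'Failed'
            Detail   = $_.Exception.Message
        }
    }
    finally {
        # Release the COM object so the script host does not keep it alive.
        [void][Runtime.InteropServices.Marshal]::ReleaseComObject($enroll)
    }
}

Request-UserCertificate -TemplateName 'User'
```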

And why do those settings work on Vista SP2? I debugged CertEnroll in both Vista SP2 and Win7, and saw that the code is different. Vista shows the warning in a different place/function. That function is affected by the configuration of Internet Explorer. When we enable “Initialize and script ActiveX controls not marked as safe for scripting”, that function thinks we are not in a web environment, and it won’t show the dialog.

But wait, that is what happens on Vista SP2 RTM. I checked the latest source code for Vista, the one that includes the hotfixes we released recently, and I could see that we have updated the CertEnroll code! Now on newer versions of CertEnroll for Vista, we will always show the security warning too, regardless of IE configuration!

The CertEnroll version for Vista SP2 RTM is 6.0.6002.18005. So in my environment I installed this newer version I found:

983557 Error message when you try to request a certificate in Windows Vista or in Windows Server 2008: "The filename or extension is too long. (0x800700CE)"
"Certenroll.dll  6.0.6002.22401"

And with that new version it doesn't matter whether or not I enable “Initialize and script ActiveX controls not marked as safe for scripting”. I will always see the security warning!

So summing up, we cannot get rid of the security warning on Windows 7, and we have updated Windows Vista to behave in the same way.

I hope this helps.

Regards,

 

Alex (Alejandro Campos Magencio)