IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Client Certificate Selection Prompt

The HTTPS protocol allows a secure server to request that the client prove its identity with a client certificate during the initial secure handshake. By presenting a client certificate, the browser helps further defeat man-in-the-middle attacks and authenticates to the web server more securely than when using just a username and password.

Internet Explorer’s behavior when prompting for a certificate has changed in IE8, and in this post, I’ll quickly summarize what’s new.

When the server requests a certificate, the user may be shown a prompt dialog asking which certificate they would like to send. URLACTION_CLIENT_CERT_PROMPT (0x1A04) controls the browser's prompting behavior. By default, this URLAction is set to Enable in the Local Machine and Intranet zones, and to Disable in the Internet, Trusted, and Restricted zones.

When set to Enable:

  • If the user has no suitable client certificates, no prompt is shown, and no certificate is sent to the server
  • If the user has only one suitable client certificate, no prompt is shown, and that certificate is sent to the server
  • If the user has multiple suitable client certificates, the certificate selection prompt is shown

When set to Disable:

  • If the user has one or more suitable client certificates, the certificate selection prompt is shown, and

…in IE6 and IE7:

  • If the user has no suitable client certificates, an empty certificate selection prompt is shown

…in IE8:

  • If the user has no suitable client certificates, no prompt is shown, and no certificate is sent to the server

Within the Tools > Internet Options > Security > Custom Level… UI, the explanatory text has been changed. In IE6 and IE7, it reads:

Do not prompt for client certificate selection when no certificates or only one certificate exists.

In IE8, it now reads:

Don't prompt for client certificate selection when only one certificate exists.

So, why was a change made for IE8? It turns out that a lot of servers would like to use a client certificate if available and if not, they would like to have the user log in using HTMLForms/cookie-based authentication. The empty certificate selection dialog confused users and was only useful to indicate (in a very obtuse way) that the server would have liked to have received a client certificate but no certificate was available.

Savvy readers might be wondering “Why does this URLAction need to exist in IE8?  Now, the only difference between Enable and Disable is the behavior when the user has only one certificate... Why not just send that certificate?”

The answer is “privacy.” While the server receiving the certificate doesn’t get the user’s private key, it does get all of the other information that is in that certificate. Such information often includes the user’s full name, and might include their phone number, email/physical address and other personally-identifiable information. If the browser automatically sent a certificate to any site that asked for it, a significant privacy breach would occur.

If the user wants to configure their browser to automatically send a certificate to a non-Intranet zone server, they can add the desired site to the Trusted list, and set the URLAction in the Trusted zone to Enable.
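To see how this URLAction is actually configured on a machine, here is an added PowerShell audit script (not from the original post). It assumes, as I understand the registry layout, that per-zone URL actions are stored as DWORD values named by the action's hex id (here "1A04") under the Internet Settings\Zones\<zone> key, with 0 = Enable, 1 = Prompt and 3 = Disable; the second function approximates the "suitable certificate" question by listing user certificates that carry the Client Authentication EKU, which the post does not formally define.

```powershell
# Audit URLACTION_CLIENT_CERT_PROMPT (0x1A04) per IE security zone (added example, not from the post).
# Assumption: per-zone URL actions live as DWORD values named by their hex id under
# ...\Internet Settings\Zones\<zone>, and 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneNames   = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$Meaning     = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Defaults as described in the post, reported when the value is absent from the hive.
$PostDefault = @{ 0 = 'Enable'; 1 = 'Enable'; 2 = 'Disable'; 3 = 'Disable'; 4 = 'Disable' }

function Get-ClientCertPromptPolicy {
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $base = "$($Hive):\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
    foreach ($zone in 0..4) {
        $key = Join-Path $base $zone
        $raw = (Get-ItemProperty -Path $key -Name '1A04' -ErrorAction SilentlyContinue).'1A04'
        $setting = if ($null -eq $raw) { "$($PostDefault[$zone]) (value absent, post default)" }
                   elseif ($Meaning.ContainsKey([int]$raw)) { $Meaning[[int]$raw] }
                   else { "Unknown ($raw)" }
        # Enable outside Local Machine/Intranet means a lone certificate is sent to any
        # requesting site in that zone without asking: the privacy concern the post describes.
        $risk = ($zone -ge 2 -and $setting -like 'Enable*')
        [pscustomobject]@{
            Hive = $Hive; Zone = $zone; Name = $ZoneNames[$zone]
            ClientCertPrompt = $setting; AutoSendsSingleCert = $risk
        }
    }
}

# Certificates IE could plausibly offer: private key present, not expired, and carrying the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2) or anyExtendedKeyUsage (2.5.29.37.0).
# This is an approximation; the post defers the exact definition of "suitable".
function Get-ClientAuthCandidateCerts {
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2' -or
         $_.EnhancedKeyUsageList.ObjectId -contains '2.5.29.37.0')
    } | Select-Object Subject, FriendlyName, NotAfter, Thumbprint
}

Get-ClientCertPromptPolicy -Hive HKCU | Format-Table -AutoSize
$candidates = @(Get-ClientAuthCandidateCerts)
$candidates | Format-Table -AutoSize
"{0} candidate client-auth certificate(s); with Enable, IE8 prompts only when more than one exists." -f $candidates.Count
```

Run it once under the user's context (HKCU) and once with -Hive HKLM to compare, since zone settings can be enforced from the machine hive by policy.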

-Eric

PS: At some later time, I’ll probably elaborate on what specifically “suitable client certificate” means, because that question comes up a lot.

  • I know this isn't the best place to ask, but I don't know where else (can't post anything in MS Connect).

    Is there any plan for an IE feature that allows you to display two tabs at the same time within the same window? I have a relatively large, wide display and would like to view two webpages at the same time, in order to compare (e.g. compare two similar products). Going back and forth between two tabs is tedious. Launching a second instance of IE seems a bit silly, considering the multi-tab UI.

    Visual Studio has had such a feature (vertical/horizontal tab groups) for quite some time ... Synchronized scrolling would make it even better ... ;-)

  • @LookingForSolutions: As a general rule, you will never see pre-release feature announcements on the IEInternals blog. As to your specific question: yes, we've heard this request before, and yes, we know why it would be useful for certain scenarios. I believe there may be a few browser add-ons that offer this feature, but unfortunately I've never tried any of them myself.

  • We have an issue where an authentication request by the web server results in the IE certificate selection list being presented to the user.  They have two certificates available on their smart card (a signing cert and an authentication/logon cert).  The users don't know which one to choose.  Is there a way to default to the authentication cert based on EKU or something?  

  • We have a mix of IE6 and IE7 in the shop although IE6 is quickly on the way out.

    The authentication cert EKUs:

    Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

    Client Authentication (1.3.6.1.5.5.7.3.2)

    All Usages (2.5.29.37.0)

    The second is a signing cert with key usage of digital signature & non-repudiation

    It would be a big win if I could default to the auth cert with the client authentication EKU and avoid the selection prompt.

  • @Greg: These two topics describe the filtering options you have by setting the Feature_ClientAuthCertFilter registry key.

    http://support.microsoft.com/kb/890326

    http://blogs.msdn.com/askie/archive/2009/06/09/my-expired-client-certificates-no-longer-display-when-connecting-to-my-web-server-using-ie8.aspx

  • Unfortunately, the filters don't seem to address the use case I'm looking for unless I misread the options.  If I have an application that requires client authentication I don't want to see a prompt that includes things such as digital signing certs.  I would prefer defaulting to the cert with client authentication EKU thus shielding the end user from yet another decision point which they do not understand well.

  • Hello,

    In the past, some MS application displayed the common name of the client certificate in the certificate selection, while others displayed the "friendly name" of the client certificate.

    It seems that IE under windows 7 would use the friendly name in the client certificate selection.

    My questions:

    1. Will this be standardized across MS Office and IE products? If yes, where could I find the detailed information for the various products?

    2. For internet explorer:

    a. Is the max length of the CN effectively displayed by default in the client certificate selection window documented? If yes, where could I find that information?

    b. Is the max length of the Friendly name effectively displayed by default in the client certificate selection window documented? If yes, where could I find that information?

    thanks in advance for any information.

    Fred

  • Thanks, but PLEASE do "elaborate on what specifically “suitable client certificate” means". That is a topic I've been waiting to find explained for a long time :-)

    Regards

    Wojciech

  • Thanks for a great post. Can you continue with the "suitable client certificate" definition? Our enterprise certificates appear in the prompt with IE 6/7 over XP and they don't with IE8.

  • Wojciech/Dennis-- It's on my TODO list, I'll get to it as soon as I can.

  • I, too, am interested to know what a "suitable client certificate" is and also why the prompt does not appear when, in fact, I just might have my certificate on a USB key or floppy disk. Am I misunderstanding how client certificates work in that they must somehow be imported onto a workstation in order for them to become available? This would seem like a bad idea.

  • Wade: By default, the certificate-selection prompt is not shown if you do not have a certificate in either the Windows Certificate store, or a currently-inserted SmartCard.

    As mentioned in the post above: "It turns out that a lot of servers would like to use a client certificate if available and if not, they would like to have the user log in using HTMLForms/cookie-based authentication. The empty certificate selection dialog confused users and was only useful to indicate (in a very obtuse way) that the server would have liked to have received a client certificate but no certificate was available."

  • Guys,

    My users access a website which normally would require a certificate. When I click on the relevant link it would normally prompt me to select the certificate; it doesn't do so and as a result I get the Page Cannot Be Displayed page in IE 6 or 7. I have tried accessing the site from my home and there are no issues, it does what it's supposed to do.

    I am at a loss why this is happening. Any recommendations?

  • Hi,

    When talking about the IE certificate selection dialog... Is there a way to customize the bitmap showing a chip? I ask because we have a neat credential provider displaying different bitmaps depending on the issuer/Subject of the client certificates. This feature is visible at logon, for the MS VPN client, and when selecting a certificate for RDP. But the certificate selection dialog in IE is not affected. So, can we modify this in IE or is it "in the code"?

    Best regards,

    /Jonas from Sweden

  • Hi there

    The certificate selection dialogue in IE6/7 used a neat 2-column format, which we managed to intercept and make the right certificate selection for the user, improving usability for the user. The new dialogue (Windows 7, IE8) does not separate out the data and we are struggling to make the auto-selection. Is there any way to revert to the old dialogue, or replace the prompt with our own dialogue?

    Thanks,

    Simon.
