IEInternals

A look at Internet Explorer from the inside out. @EricLaw left Microsoft in 2012, but was named an IE MVP in '13 & an IE userAgent (http://useragents.ie) in '14

Client Certificate Selection Prompt


The HTTPS protocol allows a secure server to request, during the initial secure handshake, that the client prove its identity with a client certificate. By presenting a client certificate, the browser helps defeat man-in-the-middle attacks and authenticates to the web server more strongly than it can with just a username and password.

Internet Explorer’s behavior when prompting for a certificate has changed in IE8, and in this post, I’ll quickly summarize what’s new.

When the server requests a certificate, the user may be shown a prompt dialog asking which certificate they would like to send. URLACTION_CLIENT_CERT_PROMPT (0x1A04) controls the browser’s prompting behavior; note that Enable means the “don’t prompt” option described below is turned on. By default, the URLAction is set to Enable in the Local Machine and Intranet zones, and to Disable in the Internet, Trusted Sites, and Restricted Sites zones.

When set to Enable:

  • If the user has no suitable client certificates, no prompt is shown, and no certificate is sent to the server
  • If the user has only one suitable client certificate, no prompt is shown, and that certificate is sent to the server
  • If the user has multiple suitable client certificates, the certificate selection prompt is shown

When set to Disable:

  • If the user has one or more suitable client certificates, the certificate selection prompt is shown
  • If the user has no suitable client certificates, IE6 and IE7 show an empty certificate selection prompt, while IE8 shows no prompt and sends no certificate to the server

Within the Tools > Internet Options > Security > Custom Level… UI, the explanatory text has been changed. In IE6 and IE7, it reads:

Do not prompt for client certificate selection when no certificates or only one certificate exists.

In IE8, it now reads:

Don't prompt for client certificate selection when only one certificate exists.

So, why was a change made for IE8? It turns out that a lot of servers would like to use a client certificate if one is available and, if not, fall back to having the user log in using HTML forms/cookie-based authentication. The empty certificate selection dialog confused users, and its only use was to indicate (in a very obtuse way) that the server would have liked to receive a client certificate but none was available.

Savvy readers might be wondering “Why does this URLAction need to exist in IE8? Now the only difference between Enable and Disable is the behavior when the user has exactly one certificate... Why not just send that certificate?”

The answer is “privacy.” While the server receiving the certificate doesn’t get the user’s private key, it does get all of the other information that is in that certificate. Such information often includes the user’s full name, and might include their phone number, email/physical address and other personally-identifiable information. If the browser automatically sent a certificate to any site that asked for it, a significant privacy breach would occur.

If the user wants to configure their browser to automatically send a certificate to a non-Intranet zone server, they can add the desired site to the Trusted Sites list and set the URLAction in the Trusted Sites zone to Enable.
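The following PowerShell is an added example, not code from the original post, for auditing and adjusting the 0x1A04 URLAction per zone. It assumes the standard per-user IE zone registry layout (values named by the hex action id under HKCU, with 0 = Enable, 1 = Prompt, 3 = Disable, and zone ids 0 through 4 as listed in the comments); values set via Group Policy or under HKLM are not reflected.

```powershell
# Added example, not code from the original post. Reads and sets the per-user
# (HKCU) value for URLACTION_CLIENT_CERT_PROMPT, 0x1A04, in each IE zone.
# Assumed layout (standard IE zone registry): the value is named by the action
# id in hex, 0 = Enable, 1 = Prompt, 3 = Disable; zone ids are 0 Local Machine,
# 1 Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites. A policy set under
# HKLM or via Group Policy is not reflected here.

$ZonesKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActionId  = '1A04'
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$Labels    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Defaults as the post states them: Enable in zones 0 and 1, Disable in 2, 3 and 4.
$Defaults  = @{ 0 = 0; 1 = 0; 2 = 3; 3 = 3; 4 = 3 }

function Get-ClientCertPromptPolicy {
    foreach ($zone in 0..4) {
        $key   = Join-Path $ZonesKey $zone
        $value = (Get-ItemProperty -Path $key -Name $ActionId -ErrorAction SilentlyContinue).$ActionId
        if ($null -eq $value) { $value = $Defaults[$zone] }   # absent value => built-in default
        $label = if ($Labels.ContainsKey([int]$value)) { $Labels[[int]$value] } else { "Unknown ($value)" }
        [pscustomobject]@{
            Zone        = $ZoneNames[$zone]
            Setting     = $label
            AutoSendOne = ([int]$value -eq 0)   # Enable: a single suitable cert is sent without a prompt
            NonDefault  = ([int]$value -ne $Defaults[$zone])
        }
    }
}

function Set-ClientCertPromptPolicy {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Setting
    )
    $code = if ($Setting -eq 'Enable') { 0 } else { 3 }
    Set-ItemProperty -Path (Join-Path $ZonesKey $Zone) -Name $ActionId -Value $code -Type DWord
}

Get-ClientCertPromptPolicy | Format-Table -AutoSize

# The configuration the post suggests: after adding the site to Trusted Sites,
# let IE send the single suitable certificate to that zone without prompting.
# Set-ClientCertPromptPolicy -Zone 2 -Setting Enable
```

Zones reporting AutoSendOne as True will send a lone matching certificate, with whatever identifying fields it carries, to any site in that zone without asking.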

-Eric

PS: At some later time, I’ll probably elaborate on what specifically “suitable client certificate” means, because that question comes up a lot.

  • I'm looking for the same as Simon. Basically is there a registry setting to force use of the legacy certificate selection dialogue?

  • @Mat: The flag CRYPTUI_SELECTCERT_LEGACY is never set by IE or WinINET, so no, I'm not aware of any such registry setting.

    @Simon: There's no good way to replace this dialog when running in IE. For other hosts of the web browser control, it may be possible to implement IHttpNegotiate3, as described here: msdn.microsoft.com/.../dd433052(VS.85).aspx

  • I am not sure if my question is answered above...

    I have Windows 2003 Server, IIS 6 and 3 sites, only one with HTTPS enabled (the only one I care about). In Site Properties => Directory Security => Secure communications => Edit => Client Certificates => I have the "Ignore client certificates" option selected.

    (I don't use client certificates at all.)

    In IE 6 & 7, if the "Do not prompt for client certificate selection when no certificates or only one certificate exists." option is set to "Disable", the empty certificate window is displayed; in IE 8 it is not displayed.

    What I want is for the empty certificate box not to be displayed in IE6/7. Is there an option in IIS to set this up (instead of on each client computer)?

    Thank you in advance

  • @Raul: Your IIS server is not configured properly. IE will only show the client certificate prompt if the server is asking for a client certificate. It certainly looks like "Ignore client certificates" is the proper option to set but I'm not an IIS expert. You should ask your question in an IIS newsgroup or on http://serverfault.com/

  • Hi Eric,

    Just wanted to let you know that I am also and still interested in the exact definition of "suitable client certificate". I guess it has something to do with the issuer of the certificate + which issuers the server regards as creditable, but I could never figure out how this works exactly, especially as I am trying to configure an SAP server - which is rather less user-friendly in regard to configuration options.

    Thanks,

    Oliver

  • I would like to add my voice to the other users. What is the definition of a "suitable client certificate"? There must be some sort of protocol where the server tells the client what CAs it recognizes, but this to me seems like a serious security breach. How does IE determine which client certificates to display in the prompt?

  • It's really not that complicated: The server returns a list of acceptable CAs in its HTTPS handshake, and the client also filters out (by default) those client certificates which are expired or otherwise invalid. I'm not sure what "breach" you're concerned about?
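As an added illustration of the filtering described in the reply above (not code from the post or from IE itself), this PowerShell models "suitable" as: issued by one of the CAs the server named, currently within its validity period, and backed by a private key (the last criterion is an assumption, since a certificate without one cannot complete the handshake). The acceptable-CA list is constructed inline; on a real connection it comes from the server's CertificateRequest.

```powershell
# Added example, not IE's actual algorithm. Models the "suitable client
# certificate" filter from Eric's reply: issuer in the server's acceptable-CA
# list and not expired/not yet valid. HasPrivateKey is an added assumption.
function Get-SuitableClientCertificate {
    param(
        [Parameter(Mandatory)][string[]]$AcceptableIssuer,   # DNs the server sent
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Candidate =
            (Get-ChildItem -Path Cert:\CurrentUser\My),       # the user's personal store
        [datetime]$Now = (Get-Date)
    )
    foreach ($cert in $Candidate) {
        $reasons = @()
        # Real clients compare the encoded issuer name; this display-string
        # comparison is an approximation and is sensitive to RDN ordering.
        if ($AcceptableIssuer -notcontains $cert.Issuer) { $reasons += 'issuer not in server CA list' }
        if ($cert.NotBefore -gt $Now)                     { $reasons += 'not yet valid' }
        if ($cert.NotAfter  -lt $Now)                     { $reasons += 'expired' }
        if (-not $cert.HasPrivateKey)                     { $reasons += 'no private key' }
        [pscustomobject]@{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            Suitable = ($reasons.Count -eq 0)
            Reason   = ($reasons -join '; ')
        }
    }
}

# Constructed sample input: pretend the server's CertificateRequest named these two CAs.
$serverCAs = @('CN=Contoso Issuing CA, O=Contoso', 'CN=Example Corp Client CA, O=Example Corp')
$report = Get-SuitableClientCertificate -AcceptableIssuer $serverCAs
$report | Format-Table -AutoSize

# Map the count onto the post's rules: 0 suitable => no prompt and nothing sent;
# 1 => sent silently (Enable) or prompted (Disable); 2 or more => selection prompt.
$suitableCount = @($report | Where-Object Suitable).Count
"Suitable certificates: $suitableCount"
```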

  • Can you explain how tabbed browsing affects IE's behavior related to displaying the client cert selection dialog?  It appears that IE9 will reprompt for client certificate if I open the same page in a new tab.  Is there any way to change this behavior?  If I open a client cert protected page in one tab and then open another tab to the same server, I'd like IE to automatically send the cert that I already chose.

    [EricLaw]: I think you asked this question and I answered over here.
