select a cert

5 posts, 0 answers
  1. Jason
    3 posts
    Member since:
    Jun 2015

    Posted 28 Jun 2015

    I have a sporadic problem on an HTTPS site that requires a client CAC cert.  The problem started a few months ago.  At any given time, IE will prompt the user (Windows Security) to select their cert and press OK to continue on.

    Problem is - it just keeps re-prompting for the cert - an endless loop when they press OK. It just keeps prompting them to select the cert again over and over.  They have to kill the browser in Task Manager and restart IE.  I CANNOT automatically re-create this problem on the fly.  It sporadically happens.  Maybe on the first attempt, may happen in 5 minutes or may take 2 hours, or maybe not for the whole day as the user works in the site.  When this problem has happened to me, I have opened Control Panel -> Internet Options -> and have cleared the SSL state, but it ignores when I select the cert and press OK.  It just keeps prompting me to select a cert.

    I am trying to figure out if the SSL state cache is not being cached, getting dumped, corrupted, network issues, etc. - OR if there is something wrong with the Windows Security choose-certificate GUI box (WinINET) that is causing the problem.

    I have dumped the regular cert that I use for the authentication in the Fiddler directory (ClientCertificate.cer), but would like Fiddler to allow the Windows Security GUI to let me choose which cert I use (like it does when Fiddler isn't running).  Any clues or a way I can make Fiddler use the Windows select-cert box (like normal)?

       Thanks,

          Jason


  2. Jason
    3 posts
    Member since:
    Jun 2015

    Posted 28 Jun 2015

    Wanted to also add:

       This is happening to most clients (hundreds) at sporadic times.  Problem is - their administrators always push Windows updates, so I don't know if a Windows update caused this a few months ago, network changes, etc.  I have done the obvious by deleting certs and adding them back in the browser, clearing SSL state, but nothing fixes the problem.  Also - the user(s) have very little admin rights on their PC, so they can't go into Trusted Sites, etc.   I do know that our domain is listed in the Trusted Sites location.  It has always worked fine for the last 10 years before a few months ago.  We have very little visibility on the network or admin configuration on their PCs...

        Jason

  3. Eric Lawrence
    Admin
    833 posts

    Posted 29 Jun 2015

    Hello, Jason--

    This sounds like mostly an issue for the WinINET and SChannel teams at Microsoft; getting a packet capture trace of the scenario (without Fiddler involved) may help clarify what specifically is happening on the client side.

    If you put the client certificate in Fiddler's folder, does everything work without any problems at all, or do you find that periodically authentication starts failing completely? If authentication always works in this case, that points to one type of problem; if it periodically fails in the Fiddler configuration, that points to a different type of problem.

    By default, Fiddler doesn't support prompting for client certificates via the UI. However, if you'd like, you can install an extension that does this.

      1. Download http://fiddlerbook.com/dl/ClientCertPicker.zip
      2. In Windows Explorer, right-click the file, choose Properties. Click the "Unblock" button at the bottom of the window.
      3. Open the ZIP file and extract ClientCertPicker.dll to the %USERPROFILE%\Documents\Fiddler2\Scripts folder.
      4. Restart Fiddler. Fiddler will now prompt for a certificate.

    If you're interested in the source code for this extension, please see http://fiddler.wikidot.com/certpicker

    Regards,
    Eric Lawrence
    Telerik
  4. Jason
    3 posts
    Member since:
    Jun 2015

    Posted 29 Jun 2015 in reply to Eric Lawrence

    Thanks for the reply Eric.

    I think Fiddler gave me a "hint" of what is happening and I'll let you give your opinion on this.

    I was able to re-create the error after many tries.  Fiddler responded with an "Ignore remote certificate error" GUI telling me that "The remote server (xxx.xxx.xxx.xxx) presented a certificate that did not validate, due to RemoteCertificateNameMismatch."

    The SUBJECT: CN=xxx.xxx.xxx.xxx is different from the "xxx.xxx.xxx.xxx" above.

    This might tell me that there might be a network "load balancer" or some other server that is switching URLs on me based on the name or IP.  At one time the first xxx.xxx.xxx.xxx used to be what the second xxx.xxx.xxx.xxx was - if that makes sense to you.  This was renamed/re-mapped some years ago.  Odd though that this problem just started a few months ago.  I'll let you take a guess - if you will.


       Thanks,

          Jason


  5. Eric Lawrence
    Admin
    833 posts

    Posted 30 Jun 2015

    Hi, Jason--

    Yes, if a server starts presenting a different (and especially an invalid) certificate for new connections, it's entirely possible that could cause the browser to abandon the user's prior selection of a client certificate and force them to choose a new one.

    A properly functioning HTTPS server will never respond with an incorrect certificate, so you'll definitely want to look into that.

    Regards,
    Eric Lawrence
    Telerik
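A way to confirm the diagnosis in the two posts above from the client side, added here as an example (not code from Eric Lawrence, Fiddler, or the original thread): handshake with the site repeatedly, record which certificate each connection receives, and flag connections whose certificate does not name the host, which is what a load balancer with one misconfigured backend would produce. Only the Python standard library is used; the hostnames and fingerprints in the sample data are constructed, not real.

```python
import collections, hashlib, socket, ssl

def name_matches(host, name):
    # Exact match, or a single-label wildcard in the leftmost position (RFC 6125 style).
    host, name = host.lower().rstrip("."), name.lower().rstrip(".")
    if name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == name[2:]
    return host == name

def cert_names(cert):
    # Subject CN plus DNS SANs from an ssl.SSLSocket.getpeercert() dict.
    names = {v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    names |= {v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    return names

def fetch_observation(host, port=443, timeout=5):
    # One handshake; hostname checking is off so a mismatched cert is recorded rather
    # than raised, but chain validation stays on (an untrusted chain still raises).
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"fingerprint": hashlib.sha256(der).hexdigest(),
                    "names": cert_names(tls.getpeercert())}

def analyze(host, observations):
    # Flag handshakes whose cert does not name the host, and count distinct certs seen.
    fingerprints = collections.Counter(o["fingerprint"] for o in observations)
    mismatches = sum(1 for o in observations
                     if not any(name_matches(host, n) for n in o["names"]))
    return {"samples": len(observations), "distinct_certs": len(fingerprints),
            "name_mismatches": mismatches,
            "consistent": len(fingerprints) == 1 and mismatches == 0}

# Constructed sample (not real hosts): four handshakes to one name, one of them answered
# by a backend still carrying a certificate issued for the old name.
SAMPLE_HOST = "portal.example.test"
SAMPLE_OBSERVATIONS = [
    {"fingerprint": "aa" * 32, "names": {"portal.example.test"}},
    {"fingerprint": "aa" * 32, "names": {"portal.example.test"}},
    {"fingerprint": "bb" * 32, "names": {"oldname.example.test"}},
    {"fingerprint": "aa" * 32, "names": {"portal.example.test"}},
]

def sample_cert_consistency(host, samples=20):
    # Live use: repeat the handshake so a load balancer's other backends get a turn.
    return analyze(host, [fetch_observation(host) for _ in range(samples)])
```

Run `sample_cert_consistency` against the affected site from an affected client; `distinct_certs` above 1 or any `name_mismatches` points at the server side, matching the RemoteCertificateNameMismatch Fiddler reported.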