This is a migrated thread and some comments may be shown as answers.

Fiddler 'fixes' client certificate prompt - why?

Windows
Jimmy asked on 29 Sep 2017, 12:49 PM

Hi everyone...

I'm posting here partly out of desperation and partly because I've hit the upper limit of my knowledge and need to understand the issue I'm facing.

I have several users at my company who are based in Luxembourg and access a banking application that authenticates them via client certificates loaded from a smart card. A couple of weeks ago, Internet Explorer stopped prompting them for their client certificate when they navigate to the login page for the application.

Users at our London office who use the same application are not seeing this issue.

After a couple of days of troubleshooting using various methods, I installed Fiddler to attempt to gain some insight into the HTTPS transaction/SSL handshake to try and see where the problem is.

Prior to this, using Wireshark to analyse the transaction, I can tell that the Certificate Request is making it through to the workstation, along with the list of CAs trusted by the server. The client certificate is valid and present, as is the Root CA and Intermediate CA that issued the client cert.

However, Internet Explorer 11 refuses to prompt the user to select the valid certificate and therefore they are unable to access the application.

Where it gets interesting is that as soon as I run Fiddler and fire up the login page again, it behaves exactly as I would expect, and the client certificate prompt appears. Note that this behaviour is exhibited without a client certificate specified in Fiddler and with HTTPS decryption turned off. I feel like if I can get to the bottom of why exactly this works, I might be able to solve the main issue - but I'm at a dead end.

I would greatly appreciate any advice on what to look for next. When Fiddler is proxying the traffic, the issue goes away and IE prompts for the client cert. As soon as I turn it off, it stops again.

I have read nearly every post online I can find about client certificate prompts, etc., including many written by Eric. However, I just cannot seem to get to the bottom of why it's not happening.

Many thanks in advance. 

1 Answer, 1 is accepted

Ricardo
answered on 13 Feb 2018, 11:15 AM

Hi Jimmy,

I hope I am not too late.

Could this be related to the following link:

https://support.microsoft.com/en-us/help/2988411/client-certificate-request-fails-when-tls-1-2-and-1-1-secure-protocols

BR,

Ricardo
