Fiddler stripped out client auth cert during Modern Auth testing

4 posts, 0 answers
  1. Dave
    2 posts
    Member since:
    Mar 2019

    Posted 20 Mar Link to this post

    I'm trying to trace a client issue with Modern Auth using certificate-based authentication for Office 365, and I've set up Fiddler to intercept traffic between the device and the ADFS server. However, it seems that Fiddler is stripping the client cert when the ADFS server requests it. Is there any way around this, or is it just a side effect of doing SSL interception?
  2. Simeon
    Admin
    228 posts

    Posted 27 Mar Link to this post

    Hi,

    When using Client Certificate authentication, the client sends a certificate to the server to cryptographically prove the identity of the user. One of the key design goals of Client Certificate authentication is to prevent network intermediaries (like Fiddler) from abusing the client’s credentials. Even if the client application sent its certificate to Fiddler, Fiddler cannot successfully reuse that certificate to respond to the server’s demand, because the client never provides Fiddler with its private key.

    To resolve this limitation, you can supply any necessary client certificates and private keys directly for Fiddler to use when handshaking with the server. By default, if a server prompts the client for a certificate, Fiddler will look inside the %USERPROFILE%\Documents\Fiddler2\ folder for a file named ClientCertificate.cer and will use that certificate when responding to the server’s certificate demand.

    In some cases, you may want to use a different client certificate for each secure connection. To do so, specify the location of the certificate using the https-Client-Certificate property on the CONNECT tunnel to the secure server. For instance, you can write code like this:

    static function OnBeforeRequest(oSession: Session)
    {
      // The client certificate is chosen per CONNECT tunnel, i.e. before the TLS
      // handshake with the secure server begins.
      if (oSession.HTTPMethodIs("CONNECT"))
      {
        if (oSession.HostnameIs("exampleA"))
        {
          // Path to a .CER that references a cert in the Windows Personal store
          oSession["https-Client-Certificate"] = "C:\\certs\\CertA.cer";
        }
        else if (oSession.HostnameIs("exampleB"))
        {
          oSession["https-Client-Certificate"] = "C:\\test\\CertB.cer";
        }
      }

      //...
    }

    The .CER file does not contain the private key associated with the certificate’s public key. Instead, the .CER file merely acts as reference to Windows’ Personal Certificates store. The Windows certificate store holds the private key associated with the certificate and releases it only as needed.

    If the desired certificate isn't yet installed in the Personal Certificates store (e.g. you only have a .pfx file) you must first import it into the certificate store, then export a .CER file. After your certificate is installed, simply right-click the certificate and choose All Tasks > Export…. Save the .CER file to either the default ClientCertificate.cer location or the location you specify in the https-Client-Certificate flag.

    Regards,
    Simeon
    Progress Telerik
    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug is fixed? Explore the Telerik Feedback Portal and vote to affect the priority of the items.
  3. Dave
    2 posts
    Member since:
    Mar 2019

    Posted 27 Mar in reply to Simeon Link to this post

    Thank you Simeon, very informative. One question, do I need to have the cert/private key in the personal store of the user account running Fiddler, or on the computer cert store?
  4. Simeon
    Admin
    228 posts

    Posted 27 Mar Link to this post

    In the personal store is better in general but it depends on your needs.

    Regards,
    Simeon
    Progress Telerik
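The import/export procedure Simeon describes in his first reply, together with the store choice from his last one, scripted as an added example (this is not code from the thread or from Telerik). It imports a .pfx into the current user's Personal store (Cert:\CurrentUser\My), exports the matching .CER to Fiddler's default ClientCertificate.cer location, and then checks the two properties the thread relies on: the private key stays in the store, and the .CER on disk carries no private key but has the same thumbprint. The .pfx path is an assumption; the .CER path is Fiddler's default from the reply above.

```powershell
# Added example, not part of the original thread. Requires the PKI module
# (Import-PfxCertificate / Export-Certificate), present on Windows 8 / Server 2012 and later.
param(
    # Assumed location of the PFX that holds the client-auth cert and its private key.
    [string]$PfxPath = "$env:USERPROFILE\Documents\client-auth.pfx",
    # Fiddler's default lookup path for a client certificate.
    [string]$CerPath = "$env:USERPROFILE\Documents\Fiddler2\ClientCertificate.cer"
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $PfxPath)) {
    throw "PFX not found: $PfxPath"
}

$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Import into the user's Personal store. Fiddler runs as the interactive user,
# so the key material needs to be reachable from CurrentUser\My, which is the
# store Simeon recommends in general.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation 'Cert:\CurrentUser\My' `
                              -Password $pfxPassword

if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) was imported without a private key; Fiddler cannot answer the server's certificate request with it."
}

# Sanity checks a practitioner wants before blaming Fiddler for a failed handshake.
if ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Certificate $($cert.Thumbprint) expired on $($cert.NotAfter)."
}
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ekus = @($cert.EnhancedKeyUsageList)
if ($ekus.Count -gt 0 -and -not ($ekus.ObjectId -contains $clientAuthOid)) {
    Write-Warning 'Certificate has an EKU list that does not include Client Authentication; the server may reject it.'
}

# Export only the public certificate (DER-encoded .CER). The private key stays
# in the store and is released by Windows as needed, as described in the thread.
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $CerPath) | Out-Null
Export-Certificate -Cert $cert -FilePath $CerPath -Type CERT | Out-Null

# Verify what landed on disk: same certificate, no private key in the file.
$exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
if ($exported.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported .CER thumbprint $($exported.Thumbprint) does not match the store cert $($cert.Thumbprint)."
}
if ($exported.HasPrivateKey) {
    throw 'The exported .CER unexpectedly contains a private key; do not hand this file to Fiddler.'
}

Write-Host "Installed $($cert.Subject) [$($cert.Thumbprint)] in Cert:\CurrentUser\My"
Write-Host "Wrote public cert to $CerPath for Fiddler's client-certificate lookup"
```

Run it as the same Windows user that launches Fiddler; if the certificate only exists in the computer store (Cert:\LocalMachine\My), the export step still works but the handshake can fail because the user process has no access to that private key, which is the distinction Dave asked about.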