Discussion:
Schannel client authentication problem with optional client certificate
el_noir
2008-11-19 15:23:06 UTC
I'm developing an application with Schannel secure connection, where
the server may ask for a client to authenticate itself with a
certificate.
My goal is the following: The user may have an eToken to authenticate
with, but it should not be required.
When InitializeSecurityContext sees the certificate request response
from the server during the handshake, it tries to access the
certificate which was copied into the certificate store by the eToken
driver. How can I bypass this default behaviour?
When I set a certificate in the SCHANNEL_CRED struct it will be used
as intended, but when I leave it empty, InitializeSecurityContext
still tries to access the certificate.
Has anyone got ideas or workarounds for what to do?
DaveMo
2008-11-19 16:15:53 UTC
Post by el_noir
I'm developing an application with Schannel secure connection, where
the server may ask for a client to authenticate itself with a
certificate.
My goal is the following: The user may have an eToken to authenticate
with, but it should not be required.
When InitializeSecurityContext sees the certificate request response
from the server during the handshake, it tries to access the
certificate which was copied into the certificate store by the eToken
driver. How can I bypass this default behaviour?
When I set a certificate in the SCHANNEL_CRED struct it will be used
as intended, but when I leave it empty, InitializeSecurityContext
still tries to access the certificate.
Has anyone got ideas or workarounds for what to do?
From MSDN: InitializeSecurityContext

ISC_REQ_USE_SUPPLIED_CREDS
Schannel must not attempt to supply credentials for the client
automatically.

HTH,
Dave
el_noir
2008-11-19 16:55:15 UTC
Post by DaveMo
From MSDN: InitializeSecurityContext
ISC_REQ_USE_SUPPLIED_CREDS
Schannel must not attempt to supply credentials for the client
automatically.
HTH,
Dave
Thanks for the help, it solved my problem!
(It seems I was too tired today when I read the docs :) )
el_noir
2008-11-20 08:28:45 UTC
It seems it's working, but I still have an issue.
When an eToken is inserted, and I try to authenticate the user
without a certificate (ISC_REQ_USE_SUPPLIED_CREDS was set), then
InitializeSecurityContext still tries to access the token.
How can I force the ISC not to use the token?
DaveMo
2008-11-20 12:52:27 UTC
Post by el_noir
It seems it's working, but I still have an issue.
When an eToken is inserted, and I try to authenticate the user
without a certificate (ISC_REQ_USE_SUPPLIED_CREDS was set), then
InitializeSecurityContext still tries to access the token.
How can I force the ISC not to use the token?
Hello,

I don't think I understand what problem you are seeing now. What is
this thing you are calling an e-token?

Dave
el_noir
2008-11-20 14:00:13 UTC
Post by DaveMo
Post by el_noir
It seems it's working, but I still have an issue.
When an eToken is inserted, and I try to authenticate the user
without a certificate (ISC_REQ_USE_SUPPLIED_CREDS was set), then
InitializeSecurityContext still tries to access the token.
How can I force the ISC not to use the token?
Hello,
I don't think I understand what problem you are seeing now. What is
this thing you are calling an e-token?
Dave
It is an Aladdin USB eToken, which is used for strong client
authentication. It is used to store a private key which cannot be
removed from the USB token. I've generated a keypair on the token,
made a certificate request for the key, and signed it with a test
issuer. So I have a public-private keypair on the token, and a
certificate which is linked to it. When the token is inserted, the
certificate is copied to the My store, so it can be used for
authentication.
If the token is inserted and I try to establish a Schannel
connection, the ISC tries to access the eToken, even when
ISC_REQ_USE_SUPPLIED_CREDS was set and I do not pass the certificate
through the SCHANNEL_CRED structure when I call
AcquireCredentialsHandle.
(When the Schannel connection is established without the token and without a
certificate, it works fine. And it works when the certificate which
uses the private key is selected for authentication. In this case
the ISC calls the eToken's CSP to ask for a token and a
password.)
My only problem is when I don't want to use the inserted token, the
ISC still tries to access it.
el_noir
2008-11-20 14:45:55 UTC
Hello,

I solved my problem!
When I call AcquireCredentialsHandle and I don't want to use a
certificate, I had to specify SCH_CRED_NO_DEFAULT_CREDS, so no
default certificate chain is built when the server asks for the client
certificate, and combined with the ISC_REQ_USE_SUPPLIED_CREDS flag in
the ISC call, it works fine!

Thanks for your help Dave!
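The two flags from the fix above, put together in code. This is an added example, not code from the thread: the SSPI calls are compiled only under `_WIN32`, and the numeric flag values (the ones documented in schannel.h and sspi.h) are defined as a fallback so the flag helpers also build on other platforms. The helper names are my own.

```c
/* Added example: client-side Schannel credential setup where a client
 * certificate is optional. Without a certificate, SCH_CRED_NO_DEFAULT_CREDS
 * stops Schannel from searching the My store (and so from touching the
 * eToken's CSP) when the server sends a CertificateRequest, and
 * ISC_REQ_USE_SUPPLIED_CREDS makes InitializeSecurityContext use only what
 * was passed in. Helper names are assumptions, not an SSPI API. */
#include <string.h>
#ifdef _WIN32
#define SECURITY_WIN32
#include <windows.h>
#include <schannel.h>
#include <security.h>
#else
#include <stdint.h>
typedef uint32_t DWORD;
/* Fallback values as documented in schannel.h / sspi.h */
#define SCH_CRED_NO_DEFAULT_CREDS  0x00000010
#define ISC_REQ_USE_SUPPLIED_CREDS 0x00000080
#define ISC_REQ_CONFIDENTIALITY    0x00000010
#define ISC_REQ_STREAM             0x00008000
#endif

/* SCHANNEL_CRED.dwFlags: only suppress the default credential search when
 * the caller did not supply a certificate of its own. */
DWORD client_cred_flags(int have_client_cert)
{
    DWORD flags = 0;
    if (!have_client_cert)
        flags |= SCH_CRED_NO_DEFAULT_CREDS;
    return flags;
}

/* fContextReq for InitializeSecurityContext on a TLS stream. */
DWORD client_isc_flags(void)
{
    return ISC_REQ_USE_SUPPLIED_CREDS | ISC_REQ_CONFIDENTIALITY | ISC_REQ_STREAM;
}

#ifdef _WIN32
/* Acquire an outbound credential; pcert may be NULL for "no client cert". */
SECURITY_STATUS acquire_client_creds(PCCERT_CONTEXT pcert, CredHandle *hcred)
{
    SCHANNEL_CRED cred;
    TimeStamp expiry;
    memset(&cred, 0, sizeof(cred));
    cred.dwVersion = SCHANNEL_CRED_VERSION;
    cred.dwFlags = client_cred_flags(pcert != NULL);
    if (pcert) { cred.cCreds = 1; cred.paCred = &pcert; }
    return AcquireCredentialsHandle(NULL, UNISP_NAME, SECPKG_CRED_OUTBOUND,
                                    NULL, &cred, NULL, NULL, hcred, &expiry);
}
#endif
```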
DaveMo
2008-11-21 13:14:39 UTC
Post by el_noir
Hello,
I solved my problem!
When I call AcquireCredentialsHandle and I don't want to use a
certificate, I had to specify SCH_CRED_NO_DEFAULT_CREDS, so no
default certificate chain is built when the server asks for the client
certificate, and combined with the ISC_REQ_USE_SUPPLIED_CREDS flag in
the ISC call, it works fine!
Thanks for your help Dave!
I'm glad you solved your problem!

Dave