Discussion:
Client certificate authentication
Timothy Jewett
2007-02-12 20:43:01 UTC
I have written a web server using sspi and now have a requirement for mutual
authentication. If I set the ASC_REQ_MUTUAL_AUTH bit in the request flags the
client does get prompted for the certificate to use but at the completion of
the negotiation I do not have the ASC_RET_MUTUAL_AUTH bit set in the returned
context. What is this telling me and how do I get it to work?
--
Timothy Jewett
***@online.nospam
Jeffrey Tan[MSFT]
2007-02-13 12:19:16 UTC
Hi Jewett,

Can you tell me on what version of the OS you are experiencing this problem,
and what type of security protocol you are using with SSPI: SSL or Kerberos?

I assume you mean the AcceptSecurityContext() does not return
ASC_REQ_MUTUAL_AUTH.

This problem looks like the symptom talked about in the link below, can you
check if they are the same problems?
"SSPI Mutual Authentication Is Indicated on the Client Side But Not on the
Server Side"
http://support.microsoft.com/kb/304161/en-us

I have seen a known issue of AcceptSecurityContext() not returning
ASC_REQ_MUTUAL_AUTH when using SSPI with SSL (Schannel). Below is some
detailed information:

The AcceptSecurityContext function will return ASC_RET_MUTUAL_AUTH if a
client certificate was received from the client and schannel was
successfully able to map the certificate to a user account in AD. This is
the mandatory requirement for Schannel mutual authentication design.

Mapping Certificates requirement is documented in "Authenticating the
client" at:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/performing_authentication_using_schannel.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/secauthn/security/mapping_certificates.asp

Windows Schannel implementation will attempt to map the certificate to a
user account in AD in order for AcceptSecurityContext() to return
ASC_RET_MUTUAL_AUTH. This is performed so that the server can perform
authorization decisions based on the impersonation access token.

The Certificate Mapping process is documented at:
http://www.microsoft.com/windows2000/en/advanced/help/sag_CS_CertMapAccounts.htm
http://www.microsoft.com/windows2000/en/advanced/help/default.asp?url=/windows2000/en/advanced/help/sag_CSprocs_CertMapAD.htm

Certificate Mapping is the process of mapping a client authentication
certificate to a domain user account in AD. This operation is done on the
domain controller of the AD domain either manually or programmatically
during installation. This step is required for AcceptSecurityContext to
return ASC_RET_MUTUAL_AUTH.

However, this is really not required, if you want to simply check/validate
the client authentication certificate in the server code. But,
AcceptSecurityContext() will not return ASC_RET_MUTUAL_AUTH unless schannel
was successfully able to map the client authentication certificate to a
user account in AD. This is the mandatory requirement for Schannel mutual
authentication design on the server side.

I will wait for your further feedback and information. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notifications.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Timothy Jewett
2007-02-13 13:31:00 UTC
Yes I'm on an x64 w2k3 box and using SSL.
--
Timothy Jewett
Jeffrey Tan[MSFT]
2007-02-14 08:40:46 UTC
Hi Jewett,

Thanks for your feedback!

Yes, this is the issue I talked about in the first reply. I have discussed this
issue with an SSL expert and the original issue owner. They confirmed that
they are the same issue.

AcceptSecurityContext will set ASC_RET_MUTUAL_AUTH if a client certificate
was received from the client and schannel was successfully able to map the
certificate to a user account in AD. For this to occur, Certificate
Mapping must be performed by a domain admin beforehand.

Certificate Mapping is the process of mapping a client authentication
certificate to a domain user account in AD. This operation is done on the
domain controller of the AD domain either manually or programmatically
during installation by domain admin:
http://technet2.microsoft.com/WindowsServer/en/library/3f98fdd9-ed64-49f7-9c20-a2d4581dfbea1033.mspx?mfr=true
(Look for "How Schannel Uses Certificate Mapping").

Mapping Certificates requirement is documented in "Authenticating the
client" in MSDN.
http://msdn2.microsoft.com/en-us/library/aa378819.aspx

The Certificate Mapping process is documented at [Section Using the Active
Directory for One-to-One Mapping]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/howto/mapcerts.mspx

The handshake succeeds even though cert mapping has failed. The return
value of QueryContextAttributes with SECPKG_ATTR_ACCESS_TOKEN will indicate
the reason for cert mapping failure.

Note: this also applies to x64 Win2003.

There are also 2 WebClient and WebServer samples in the PlatformSDK at
%MSSDK%\Samples\Security\SSPI\SSL. This is the folder structure if you have
Windows Server 2003 SP1 Platform SDK installed.

If you still have anything unclear, please feel free to tell me, thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Timothy Jewett
2007-02-14 13:46:06 UTC
I understand that I can still validate manually and that is all I need to do.
I would have liked the quick check to make sure the certificate was
available. Can this information be made available in the documentation for the
ASC_RET_MUTUAL_AUTH flag? Is there a quick check that can be used to confirm
a certificate is available?
--
Timothy Jewett
Timothy Jewett
2007-02-14 15:05:17 UTC
Jeffrey, you stated in the 1st reply that I should be able to validate the
client's certificate. How do I do that? When I called
QueryContextAttribute specifying SECPKG_ATTR_REMOTE_CERT_CONTEXT I get
SEC_E_NO_CREDENTIALS.
--
Timothy Jewett
Jeffrey Tan[MSFT]
2007-02-15 09:53:01 UTC
Hi Jewett,

I will perform some research over your further question and reply to you
ASAP. Thanks for your understanding.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Jeffrey Tan[MSFT]
2007-02-16 05:52:08 UTC
Hi Jewett,

Sorry for letting you wait. I have discussed this issue with one SSL
developer, below is his comment:

"That means the client did not even send a certificate. The protocol allows
this:

SSL3: The client sends a no certificate alert.
TLS: The client sends a certificate message with 0 length (i.e., no
certificates).

The handshake will succeed in this case but cert mapping will obviously
fail.

If you have a sniff, then I'd be happy to take a look to confirm.

I agree that the documentation is somewhat lacking and will open a doc bug
to address this."

So, can you provide the network sniff of this issue? Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
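
The two cases the developer describes can be checked against the raw bytes of a capture, or against the buffer an SSPI server reads from the socket before handing it to AcceptSecurityContext(). The C code below is an added example, not part of the original thread or the SDK samples: it walks the client's cleartext records (initial SSL3/TLS 1.0-1.2 handshake) and reports whether a certificate, an empty TLS Certificate message, or the SSL3 no_certificate alert was sent. All function, type and sample names are made up for illustration, the sample byte strings are constructed, and a handshake message fragmented across records is reported as malformed rather than reassembled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What the client's cleartext flight says about its certificate. */
typedef enum {
    CC_NOT_SEEN = 0,        /* no Certificate message or alert before ChangeCipherSpec */
    CC_PRESENT,             /* Certificate message carrying at least one certificate */
    CC_EMPTY_TLS,           /* TLS: Certificate message with a zero-length list */
    CC_NO_CERT_ALERT_SSL3,  /* SSL3: no_certificate alert (description 41) */
    CC_MALFORMED            /* truncated input or inconsistent lengths */
} client_cert_status;

enum { REC_CHANGE_CIPHER_SPEC = 20, REC_ALERT = 21, REC_HANDSHAKE = 22 };
enum { HS_CERTIFICATE = 11, ALERT_NO_CERTIFICATE = 41 };

/* Read a 24-bit big-endian length field. */
static uint32_t be24(const unsigned char *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | (uint32_t)p[2];
}

/* Walk the handshake messages packed into one handshake record. */
static client_cert_status scan_handshake(const unsigned char *p, size_t n) {
    while (n > 0) {
        if (n < 4) return CC_MALFORMED;           /* type(1) + length(3) */
        uint32_t body = be24(p + 1);
        if (body > n - 4) return CC_MALFORMED;    /* spans records: not reassembled */
        if (p[0] == HS_CERTIFICATE) {
            if (body < 3) return CC_MALFORMED;    /* certificate_list length(3) */
            uint32_t list_len = be24(p + 4);
            if (list_len != body - 3) return CC_MALFORMED;
            return list_len == 0 ? CC_EMPTY_TLS : CC_PRESENT;
        }
        p += 4 + body;
        n -= 4 + body;
    }
    return CC_NOT_SEEN;
}

/* Classify a buffer holding the client's records, in wire order. */
client_cert_status classify_client_flight(const unsigned char *buf, size_t len) {
    size_t off = 0;
    while (off < len) {
        if (len - off < 5) return CC_MALFORMED;   /* type(1) version(2) length(2) */
        unsigned char type = buf[off];
        size_t rec_len = ((size_t)buf[off + 3] << 8) | buf[off + 4];
        if (rec_len > len - off - 5) return CC_MALFORMED;
        const unsigned char *payload = buf + off + 5;

        if (type == REC_CHANGE_CIPHER_SPEC) break; /* later records are encrypted */
        if (type == REC_ALERT) {
            /* alert = level(1) description(1) */
            if (rec_len == 2 && payload[1] == ALERT_NO_CERTIFICATE)
                return CC_NO_CERT_ALERT_SSL3;
        } else if (type == REC_HANDSHAKE) {
            client_cert_status s = scan_handshake(payload, rec_len);
            if (s != CC_NOT_SEEN) return s;
        }
        off += 5 + rec_len;
    }
    return CC_NOT_SEEN;
}

/* Constructed sample flights (not taken from a real capture). */
static const unsigned char SAMPLE_TLS_EMPTY[] = {
    0x16, 0x03, 0x01, 0x00, 0x07, 0x0b, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, /* empty Certificate */
    0x16, 0x03, 0x01, 0x00, 0x06, 0x10, 0x00, 0x00, 0x02, 0x00, 0x00,       /* dummy ClientKeyExchange */
    0x14, 0x03, 0x01, 0x00, 0x01, 0x01                                      /* ChangeCipherSpec */
};
static const unsigned char SAMPLE_SSL3_ALERT[] = {
    0x15, 0x03, 0x00, 0x00, 0x02, 0x01, 0x29,                               /* warning, no_certificate */
    0x16, 0x03, 0x00, 0x00, 0x06, 0x10, 0x00, 0x00, 0x02, 0x00, 0x00,
    0x14, 0x03, 0x00, 0x00, 0x01, 0x01
};
static const unsigned char SAMPLE_TLS_PRESENT[] = {
    0x16, 0x03, 0x01, 0x00, 0x0e, 0x0b, 0x00, 0x00, 0x0a,                   /* Certificate, body 10 */
    0x00, 0x00, 0x07, 0x00, 0x00, 0x04, 0xde, 0xad, 0xbe, 0xef,             /* one 4-byte dummy cert */
    0x14, 0x03, 0x01, 0x00, 0x01, 0x01
};
static const unsigned char SAMPLE_NOT_REQUESTED[] = {
    0x16, 0x03, 0x01, 0x00, 0x06, 0x10, 0x00, 0x00, 0x02, 0x00, 0x00,       /* ClientKeyExchange only */
    0x14, 0x03, 0x01, 0x00, 0x01, 0x01
};

int main(void) {
    printf("tls empty     -> %d\n", classify_client_flight(SAMPLE_TLS_EMPTY, sizeof SAMPLE_TLS_EMPTY));
    printf("ssl3 alert    -> %d\n", classify_client_flight(SAMPLE_SSL3_ALERT, sizeof SAMPLE_SSL3_ALERT));
    printf("tls present   -> %d\n", classify_client_flight(SAMPLE_TLS_PRESENT, sizeof SAMPLE_TLS_PRESENT));
    printf("not requested -> %d\n", classify_client_flight(SAMPLE_NOT_REQUESTED, sizeof SAMPLE_NOT_REQUESTED));
    return 0;
}
```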
Jeffrey Tan[MSFT]
2007-02-19 04:31:51 UTC
Hi Jewett,

Additionally, you have to call QueryContextAttributes() only after the
authentication loop is completed.

If QueryContextAttributes SECPKG_ATTR_REMOTE_CERT_CONTEXT fails on the
server with SEC_E_NO_CREDENTIALS it means that the client didn't supply a
client authentication certificate. The problem is in the client side code.

You can use this to check if the client supplied a certificate or not as
shown in WebServer sample.

You can look at WebServer and WebClient SDK samples as a reference.

Hope this helps.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Timothy Jewett
2007-02-20 20:17:19 UTC
Here is one for you. I did wait until I returned SEC_E_OK from
AcceptSecurityContext, the certificate was sent. However here is something to
ponder, I had to install the Root Certificate Authority into the
LOCAL_MACHINE store. Once installed the request to the browser for those
certificates allowed the certificate to be shown/selected. However it wasn't
until I rebooted the server that the certificate was considered sent. That is
the only thing that changed from before (when no credentials error) and now.
Not sure why the reboot was needed.
--
Timothy Jewett
Jeffrey Tan[MSFT]
2007-02-22 05:40:46 UTC
Hi Jewett,

Sorry for the late response, I was out of the office yesterday.

I will perform some research on this issue and let you know the result
ASAP. Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Timothy Jewett
2007-02-22 13:20:25 UTC
Thanks, I'll wait to hear from you.
--
Timothy Jewett
Jeffrey Tan[MSFT]
2007-02-23 02:02:38 UTC
Hi Jewett,

Sorry for letting you wait.

I have consulted the SSL dev team about this issue. Based on their feedback,
we do update our internal list in schannel if new roots are added. So, a
reboot is not necessary. They are not sure what's going on here.

Can you help to give a recheck? In this scenario, the behavior is different
from our design spec, so is it possible for you to provide sample reproduce
projects with detailed steps to help me give it a local repro?

Thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
Timothy Jewett
2007-02-26 14:16:19 UTC
Jeffrey, I am unable to reproduce this problem again. I tried removing and
rebooting then reinstalling the CA again. But I no longer receive the no
credentials error. I have a few more things to try again but I need to get
this into production quickly, so please bear with me a few more days.

Thanks,
--
Timothy Jewett
Jeffrey Tan[MSFT]
2007-02-27 02:48:29 UTC
Hi Jewett,

Yes, I understand it. If you need further help, please feel free to post,
thanks.

Best regards,
Jeffrey Tan
Microsoft Online Community Support
i***@gmail.com
2013-02-22 11:00:33 UTC
Hi all,
I am having a similar problem. On the client side I want to set only server-auth and not mutual-auth. How do I achieve this? What should the values of the input and output context flags be on the server-side AcceptSecurityContext()?