Client Certificate Selection Prompt

The HTTPS protocol allows a secure server to request that the client prove its identity with a client certificate during the initial secure handshake. By presenting a client certificate, the browser helps further defeat man-in-the-middle attacks and authenticates to the web server more securely than it could with just a username and password.

Internet Explorer’s behavior when prompting for a certificate has changed in IE8, and in this post, I’ll quickly summarize what’s new.

When the server requests a certificate, the user may be shown a prompt dialog asking which certificate they would like to send. The URLAction URLACTION_CLIENT_CERT_PROMPT (0x1A04) controls the browser’s prompting behavior on a per-zone basis. By default, the URLAction is set to Enable in the Local Machine and Intranet zones, and Disable in the Internet, Trusted, and Restricted zones. (Note that, as the Custom Level text quoted below makes clear, Enable means “enable the no-prompt shortcut,” not “enable prompting.”)

When set to Enable:

  • If the user has no suitable client certificates, no prompt is shown, and no certificate is sent to the server
  • If the user has only one suitable client certificate, no prompt is shown, and that certificate is sent to the server
  • If the user has multiple suitable client certificates, the certificate selection prompt is shown

When set to Disable:

  • If the user has one or more suitable client certificates, the certificate selection prompt is shown (even when only one certificate exists)
  • If the user has no suitable client certificates:
      …in IE6 and IE7, an empty certificate selection prompt is shown
      …in IE8, no prompt is shown, and no certificate is sent to the server

Within the Tools > Internet Options > Security > Custom Level… UI, the explanatory text has been changed. In IE6 and IE7, it reads:

Do not prompt for client certificate selection when no certificates or only one certificate exists.

In IE8, it now reads:

Don't prompt for client certificate selection when only one certificate exists.

So, why was a change made for IE8? It turns out that a lot of servers would like to use a client certificate if one is available and, if not, have the user log in using HTML forms/cookie-based authentication; that is, the server requests a client certificate but does not require one. The empty certificate selection dialog confused users and was only useful to indicate (in a very obtuse way) that the server would have liked to receive a client certificate but none was available.

Savvy readers might be wondering “Why does this URLAction need to exist in IE8? Now, the only difference between Enable and Disable is the behavior when the user has only one certificate... Why not just send that certificate?”

The answer is “privacy.” While the server receiving the certificate doesn’t get the user’s private key, it does get all of the other information that is in that certificate. Such information often includes the user’s full name, and might include their phone number, email/physical address and other personally-identifiable information. If the browser automatically sent a certificate to any site that asked for it, a significant privacy breach would occur. (With TLS 1.2 and earlier, a certificate sent in the initial handshake also travels unencrypted, so a passive observer on the network path sees the same information; TLS 1.3 encrypts the client’s Certificate message.)

If the user wants to configure their browser to automatically send a certificate to a non-Intranet zone server, they can add the desired site to the Trusted list, and set the URLAction in the Trusted zone to Enable.
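To make the zone mechanics described above concrete (the per-zone 0x1A04 URLAction, and the Trusted-zone workaround in the previous paragraph), here is an added PowerShell example. It is not from the original post; it reads the 0x1A04 setting for each of the five zones from the current user’s registry hive, sets it, and maps a site into the Trusted Sites zone the way the Internet Options UI does. The hostname certs.example.com is a placeholder. The registry paths and value meanings (DWORD 0 = Enable, 3 = Disable; the ZoneMap value name is the URL scheme and its DWORD is the zone number) are the standard Internet Explorer ones.

```powershell
# Added example (not from the original post): inspect and set
# URLACTION_CLIENT_CERT_PROMPT (0x1A04) per IE security zone for the
# current user, and place a site in the Trusted Sites zone so a single
# suitable certificate is sent without a prompt.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers as stored in the registry.
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

# URLPOLICY values. For 0x1A04, 0 (Enable) = no prompt when exactly one
# suitable certificate exists; 3 (Disable) = prompt even for a single
# certificate. The Custom Level UI offers only these two for this action.
$PolicyNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ClientCertPromptPolicy {
    # One row per zone with the current 0x1A04 setting (or "(not set)",
    # in which case IE falls back to the zone template default).
    foreach ($zone in 0..4) {
        $key   = Join-Path $ZonesKey $zone
        $value = (Get-ItemProperty -Path $key -Name '1A04' -ErrorAction SilentlyContinue).'1A04'
        $policy = if ($null -eq $value) { '(not set)' } else { $PolicyNames[[int]$value] }
        [pscustomobject]@{
            Zone   = $zone
            Name   = $ZoneNames[$zone]
            Policy = $policy
            Raw    = $value
        }
    }
}

function Set-ClientCertPromptPolicy {
    param(
        [Parameter(Mandatory)][ValidateRange(0, 4)][int]$Zone,
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Policy
    )
    $raw = if ($Policy -eq 'Enable') { 0 } else { 3 }
    $key = Join-Path $ZonesKey $Zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # The value name is the URLAction number in hex, without the 0x prefix.
    Set-ItemProperty -Path $key -Name '1A04' -Value $raw -Type DWord
}

function Add-TrustedSite {
    # Maps https://<domain> to zone 2 (Trusted Sites). The UI stores
    # host.example.com as Domains\example.com\host; the scheme is the
    # value name and the DWORD is the zone number.
    param([Parameter(Mandatory)][string]$Domain)
    $labels = $Domain.Split('.')
    if ($labels.Count -gt 2) {
        $parent   = $labels[-2..-1] -join '.'
        $hostPart = $labels[0..($labels.Count - 3)] -join '.'
        $key = Join-Path (Join-Path $DomainsKey $parent) $hostPart
    } else {
        $key = Join-Path $DomainsKey $Domain
    }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'https' -Value 2 -Type DWord
}

# Usage: show the current settings, then apply the Trusted-zone workaround
# for a hypothetical host.
Get-ClientCertPromptPolicy | Format-Table -AutoSize
Add-TrustedSite -Domain 'certs.example.com'            # placeholder host
Set-ClientCertPromptPolicy -Zone 2 -Policy 'Enable'    # Trusted Sites: send a single cert silently
Get-ClientCertPromptPolicy | Format-Table -AutoSize
```

Two caveats when using this. First, the setting is per zone, not per site: enabling it in Trusted Sites suppresses the single-certificate prompt for every site in that zone, which is why the post recommends it only for sites you deliberately trust. Second, on a managed machine, Group Policy values (the Site to Zone Assignment List and per-zone security settings under the Policies hive) take precedence over these per-user values, so check there first if a change here appears to have no effect.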

-Eric

PS: At some later time, I’ll probably elaborate on what specifically “suitable client certificate” means, because that question comes up a lot.

Comments

  • Anonymous
    September 08, 2009
    I know this isn't the best place to ask, but I don't know where else (can't post anything in MS Connect). Is there any plan for an IE feature that allows you to display two tabs at the same time within the same window? I have a relatively large, wide display and would like to view two webpages at the same time, in order to compare (e.g. compare two similar products). Going back and forth between two tabs is tedious. Launching a second instance of IE seems a bit silly, considering the multi-tab UI. Visual Studio has had such a feature (vertical/horizontal tab groups) for quite some time ... Synchronized scrolling would make it even better ... ;-)

  • Anonymous
    September 08, 2009
    @LookingForSolutions: As a general rule, you will never see pre-release feature announcements on the IEInternals blog. As to your specific question: yes, we've heard this request before, and yes, we know why it would be useful for certain scenarios. I believe there may be a few browser add-ons that offer this feature, but unfortunately I've never tried any of them myself.

  • Anonymous
    September 11, 2009
    We have an issue where an authentication request by the web server results in the IE certificate selection list being presented to the user. They have two certificates available on their smart card (a signing cert and an authentication/logon cert). The users don't know which one to choose. Is there a way to default to the authentication cert based on EKU or something?

  • Anonymous
    September 14, 2009
    We have a mix of IE6 and IE7 in the shop although IE6 is quickly on the way out. The authentication cert EKUs:
      Smart Card Logon (1.3.6.1.4.1.311.20.2.2)
      Client Authentication (1.3.6.1.5.5.7.3.2)
      All Usages (2.5.29.37.0)
    The second is a signing cert with key usage of digital signature & non-repudiation. It would be a big win if I could default to the auth cert with the client authentication EKU and avoid the selection prompt.

  • Anonymous
    September 15, 2009
    @Greg: These two topics describe the filtering options you have by setting the Feature_ClientAuthCertFilter registry key. http://support.microsoft.com/kb/890326 http://blogs.msdn.com/askie/archive/2009/06/09/my-expired-client-certificates-no-longer-display-when-connecting-to-my-web-server-using-ie8.aspx

  • Anonymous
    September 16, 2009
    Unfortunately, the filters don't seem to address the use case I'm looking for unless I misread the options. If I have an application that requires client authentication I don't want to see a prompt that includes things such as digital signing certs. I would prefer defaulting to the cert with client authentication EKU thus shielding the end user from yet another decision point which they do not understand well.

  • Anonymous
    November 16, 2009
    Hello, In the past, some MS applications displayed the common name of the client certificate in the certificate selection, while others displayed the "friendly name" of the client certificate. It seems that IE under Windows 7 would use the friendly name in the client certificate selection. My questions:

  1. Will this be standardized across MS Office and IE products? If yes, where could I find the detailed information for the various products?
  2. For Internet Explorer: a. Is the max length of the CN effectively displayed by default in the client certificate selection window documented? If yes, where could I find that information? b. Is the max length of the Friendly name effectively displayed by default in the client certificate selection window documented? If yes, where could I find that information? Thanks in advance for any information. Fred

  • Anonymous
    December 21, 2009
    Thanks, but PLEASE do "elaborate on what specifically “suitable client certificate” means". That is a topic I've been waiting to find explained for a long time :-) Regards Wojciech

  • Anonymous
    February 03, 2010
    Thanks for a great post. Can you continue with the "suitable client certificate" definition? Our enterprise certificates appear in the prompt with IE 6/7 over XP and they don't with IE8.

  • Anonymous
    February 03, 2010
    Wojciech/Dennis-- It's on my TODO list, I'll get to it as soon as I can.

  • Anonymous
    May 03, 2010
    I, too, am interested to know what a "suitable client certificate" is and also why the prompt does not appear when, in fact, I just might have my certificate on a USB key or floppy disk. Am I misunderstanding how client certificates work in that they must somehow be imported onto a workstation in order for them to become available? This would seem like a bad idea.

  • Anonymous
    May 03, 2010
    Wade: By default, the certificate-selection prompt is not shown if you do not have a certificate in either the Windows Certificate store, or a currently-inserted SmartCard. As mentioned in the post above: "It turns out that a lot of servers would like to use a client certificate if available and if not, they would like to have the user log in using HTMLForms/cookie-based authentication. The empty certificate selection dialog confused users and was only useful to indicate (in a very obtuse way) that the server would have liked to have received a client certificate but no certificate was available."

  • Anonymous
    June 09, 2010
    Guys, My users access a website which normally would require a certificate. When I click on the relevant link it would normally prompt me to select the certificate; it doesn't do so and as a result I get the Page Cannot Be Displayed page in IE 6 or 7. I have tried accessing the site from my home and there are no issues, it does what it's supposed to do. I am at a loss why this is happening. Any recommendations?

  • Anonymous
    September 02, 2010
    Hi, When talking about IE certificate selection dialog... Is there a way to customize the bitmap showing a chip? I ask because we have a neat credential provider displaying different bitmaps depending on the issuer/Subject of the client certificates. This feature is visible at logon, for MS VPN-client, when selecting certificate for RDP. But the certificate selection dialog in IE is not affected. So, can we modify this in IE or is it "in the code"? Best regards, /Jonas from Sweden

  • Anonymous
    October 10, 2010
    Hi there The certificate selection dialogue in IE6/7 used a neat 2-column format, which we managed to intercept and make the right certificate selection for the user, improving usability for the user. The new dialogue (Windows 7, IE8) does not separate out the data and we are struggling to make the auto-selection. Is there any way to revert to the old dialogue, or replace the prompt with our own dialogue? Thanks, Simon.

  • Anonymous
    December 07, 2010
    I'm looking for the same as Simon. Basically is there a registry setting to force use of the legacy certificate selection dialogue?

  • Anonymous
    December 14, 2010
    @Mat: The flag CRYPTUI_SELECTCERT_LEGACY is never set by IE or WinINET, so no, I'm not aware of any such registry setting. @Simon: There's no good way to replace this dialog when running in IE. For other hosts of the web browser control, it may be possible to implement IHttpNegotiate3, as described here: msdn.microsoft.com/.../dd433052(VS.85).aspx

  • Anonymous
    December 28, 2010
    The comment has been removed

  • Anonymous
    December 28, 2010
    @Raul: Your IIS server is not configured properly. IE will only show the client certificate prompt if the server is asking for a client certificate. It certainly looks like "Ignore client certificates" is the proper option to set but I'm not an IIS expert. You should ask your question in an IIS newsgroup or on http://serverfault.com/

  • Anonymous
    May 24, 2011
    Hi Eric, Just wanted to let you know that I am also and still interested in the exact definition of "suitable client certificate". I guess it has something to do with the issuer of the certificate + what issuers the server regards as creditable, but I could never figure out how this works exactly, especially as I am trying to configure an SAP server - which is rather less user-friendly in regards of configuration options. Thanks, Oliver

  • Anonymous
    February 11, 2012
    I would like to add my voice to the other users. What is the definition of a "suitable client certificate"? There must be some sort of protocol where the server tells the client what CAs it recognizes, but this to me seems like a serious security breach. How does IE determine which client certificates to display in the prompt?

  • Anonymous
    February 11, 2012
    The comment has been removed

  • Anonymous
    September 05, 2013
    Can you explain how tabbed browsing affects IE's behavior related to displaying the client cert selection dialog?  It appears that IE9 will reprompt for client certificate if I open the same page in a new tab.  Is there any way to change this behavior?  If I open a client cert protected page in one tab and then open another tab to the same server, I'd like IE to automatically send the cert that I already chose. [EricLaw]: I think you asked this question and I answered over here.