httpd-users mailing list archives

From "Berube, Steve (HP Software)" <>
Subject [users@httpd] Requesting help with Smart Card Client Certificate Authentication issue.
Date Tue, 27 Oct 2009 02:36:44 GMT
I'm hoping someone can help me with this.

Issue: On various systems using Internet Explorer 7 or 8, smart card credentials are not being
prompted. Firefox works providing the Security Device for ActivClient is installed.

Server: Windows Apache 2.2.14 with OpenSSL
Clients: Various (Windows platforms)
                IE 8
                Firefox 3.5.3
                ActivClient Smart Card/Key reader.

The issue I am having is as follows.
I have a simple apache install running SSL with a server certificate from a trusted authority.
If I use a self-signed one, it works just as well.
I have enabled SSLClientVerify on my cgi-bin folder.
Here is my directive:
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</Directory>

This is in extra/httpd-ssl.conf, basically everything is out of the box 2.2.14 so I could
eliminate any customizations we made. The only real changes are me pointing to the certificates
and adding this directive.

What works:
Accessing https://servername (which is running on 443) works and the client trusts the server.
I see the infamous Apache 'It Works!'
All client browsers IE, Firefox, Windows 7, Windows Vista, 32bit 64bit all work.

What doesn't work (completely)
Note: I have a tcl interpreter running a custom printenv.tcl, but the file doesn't matter,
assume we are just trying to access cgi-bin directly, same issue exists there. Same issue
exists if I set the directive on the whole webserver (e.g. <location />).
Now, here is where it gets interesting. What should happen is the client should prompt for a
client certificate from the smart card reader and ask the user for their pin.
On Firefox 3.5.3 it prompts the user for their smartcard pin as long as the Security Device
for ActivClient is installed. Works great!
IE 8.0 on Windows 7 didn't work; after rebuilding the system it works now.
All the other systems (tested 10) running IE will not work. This is where I am completely
baffled. I've tried everything I could think of. But where I am stuck now is I can't seem
to get IE 7 or 8 to (via ActivClient) prompt for a pin. Using the same client, same IE browser
accessing some of our internal sites where we require a certificate it works fine. Just not
to my site on apache. The other two sites that do work are hosted by IIS 6 and Omniture Dc/2.0.0
(at least states the HTTP header)

If anyone needs more information from me or has any advice here please let me know. I'm stumped
and have been scouring Google for hours with no luck.

- Steve
