Client Certificate Selection Prompt


The HTTPS protocol allows a secure server to request that the client verify their identity with a client certificate during the initial secure handshake. By presenting a client certificate, the browser helps further defeat man-in-the-middle attacks and authenticates to the web server more securely than when using just a username and password.


Internet Explorer’s behavior when prompting for a certificate has changed in IE8, and in this post, I’ll quickly summarize what’s new.


When the server requests a certificate, the user may be shown a prompt dialog asking which certificate they would like to send. URLACTION_CLIENT_CERT_PROMPT (0x1A04) controls the browser’s prompting behavior. By default, the URLAction is set to Enable in the Local Machine and Intranet zones, and Disable in the Internet, Trusted, and Restricted zones. 


When set to Enable:



  • If the user has no suitable client certificates, no prompt is shown, and no certificate is sent to the server

  • If the user has only one suitable client certificate, no prompt is shown, and that certificate is sent to the server

  • If the user has multiple suitable client certificates, the certificate selection prompt is shown

When set to Disable:



  • If the user has one or more suitable client certificates, the certificate selection prompt is shown, and

…in IE6 and IE7:



  • If the user has no suitable client certificates, an empty certificate selection prompt is shown

…in IE8:



  • If the user has no suitable client certificates, no prompt is shown, and no certificate is sent to the server

Within the Tools > Internet Options > Security > Custom Level… UI, the explanatory text has been changed. In IE6 and IE7, it reads:



Do not prompt for client certificate selection when no certificates or only one certificate exists.


In IE8, it now reads:



Don’t prompt for client certificate selection when only one certificate exists.


So, why was a change made for IE8? It turns out that a lot of servers would like to use a client certificate if available and if not, they would like to have the user log in using HTMLForms/cookie-based authentication. The empty certificate selection dialog confused users and was only useful to indicate (in a very obtuse way) that the server would have liked to have received a client certificate but no certificate was available.


Savvy readers might be wondering “Why does this URLAction need to exist in IE8?  Now, the only difference between Enable and Disable is the behavior when the user has only one certificate… Why not just send that certificate?”


The answer is “privacy.” While the server receiving the certificate doesn’t get the user’s private key, it does get all of the other information that is in that certificate. Such information often includes the user’s full name, and might include their phone number, email/physical address and other personally-identifiable information. If the browser automatically sent a certificate to any site that asked for it, a significant privacy breach would occur.


If the user wants to configure their browser to automatically send a certificate to a non-Intranet zone server, they can add the desired site to the Trusted list, and set the URLAction in the Trusted zone to Enable.
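As an added example (not part of Eric's post), here is a PowerShell audit of the 0x1A04 URLAction across the five zones, reporting where a single certificate would be sent without a prompt. It assumes the usual per-user zone registry layout (`HKCU:\...\Internet Settings\Zones\<n>`, DWORD named `1A04`, with 0 = Enable, 1 = Prompt, 3 = Disable), which the post itself does not spell out.

```powershell
# Added example, not from the post: audit URLACTION_CLIENT_CERT_PROMPT (0x1A04) per zone.
# Assumptions (not stated in the post): zone settings live under
# HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\<n>,
# the DWORD is named "1A04", and its values are 0 = Enable, 1 = Prompt, 3 = Disable.
$ZoneNames      = @{ 0 = 'Local Machine'; 1 = 'Intranet'; 2 = 'Trusted'; 3 = 'Internet'; 4 = 'Restricted' }
$ActionNames    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
# Defaults as described in the post: Enable for Local Machine/Intranet, Disable elsewhere.
$ExpectedDefault = @{ 0 = 0; 1 = 0; 2 = 3; 3 = 3; 4 = 3 }
$ZoneRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-ClientCertPromptSetting {
    param([int]$Zone)
    $key  = Join-Path $ZoneRoot $Zone
    $item = Get-ItemProperty -Path $key -Name '1A04' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: IE uses its built-in default
    return [int]$item.'1A04'
}

foreach ($zone in 0..4) {
    $value = Get-ClientCertPromptSetting -Zone $zone
    $label = if ($null -eq $value) { 'not set (built-in default)' } else { $ActionNames[$value] }
    $flag  = ''
    # Enable outside Local Machine/Intranet means a lone certificate, and the PII inside it,
    # goes to any site in that zone that asks for it, with no user prompt.
    if ($value -eq 0 -and $zone -ge 2) { $flag = '  <-- sends a single cert silently' }
    if ($null -ne $value -and $value -ne $ExpectedDefault[$zone]) { $flag += '  (differs from documented default)' }
    '{0,-14} (zone {1}): {2}{3}' -f $ZoneNames[$zone], $zone, $label, $flag
}
```

If Group Policy forces machine-wide zone settings, the effective values live under the equivalent HKLM path instead, so point `$ZoneRoot` there when auditing a managed workstation.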


-Eric


PS: At some later time, I’ll probably elaborate on what specifically “suitable client certificate” means, because that question comes up a lot.

Comments (23)

  1. LookingForSolutions says:

    I know this isn’t the best place to ask, but I don’t know where else (can’t post anything in MS Connect).

    Is there any plan for an IE feature that allows you to display two tabs at the same time within the same window? I have a relatively large, wide display and would like to view two webpages at the same time, in order to compare (e.g. compare two similar products). Going back and forth between two tabs is tedious. Launching a second instance of IE seems a bit silly, considering the multi-tab UI.

    Visual Studio has had such a feature (vertical/horizontal tab groups) for quite some time … Synchronized scrolling would make it even better … 😉

  2. EricLaw [MSFT] says:

    @LookingForSolutions: As a general rule, you will never see pre-release feature announcements on the IEInternals blog. As to your specific question: yes, we’ve heard this request before, and yes, we know why it would be useful for certain scenarios. I believe there may be a few browser add-ons that offer this feature, but unfortunately I’ve never tried any of them myself.

  3. greg says:

    We have an issue where an authentication request by the web server results in the IE certificate selection list being presented to the user.  They have two certificates available on their smart card (a signing cert and an authentication/logon cert).  The users don’t know which one to choose.  Is there a way to default to the authentication cert based on EKU or something?  

  4. greg says:

    We have a mix of IE6 and IE7 in the shop although IE6 is quickly on the way out.

    The authentication cert EKUs:

    Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

    Client Authentication (1.3.6.1.5.5.7.3.2)

    All Usages (2.5.29.37.0)

    The second is a signing cert with key usage of digital signature & non-repudiation

    It would be a big win if I could default to the auth cert with the client authentication EKU and avoid the selection prompt.

  5. greg says:

    Unfortunately, the filters don’t seem to address the use case I’m looking for unless I misread the options.  If I have an application that requires client authentication I don’t want to see a prompt that includes things such as digital signing certs.  I would prefer defaulting to the cert with client authentication EKU thus shielding the end user from yet another decision point which they do not understand well.

  6. Fred says:

    Hello,

    In the past, some MS application displayed the common name of the client certificate in the certificate selection, while others displayed the "friendly name" of the client certificate.

    It seems that IE under windows 7 would use the friendly name in the client certificate selection.

    My questions:

    1. Will this be standardized across MS Office and IE products? If yes, where could I find the detailed information for the various products?

    2. For internet explorer:

    a. Is the max length of the CN effectively displayed by default in the client certificate selection window documented? If yes, where could I find that information?

    b. Is the max length of the Friendly name effectively displayed by default in the client certificate selection window documented? If yes, where could I find that information?

    thanks in advance for any information.

    Fred

  7. woj says:

    Thanks, but PLEASE do "elaborate on what specifically “suitable client certificate” means". That is a topic I’ve been waiting to find explained for a long time 🙂

    Regards

    Wojciech

  8. Dennis Glendenning says:

    Thanks for a great post. Can you continue with the "suitable client certificate" definition? Our enterprise certificates appear in the prompt with IE 6/7 over XP and they don’t with IE8.

  9. EricLaw [MSFT] says:

    Wojciech/Dennis– It’s on my TODO list, I’ll get to it as soon as I can.

  10. Wade says:

    I, too, am interested to know what a "suitable client certificate" is and also why the prompt does not appear when, in fact, I just might have my certificate on a USB key or floppy disk. Am I misunderstanding how client certificates work in that they must somehow be imported onto a workstation in order for them to become available? This would seem like a bad idea.

  11. EricLaw [MSFT] says:

    Wade: By-default, the certificate-selection prompt is not shown if you do not have a certificate in either the Windows Certificate store, or a currently-inserted SmartCard.

    As mentioned in the post above: "It turns out that a lot of servers would like to use a client certificate if available and if not, they would like to have the user log in using HTMLForms/cookie-based authentication. The empty certificate selection dialog confused users and was only useful to indicate (in a very obtuse way) that the server would have liked to have received a client certificate but no certificate was available."

  12. Imran says:

    Guys,

    My users access a website which normally would require a certificate. When I click on the relevant link it would normally prompt me to select the certificate; it doesn't do so and as a result I get the Page Cannot Be Displayed page in IE 6 or 7. I have tried accessing the site from my home and there are no issues, it does what it's supposed to do.

    I am at a loss why this is happening. Any recommendations?

  13. Jonas Oholm says:

    Hi,

    When talking about the IE certificate selection dialog… Is there a way to customize the bitmap showing a chip? I ask because we have a neat credential provider displaying different bitmaps depending on the issuer/Subject of the client certificates. This feature is visible at logon, for the MS VPN client, when selecting a certificate for RDP. But the certificate selection dialog in IE is not affected. So, can we modify this in IE or is it "in the code"?

    Best regards,

    /Jonas from Sweden

  14. Simon Gordon says:

    Hi there

    The certificate selection dialogue in IE6/7 used a neat 2-column format, which we managed to intercept and make the right certificate selection for the user, improving usability for the user. The new dialogue (Windows 7, IE8) does not separate out the data and we are struggling to make the auto-selection. Is there any way to revert to the old dialogue, or replace the prompt with our own dialogue?

    Thanks,

     Simon.

  15. Mat Raynor says:

    I'm looking for the same as Simon. Basically is there a registry setting to force use of the legacy certificate selection dialogue?

  16. @Mat: The flag CRYPTUI_SELECTCERT_LEGACY is never set by IE or WinINET, so no, I'm not aware of any such registry setting.

    @Simon: There's no good way to replace this dialog when running in IE. For other hosts of the web browser control, it may be possible to implement IHttpNegotiate3, as described here: msdn.microsoft.com/…/dd433052(VS.85).aspx

  17. Raul says:

    I am not sure if my question is answered above…

    I have Windows 2003 server, IIS 6 and I have 3 sites, only one with https enabled (the only I care), in Site properties => Directory Security => Secure communications => Edit => Client Certificates => I have the "Ignore client certificates" option selected

    (I don't use client certificate at all)

    In IE 6 & 7 if the "Do not prompt for client certificate selection when no certificates or only one certificate exists." option is on "Disable" the empty certificate window is displayed, in IE 8 is not displayed.

    What I want is for the empty certificate box not to be displayed in IE6/7. Is there an option in IIS to set this up (instead of on each client computer)?

    Thank you in advance

  18. EricLaw [MSFT] says:

    @Raul: Your IIS server is not configured properly. IE will only show the client certificate prompt if the server is asking for a client certificate. It certainly looks like "Ignore client certificates" is the proper option to set but I'm not an IIS expert. You should ask your question in an IIS newsgroup or on http://serverfault.com/

  19. Oliver says:

    Hi Eric,

    Just wanted to let you know that I am also and still interested in the exact definition of "suitable client certificate". I guess it has something to do with the issuer of the certificate + what issuers the server regards as creditable, but I could never figure out how this works exactly, especially as I am trying to configure an SAP server – which is rather less user-friendly in regards of configuration options.

    Thanks,

    Oliver

  20. Donald Roy Airey says:

    I would like to add my voice to the other users.  What is the definition of a "suitable client certificate"?  There must be some sort of protocol where the server tells the client what CAs it recognizes, but this to me seems like a serious security breach.  How does IE determine which client certificates to display in the prompt?

  21. It's really not that complicated: The server returns a list of acceptable CAs in its HTTPS handshake, and the client also filters (by default) out those client certificates which are expired or otherwise invalid. I'm not sure what "breach" you're concerned about?
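As an added illustration (not code from the post or from any commenter) of the two filters comment 21 describes, this PowerShell snippet applies an issuer allow-list, a validity-window check and the Client Authentication EKU check that greg asked about (comment 4) to the current user's personal store, then reports which of the post's three outcomes would apply. The issuer names are constructed samples; in a real handshake the list comes from the server's CertificateRequest, and the string comparison on `Issuer` is a simplification of the DER-encoded DN match IE actually performs.

```powershell
# Added example, not from the post: model "suitable client certificate" as
# (a) issuer is in the server's acceptable-CA list, (b) currently valid,
# (c) has a private key, and (d) carries the Client Authentication EKU.
# The issuer list is constructed for illustration only.
$AcceptableIssuers = @(
    'CN=Example Corp Issuing CA 1, O=Example Corp, C=US',   # constructed sample
    'CN=Example Corp Smart Card CA, O=Example Corp, C=US'   # constructed sample
)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication (from comment 4)
$AnyEkuOid     = '2.5.29.37.0'         # anyExtendedKeyUsage ("All Usages", from comment 4)

function Get-SuitableClientCertificate {
    param([string[]]$Issuers, [datetime]$Now = (Get-Date))
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $cert = $_
        $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $cert.HasPrivateKey -and
        ($Now -ge $cert.NotBefore) -and ($Now -le $cert.NotAfter) -and
        ($Issuers -contains $cert.Issuer) -and
        # No EKU extension means the cert is usable for any purpose; otherwise
        # require Client Authentication (or anyExtendedKeyUsage).
        ($ekus.Count -eq 0 -or $ekus -contains $ClientAuthOid -or $ekus -contains $AnyEkuOid)
    }
}

$suitable = @(Get-SuitableClientCertificate -Issuers $AcceptableIssuers)
switch ($suitable.Count) {
    0       { 'No suitable certificate: IE8 shows no prompt and sends nothing.' }
    1       { 'One suitable certificate: sent without a prompt only where 1A04 is Enable.'
              $suitable[0].Subject }
    default { 'Multiple suitable certificates: the selection prompt is shown.'
              $suitable | Select-Object Subject, Issuer, NotAfter }
}
```

Running this with an issuer list copied from the server's actual CertificateRequest is a quick way to see why a given certificate does or does not appear in the prompt.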

  22. Tom says:

    Can you explain how tabbed browsing affects IE's behavior related to displaying the client cert selection dialog?  It appears that IE9 will reprompt for client certificate if I open the same page in a new tab.  Is there any way to change this behavior?  If I open a client cert protected page in one tab and then open another tab to the same server, I'd like IE to automatically send the cert that I already chose.

    [EricLaw]: I think you asked this question and I answered over here.