Internet Explorer not sending Client Certificate when using Certificate Realm Authentication

book

Article ID: 169126

calendar_today

Updated On:

Products

Asset Management Solution Data Center Security Monitoring Edition ProxySG Software - SGOS

Issue/Introduction

Notes:

Please make sure you follow articles KB4144 and KB1195 before applying the change provided in this article, especially the configuration changes required for Internet Explorer in particular. For more information regarding Certificate Realm Authentication, please refer to KB1593 .

Issue:

When accessing a website that requires Certificate Realm Authentication, the browser prompts the user to select a Client Certificate from its local store. After clicking "OK", the client receives "This page can't be displayed" error, while the address bar contains the virtual URL and port used for authentication. The same issue occurs when the Client Certificate is selected automatically. A packet capture reveals that the browser does not send the Client Certificate and sends a FIN-ACK message to the ProxySG instead, as displayed in the picture attached to this article.

Specifications:

This article was written using the following software for testing:

  • SGOS 6.5.9.8 and 6.6.4.2
  • Windows 2008 Enterprise Server SP2 PKI.
  • Internet Explorer 11

Cause

By default, the browser attempts to start a TLS 1.2 connection with the ProxySG for client certificate authentication on the specified virtual URL and port. The ProxySG provides its configured certificate and sends a Certificate Request message to the client, as expected.

However, according to a Microsoft article (provided below), within Internet Explorer, SSL 2.0 and TLS 1.2 are not compatible with each other when used with client certificates in Windows 7 and later operating systems.

Resolution

To use client-side certificates to establish an HTTPS connection over TLS 1.2, you must disable SSL 2.0 in Internet Explorer.

This option can be found in Internet Options > Advanced > Use SSL 2.0.