IE client/Tomcat server using SSL for client authentication.

Martin Johnson

Hi,

I know this is a subject that comes up from time to time. I should know, I've
just been reading the archives.
Though, would you believe it, I cannot get the dreaded IE "Client
Authentication" dialog to display a single cert when trying to connect to my
Tomcat 5.x standalone install.

I have my CA cert installed and trusted on both Tomcat keystore and IE. My
server cert is signed by this CA. Also the CN matches the DNS/URL entry for
the server. So when using only server authentication the criteria of CA
known and trusted, Date valid and Server name valid, there is complete trust
by the client of the server.

Yet when I apply clientauth=true to server.xml and install a client cert
into the Personal tab of IE using pfx/p12 format, a certificate that has
been signed by the same CA as the server cert, the attempt to connect
results in the "Client Authentication" dialog STILL empty of any available
certificate.

I have read that removing an email address from the CA may help with the
bypassing of comparison algorithms in use within Tomcat and IE that don't
agree on email address. This has had no effect for me. Please see the
following link for details on this:
http://groups.google.com.au/groups?q=ie++tomcat+"Client+authentication+"&hl=en&lr=&ie=UTF-8&oe=UTF-8&scoring=d&selm=039c01c0b2de%24c5f31560%2496e62ecf%40tkmsftngxs03&rnum=20

I have a client in Java that manages to client authenticate correctly, so it
works for one style of client only. I really need it to work with
IE. Have you done this? Have you successfully had Tomcat client
authenticating an IE client? What have I done wrong? I should have posted a
week ago instead of going mad over this.

Regards

Martin Johnson
 
