
PKI-Certificate security



mreiter6
03-20-2001, 07:36 PM
We are in the process of implementing certificate-based authentication for our client. The client is using Internet Explorer on Windows 98 for the end-users; it would be difficult to change this configuration. Multiple users are on a single machine, so we need to protect the certificates with passwords. When the strong protection option is activated for digital certificates, a password popup window appears on most transactions within a single session - very annoying when you have many transactions to carry out. IE is inconsistent - the popup appears about 2 times out of 3 on the machines it affects. It does not affect all machines with the standard configuration, and we have not found a common factor to explain this. Microsoft's response is below:


"It is not possible to configure your clients so that the password would only prompt once. The "strong private key protection" option prompts for a password continuously. Your only other option would be to upgrade the clients to Windows 2000.

This behavior you describe is actually by design. When the feature to password encrypt the certificate locally was implemented, it was done so that each request would require the password to be retyped. In Windows 2000 the implementation was changed.

The reason it is saved in Windows 2000 is because subsequent calls (calls after the first request for the cert password) to CryptSignHash use a cached private key in Windows 2000 and do not in the down-level clients.

Your only options are to disable the "strong private key encryption" or upgrade the clients to Windows 2000."


Upgrading to Win2K is impractical, if not impossible. Further, we cannot enforce this beyond our pilot. A possible solution would be smart cards; however, we hope to avoid the expense and logistical problems. Another possible solution would be to migrate to Netscape Navigator, which is configurable in this aspect; again, this would be logistically difficult.

So, here's the question: short of the "fixes" listed above, is there anything we can do so that our clients get the popup window once per session, and don't have to re-authenticate every time they click a link? I'm guessing the fix would be a registry change.