Client cert password asked twice when requested in ie 6.X, 7

Hi all,
I have an SSL web server instance (Sun Java Web Server 6.1SP8) configured to ask for a client cert when a certain resource is requested. Accepted client certs are contained in a client smart card, password protected. When using Internet Explorer as the browser, the password window to access the certificate is shown twice when requesting the protected resource.
When using firefox the password is only asked once.
To configure the web server I've modified the obj.conf file, adding
<Client uri="/myuri/*">
PathCheck fn="get-client-cert" dorequest="1" require="0"
</Client>
and magnus.conf, adding
KeepAliveTimeout 0
Has this something to do with the web server or is it an Internet Explorer problem?
Thanks in advance.

Have you added any redirects in your obj.conf ?
Do you see anything in the error logs when you run the server in <log-level>finest</log-level> mode? Compare the difference between IE and Firefox.
Some reference about get-client-cert:
http://docs.sun.com/app/docs/doc/820-2203/abujm?l=en&a=view
"The get-client-cert function gets the authenticated client certificate from the SSL3 session. If the certificate is present or obtained from the SSL3 session, the function returns REQ_NOACTION and allows the request to proceed. Otherwise, it returns REQ_ABORTED and sets the protocol status to 403 forbidden, causing the request to fail."
In Web Server 7.0 try and add the following in server.xml also and see if it helps :
In the <ssl> element add
<client-auth>required</client-auth>
or
<client-auth>optional</client-auth>
Note that this setting will work for all URIs, not just /myuri.
For more details on client-auth : http://docs.sun.com/app/docs/doc/820-2203/gaifo?l=en&a=view
Element: client-auth
Description: Client certificate authentication method
Value: required, optional, or false
In WS 6.x, it was called clientauth and it could be specified as an attribute in SSLPARAMS:
<!ELEMENT LS (DESCRIPTION?,SSLPARAMS?)>
<!ATTLIST SSLPARAMS
...
clientauth %boolean; "false"
...>

Similar Messages

  • CLIENT-CERT - UserNameMapper problem

    Hi,
    I have a client, which sends a soap-message, containing a username, to a
    webservice, that responds with "hello, <username>". The communication
    is over ssl. The webservice is running in a weblogic server 7.0 sp1.
    I have 2-way ssl working. Now I'm trying to restrict access to the
    web-service.
    I changed the web.xml of the web-service to require BASIC as
    auth-method. This works fine.
    Then I changed BASIC to CLIENT-CERT in the web.xml.
    I changed the active type of the defaultIdentityAsserter to X.509.
    I implemented a UserNameMapper class, which prints data of the presented
    certificate, and returns a username, that exists in the
    embedded-ldap-realm of weblogic server, and that has the right to
    execute the webservice (it works with BASIC auth).
    I put the name of the UserNameMapper class in the
    defaultIdentityAsserter, and I included it in my classpath.
    The UserNameMapper is working, because the data of the certificate is
    printed on stdout. But I get a 401 (Unauthorized)-error code when trying
    to access the web-service.
    Can someone give me a hint on what I'm missing?
    Thanks,
    Noella
    ************* code of UserNameMapper *********************
    import java.security.cert.X509Certificate;

    public class VZNUserNameMapper implements
            weblogic.security.providers.authentication.UserNameMapper {

        public VZNUserNameMapper() {
        }

        // Called by the DefaultIdentityAsserter with the client's certificate chain.
        public String mapCertificateToUserName(X509Certificate[] certs,
                                               boolean ssl) {
            System.out.println(certs[0].getSubjectDN().toString());
            return "noella";
        }

        public String mapDistinguishedNameToUserName(byte[]
                                                     distinguishedName) {
            return null;
        }
    }

    Thanks it worked. Somehow I missed in documentation this x.509 setting.
    I've also had a problem with setting "Client Certificate Requested But Not Enforced"
    in WLS 7.0.0 but it seems to be working fine in SP1.
    Thanks again
    Greg
    "kirann" <[email protected]> wrote:
    hi,
    I believe you need to turn on x.509 Identity Assertion in the server
    console..
    Please check the documentation.
    thanks
    kiran
    "Greg" <[email protected]> wrote in message
    news:3e243a25$[email protected]..
    Hi!
    I'm trying to set up my web application to use client-cert
    authentication. I've set in web.xml login config to
    <auth-method>CLIENT-CERT</auth-method>. When I'm accessing my
    application I'm always getting 401 Unauthorized. If I set
    login to BASIC, browser pops up login dialog and everything works
    fine.
    I've done following:
    - created and installed in WLS trusted CA certificate
    - created and installed client certificate signed by that CA in
    IE 5.5
    - configured WLS to use ssl and set "Client Certificate Enforced"
    - managed to connect to document root or console application
    using https://localhost:7002/console and verified that actually the client
    certificate
    is used (not able to connect without one)
    Now I'm really stuck and have no ideas.
    Please help. Thanks in advance.
    Greg
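A worked version of the mapping step that the UserNameMapper above stubs out with a fixed return value. This is an added Python example, not code from either thread and not WebLogic's API: it parses the subject DN in the form the Java mapper sees from getSubjectDN().toString() and looks the canonical DN up in an allow-list. The DNs and the allow-list are constructed sample data, and parse_dn, canonical_dn, get_attribute and map_certificate_to_username are names chosen here.

```python
"""Map an X.509 subject DN to a realm username (added example, not thread code).

The sample DNs and the allow-list are constructed. A real mapper would look
the identity up in LDAP or a database, keyed on the full DN (or issuer plus
serial number), never on the CN alone: any CA the server trusts could issue
a certificate whose CN collides with an existing user.
"""
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 2253 style DN string into (attribute, value) pairs.

    Handles backslash escapes ('O=Acme\\, Inc.'), quoted values
    ('CN="Doe, Jane"') and the ', ' separators that Java's
    getSubjectDN().toString() emits. Attribute types are upper-cased.
    """
    pairs: List[Tuple[str, str]] = []
    key, buf = "", []
    in_quotes = escaped = in_value = False
    for ch in dn:
        if escaped:                        # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "=" and not in_value and not in_quotes:
            key, buf, in_value = "".join(buf).strip(), [], True
        elif ch in ",;" and not in_quotes:   # end of one RDN
            if not in_value:
                raise ValueError("RDN without '=' in DN")
            pairs.append((key.upper(), "".join(buf).strip()))
            key, buf, in_value = "", [], False
        else:
            buf.append(ch)
    if escaped or in_quotes:
        raise ValueError("unterminated escape or quote in DN")
    if in_value:
        pairs.append((key.upper(), "".join(buf).strip()))
    elif "".join(buf).strip():
        raise ValueError("RDN without '=' in DN")
    return pairs


def canonical_dn(pairs: List[Tuple[str, str]]) -> str:
    """Re-serialise the pairs without cosmetic spaces, for stable lookups."""
    return ",".join(f"{k}={v}" for k, v in pairs)


def get_attribute(pairs: List[Tuple[str, str]], name: str) -> Optional[str]:
    """First value of an attribute type (e.g. 'CN'), or None."""
    for k, v in pairs:
        if k == name.upper():
            return v
    return None


# Constructed allow-list: canonical subject DN -> user known to the realm.
TRUSTED_SUBJECTS: Dict[str, str] = {
    "CN=noella,OU=Dev,O=Example,C=BE": "noella",
    "CN=Greg Smith,OU=IT,O=Example,C=US": "greg",
}


def map_certificate_to_username(subject_dn: str) -> Optional[str]:
    """Counterpart of mapCertificateToUserName(): realm user, or None to reject.

    None plays the role of the Java mapper returning null: the identity
    asserter then establishes no user and the container answers 401.
    """
    try:
        pairs = parse_dn(subject_dn)
    except ValueError:
        return None
    return TRUSTED_SUBJECTS.get(canonical_dn(pairs))


if __name__ == "__main__":
    for dn in ("CN=noella, OU=Dev, O=Example, C=BE",   # Java toString() spacing
               "CN=noella,OU=Sales,O=Example,C=BE",    # same CN, different OU
               "CN=mallory,OU=Dev,O=Example,C=BE"):
        print(f"{dn!r:45} -> {map_certificate_to_username(dn)}")
```

The lookup is on the whole canonical DN rather than on the CN, so a certificate with the same CN under a different OU or issuer maps to nobody; the mapper rejects malformed DNs the same way instead of guessing.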

  • When I start m/ff browser, the pop-up prompt asking for the master security password appears twice. It was not doing this before. What is wrong?

    When I start the m/ff 3.6.3 browser, the pop-up prompt asking for the master security password appears twice. It was not doing this for the 1st month i had it, and it just started doing it all of a sudden. What could be wrong? O/S = Vista Home Prem.
    This happened: every time Firefox opened
    Started: a few days ago

    It could be this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=499233 - - multiple master password prompts triggered by filling form logins in multiple tabs
    If you have multiple tabs with form logins restoring when you restart Firefox, that could cause multiple master password prompts.
    There may be other bug(s) causing multiple master password prompts. One way to make the master password a little more usable is the [https://addons.mozilla.org/en-US/firefox/addon/9808/ StartupMaster] add-on, which prompts once for the password at startup, then never bothers you.

  • Problems setting up 2way SSL with option Client certs requested Not Enfor

    Hi,
    I am having problems trying to set up 2 way SSL with the option "Clients Certs Requested But Not Enforced". I am using DefaultIdentityAsserter with my own implementation of UserNameMapper. And I have the login-config set to CLIENT-CERT in web.xml. I have tested this setup and it works when I have "Client Certs Requested and Enforced" but when I change it to "Requested and not enforced" it gives a 401 unauthorized exception.
    Any help with this will be greatly appreciated.
    Thanks
    Praveena.

    Hi Peter,
    I'm afraid not, I turned to Apple support forums, followed their advice for troubleshooting Mac Mail (obviously not relevant to you using Outlook) but It involved scanning ports checking firewalls etc, all of this was clear and I just cannot see the problem.
    I even got one of the Livechat BC guys to look into it, by setting up a dummy email address on the client's account, I think he was rather intrigued, but I'm not sure he's had much luck as he still hasn't got back to and that was over 20 hours ago.
    Can your client receive emails? I can only get my client's account receiving emails; when I try to send an email I just keep receiving a message telling me that it cannot connect to smtp!
    According to the BC fact sheet for sending and receiving emails: "By Default, email software will set the SMTP port to 25, which is the standard port for the smtp protocol. However our mail service has two alternative ports available that you can send through. 8025 or 587.
    However it's not blocked and those port settings didn't work either.
    The Apple fact sheet made mention to firewall settings possibly also blocking, but it's not relevant to me using my version of OS.
    Good luck, and please repost if you get any further.
    I am now just looking for a reason that my client's mail won't work on Mac Mail, just so I can sound professional when I tell them the answer is "no".
    Penny

  • Asking for Transport Request while editing DTP in Quality - Client Open

    Hi Gurus,
    We have opened the client and trying to edit the DTP, but it is asking for transport request.
    Is there any other setting that we need to do in order not to prompt for transport request?
    Thanks & Regards.

    Hi Ganesh,
    One of the options would be to save it in a DUMMY request, in case you do not want to transport, so that when you make changes next time it will by default get saved in that DUMMY request, i.e. it will not ask for a request next time.
    We usually save it in Dummy request,when we change a DTP in Quality or in Production.
    Rgds
    SVU123

  • HT5622 I had to change my iTunes password. Now, when I try to download a song, it repeatedly asks me for my password. This is frustrating! Can anyone tell me what I can do about this??

    I had to change my iTunes password. Now, when I try to buy a song, it repeatedly asks me for the password and doesn't seem to register it and go to the next step. It's becoming very frustrating. And, equally, if not more frustrating, is the fact that there is no simple way to contact Apple to find out how to fix the problem. I hope someone here has the solution.
    Thank you!

    After you changed the PW did you go to Settings>iTunes and App stores and sign out and sign back in?

  • HT5622 When updating my apps am being asked several times for my appleId password and even when providing it, it keeps asking and still doesn't update anything, any suggestions?

    When updating my apps am being asked several times for my appleId password and even when providing it, it keeps asking and still doesn't update anything, any suggestions?

    Does the username and password you try to use have administrator privileges? You must input an admin username and password to install. 

  • IMac is asking for admin login password upon startup when it never did before, settings are still on auto login. Why is it doing this out of the blue?

    iMac is asking for admin login password upon startup when it never did before, settings are still on auto login. Why is it doing this out of the blue?

    It sounds like it might for some reason be booting into Safe Mode, which does prompt for a password.
    Try a PRAM reset:
    Shut down the computer.
    Locate the following keys on the keyboard: Command, Option, P, and R. You will need to hold these keys down simultaneously in step 4.
    Turn on the computer.
    Press and hold the Command-Option-P-R keys. You must press this key combination before the gray screen appears.
    Hold the keys down until the computer restarts and you hear the startup sound for the second time.
    Release the keys.
    If that doesn't help, restart holding down the option key which should take you to the startup manager. Select Macintosh HD (you may need to use the arrows on the keyboard if the kb is Bluetooth), tap 'enter'. Does it boot normally now?

  • Where do i find the password itunes asking for when i want to restore my iphone?

    Where do I find the password iTunes is asking for when I want to restore the contents on my iPhone?

    Encrypted iPhone backup password or the passcode on your phone? If you can't remember your encrypted backup password, you won't be able to use your iPhone backup, & there is no way to retrieve it.

  • Only client cert in Sun One App server

    Hi,
    Is this possible to configure an application for Sun One Application Server 8 Update 1
    to use only Client Cert auth without login with id and password ?
    I configured whole 1043 port to use Client Auth. It works when I enter https://localhost:1043. I provide client cert. But when I enter my app I got 'access denied'.
    The app contains only one jsp page and no roles at all.
    The following is my web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name xml:lang="pl">secure</display-name>
    <servlet>
    <display-name xml:lang="pl">secured</display-name>
    <servlet-name>secured</servlet-name>
    <jsp-file>/secured.jsp</jsp-file>
    </servlet>
    <jsp-config/>
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WRCollection</web-resource-name>
    <url-pattern>/secured.jsp</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    </web-app>
    sun-web.xml
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE sun-web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Application Server 8.0 Servlet 2.4//EN" "http://www.sun.com/software/appserver/dtds/sun-web-app_2_4-0.dtd">
    <sun-web-app>
    <context-root>/secure</context-root>
    <session-config>
    <session-manager persistence-type="memory">
    <manager-properties/>
    <store-properties/>
    </session-manager>
    <session-properties/>
    <cookie-properties/>
    </session-config>
    <cache enabled="false" max-entries="4096" timeout-in-seconds="30">
    <default-helper/>
    </cache>
    </sun-web-app>
    Thank You.

    Hello again.
    I would like to rephrase my question.
    In admin console on port 4848 in Http Service node is a http-listener-2 defined.
    In particular there is "Client Authentication" setting.
    This is global setting for all request coming to that port.
    Can I achieve the same functionality using web.xml in one of the apps on the server on the same port without resorting to setting this global option to true?
    Thank You.

  • Client-cert auth impl in web.xml does not work in Oracle Application Server

    Hi,
    I am new to implementing security features on the web applications.. I have developed a new web service using jdev1012 and deployed in OAS 10.1.2. Its working fine according to the business requirements, but I am in need of implementing client-cert authentication to enable the web service available to only those who have client certificate.
    My server details are:
    Oracle Application Server 10g Release 2 (10.1.2)
    Server certificate is in place and SSL mode have been already enabled.. able to access my web service through https://<mydomain.com>/myws/TreqWS as well able to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.
    I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
    <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
    <web-resource-name>WSCollection</web-resource-name>
    <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
    </login-config>
    It is not working as expected, though I have restarted my oc4j container after including this content in the web.xml file. I.e., I am able to invoke the web service through my sample java client program, though I do not have a client certificate/keystore.
    I believe I am missing something..Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?
    Thanks,
    Ms
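Both the Sun One post (an empty <auth-constraint/> and 'access denied' for everyone) and the OAS post (no <auth-constraint> at all and a service that can be invoked without a certificate) come down to how a Servlet 2.4 container combines security-constraint elements. The following added Python example, not container code and not from either post, applies the specification's rules to constructed web.xml fragments modelled on those two snippets; evaluate, url_pattern_matches and the three verdict constants are names chosen here.

```python
"""Decide access under web.xml <security-constraint> rules (added example).

Rules applied, from the Servlet 2.4 specification, section 12.8:
  * a matching constraint with no <auth-constraint> needs no authentication;
  * an empty <auth-constraint/> grants access to nobody, and overrides any
    other matching constraint;
  * <role-name>*</role-name> admits any authenticated user;
  * otherwise the caller must hold one of the listed roles.
The web.xml fragments are constructed, modelled on the two posts' snippets.
"""
from typing import Iterable, Optional, Set
import xml.etree.ElementTree as ET

ALLOW, DENY, AUTH_REQUIRED = "allow", "deny", "auth-required"

NS = 'xmlns="http://java.sun.com/xml/ns/j2ee"'

# Modelled on the Sun One post: empty <auth-constraint/> on /secured.jsp.
SUN_ONE_WEB_XML = f"""<web-app {NS} version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WRCollection</web-resource-name>
      <url-pattern>/secured.jsp</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint/>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

# Modelled on the OAS post: /* with a transport guarantee but no <auth-constraint>.
OAS_WEB_XML = f"""<web-app {NS} version="2.4">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>WSCollection</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

# Constructed: a role that the mapped certificate users are meant to hold.
ROLE_WEB_XML = SUN_ONE_WEB_XML.replace(
    "<auth-constraint/>",
    "<auth-constraint><role-name>certuser</role-name></auth-constraint>")


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Exact, path-prefix ('/x/*'), extension ('*.jsp') and default ('/') patterns."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def evaluate(web_xml: str, path: str, method: str,
             roles: Optional[Iterable[str]]) -> str:
    """Verdict for one request. roles=None means nobody authenticated
    (for CLIENT-CERT: no certificate, or one that mapped to no user)."""
    root = ET.fromstring(web_xml)
    held: Set[str] = set(roles or [])
    required: Set[str] = set()
    constrained = deny_all = False
    for sc in root.findall("{*}security-constraint"):
        matched = False
        for wrc in sc.findall("{*}web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("{*}http-method") if m.text]
            if methods and method not in methods:
                continue  # collection is limited to other methods
            patterns = [p.text.strip() for p in wrc.findall("{*}url-pattern") if p.text]
            matched = matched or any(url_pattern_matches(p, path) for p in patterns)
        ac = sc.find("{*}auth-constraint")
        if not matched or ac is None:
            continue  # no match, or a transport-only constraint
        constrained = True
        names = [r.text.strip() for r in ac.findall("{*}role-name") if r.text]
        if not names:
            deny_all = True
        required |= set(names)
    if deny_all:
        return DENY
    if not constrained:
        return ALLOW
    if roles is None:
        return AUTH_REQUIRED
    return ALLOW if "*" in required or held & required else DENY
```

Run against the two modelled fragments, the Sun One one denies /secured.jsp to everyone, certificate or not, and the OAS one lets an unauthenticated caller through because a transport guarantee alone never triggers authentication; the ROLE_WEB_XML variant is the shape that actually demands a mapped certificate user. Note also that listing http-method elements constrains only those methods, so a HEAD request to /secured.jsp is unconstrained under the Sun One fragment.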

    I am having the same problem with doc and xsl. I have added this
    <mime-mapping>
    <extension>xls</extension>
    <mime-type>application/vnd.ms-excel</mime-type>
    </mime-mapping>
    <mime-mapping>
    <extension>doc</extension>
    <mime-type>application/msword</mime-type>
    </mime-mapping>
    to my web.xml. I even restarted the server. I still see doc and xsl in binary.
    Is there some other setting that needs to take place?
    I am using WL6.1 with fixpack 1.
    I can see the doc and excel files in the browser if I don't go through the weblogic
    server. That just confirms it's not my browser.
    Kumar Allamraju <[email protected]> wrote:
    It works fine for me in 6.1 SP1.
    If the following doesn't work, can you try application/winword instead of application/msword?
    --
    Kumar
    Siming Mu wrote:
    Hi,
    I setup in my web.xml a mime mapping as follows,
    <mime-mapping>
    <extension>doc</extension><mime-type>application/msword</mime-type>
    </mime-mapping>
    When I specify a test.doc url, the doc file appears in my browser as binary data instead of download.
    Please reference change request 055002, which describes this problem. According to edocs, it has been fixed in wls6.1sp1.
    But I am seeing it fixed. Am I doing anything wrong? Thanks.
    Siming

  • Enabling CLIENT-CERT and FORM authentication in same web-app

    Hi!
    I try to enable the same behaviour in WLS 8.1 SP4 as is available in WLS 9.2 (one can define many <auth-method>s in web.xml, for example <auth-method>CLIENT-CERT,FORM</auth-method>, which states that one first tries authentication with a token (Single Sign On case, for example) and if it is not successful then goes to the log-in page).
    My steps are as follows in my custom Servlet. We are using IE 6.0 as our web-client. We have configured our auth-method to be FORM, and in the <form-login-page> we have direction to that custom Servlet, which does the handling described below.
    1. If client does not send tokens in request, then set response header:
    response.setHeader("WWW-Authenticate", "Negotiate");
    response.sendError(response.SC_UNAUTHORIZED);
    This works fine and client starts to send his tokens
    2. Now check token, if it is valid, let user in, if not forward him to custom log-in page, for example:
    RequestDispatcher dispatcher = request.getRequestDispatcher("/login/login.html");
    dispatcher.forward(request, response);
    3. Client is forwarded to a log-in page as requested and he gives his credentials. Pushes OK
    log-in page is as defined in edocs:
    <form method="POST" action="j_security_check">
         <table border=1>
              <tr>
                   <td>Username:</td>
                   <td><input type="text" name="j_username"></td>
              </tr>
              <tr>
                   <td>Password:</td>
                   <td><input type="password" name="j_password"></td>
              </tr>
              <tr>
                   <td colspan=2 align=right><input type=submit value="Submit"></td>
              </tr>
         </table>
    </form>
    Now the interesting thing happens (I have investigated TCP traffic at server machine): client (in this case IE) seems to override somehow the credentials (j_password and j_username for HTTP headers, does not send them at all) but keeps on sending this 'Authorize'-field with invalid token instead.
    I have tried a Servlet that does not request WWW-Authenticate at all (in which case client does not start to send 'Authorize'-field). In this case those values are put to HTTP header OK and authentication is able to take place.
    Anyone has any ideas how I can force my clients to send those values from the HTML FORM described above? Should I set something in the response while I do the forward to the custom log-in page? I have tried virtually everything I can imagine (which seems to be not too much :-))...

    Solution found:
    The trick is to return "401" in the response if the ticket is not valid (do nothing else). This will end the negotiation between client and server.
    In your web.xml, forward your 401 code to login page:
    <error-page>
    <error-code>401</error-code>
    <location>/form_login_page.html</location>
    </error-page>
    There might be a more straightforward way to do this (have all the page management within servlet), but I did not have time to investigate it further. This one at least works
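The server-side decision the two posts above arrive at, written out as an added Python example (not the poster's servlet): a request without an Authorization header gets the 401 plus WWW-Authenticate: Negotiate challenge from step 1, a request whose token does not validate gets a plain 401 with no challenge so the container's <error-page> mapping serves the login form, and a valid token lets the user through. The tokens are constructed stand-ins for SPNEGO tickets (a real deployment hands the token to a GSSAPI library), ERROR_PAGES stands in for the web.xml error-page mapping, and the function names are chosen here.

```python
"""Server side of the Negotiate-then-FORM fallback (added example, not post code).

Tokens are constructed stand-ins for SSO tickets; ERROR_PAGES stands in for
the <error-page> element in web.xml.
"""
import base64
import binascii
from typing import Dict, Optional, Tuple

# Constructed: base64 token -> user the SSO system vouches for.
VALID_TOKENS: Dict[str, str] = {
    base64.b64encode(b"constructed-ticket-for-alice").decode(): "alice",
}

# Stand-in for <error-page><error-code>401</error-code><location>...</location></error-page>.
ERROR_PAGES: Dict[int, str] = {401: "/form_login_page.html"}

Response = Tuple[int, Dict[str, str], Optional[str]]  # status, headers, user


def negotiate_header(raw_ticket: bytes) -> str:
    """Build the 'Authorization: Negotiate <base64>' value a browser would send."""
    return "Negotiate " + base64.b64encode(raw_ticket).decode()


def parse_negotiate(authorization: str) -> Optional[str]:
    """Token part of 'Negotiate <base64>', or None if scheme or encoding is wrong."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not token:
        return None
    try:
        base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    return token


def authenticate(headers: Dict[str, str]) -> Response:
    """One request through the gate.

    Step 1 of the post: no Authorization header yet -> 401 plus a
    WWW-Authenticate: Negotiate challenge, so an SSO-capable browser sends
    its ticket on the retry.
    The fix from the post: anything that does not validate -> a plain 401
    with NO challenge header. Without the challenge the browser stops
    re-sending tokens, and the container serves the mapped error page (the
    login form), so the form credentials reach j_security_check.
    """
    if "Authorization" not in headers:
        return 401, {"WWW-Authenticate": "Negotiate"}, None
    token = parse_negotiate(headers["Authorization"])
    user = VALID_TOKENS.get(token) if token else None
    if user is None:
        return 401, {}, None
    return 200, {}, user


def container_body(status: int) -> str:
    """What the servlet container serves for a status, honouring <error-page>."""
    if status == 200:
        return "<protected resource>"
    return ERROR_PAGES.get(status, f"<default {status} page>")


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": negotiate_header(b"constructed-ticket-for-alice")},
                 {"Authorization": negotiate_header(b"forged")}):
        status, resp_headers, user = authenticate(hdrs)
        print(status, resp_headers, user, container_body(status))
```

Malformed or non-Negotiate Authorization values are treated like an invalid ticket rather than like a missing one, so a client that keeps sending unusable headers is dropped to the form login instead of being re-challenged indefinitely.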

  • Business Catalyst email clients forgot password

    Client using Business Catalyst as CMS and email client DNS was moved, then when email access to the former Business Catalyst mail (mail.hostedemail.com) was not available DNS was reverted back.
    We need to determine if the following process steps are correct
    1) A recovery email needs to be sent from the Business Catalyst CMS
    with the DNS records and CNAME records INTACT reverted back to Business Catalyst CMS and mail
    2) That password will be used to log in https://mail.hostedemail.com/?_task=login
    3) Mail migration and archive can begin. Username password resets will be performed for
    each user.
    Question: Archive (mail up to the DNS and MX change of a day ago) mail is still on the server (worldsecuresystems.com) hostedemail.com

    Hi Cornelius
    When DNS was removed from the BC Site Admin, if the MX record was deleted then the e-mails (the entire mail account) were deleted from OpenSRS (our email provider). When the DNS was re-added, the account at SRS was re-created, but from scratch. So what needs to happen here in order to recover lost e-mail is to have this issue raised to our provider. What I'll kindly ask you to do is raise a ticket with our Support Channel, and we'll pick up from there.
    Kind Regards,
    Alex

  • IBCM on non domain computers - Client Cert: None

    I have IBCM up and running for my domain joined computers, but I have problems with our DMZ and workgroup computers. I have imported the client certificate with the computer name in the subject and SAN, I imported the root and sub cert into the local store
    and the client actually installs. But it seems like there is no real communication.  When checking in the control panel, one thing that sticks out is "Client Cert: None" on the first tab. I'm lost.

    "I have imported the client certificate with the computer name in the subject and SAN"
    What exactly does this mean? Where did you get this cert from? Why are you using a SAN for the client auth cert? Is this a even a client auth cert? Is it unique to this client?
    Also, posting single lines from a log file is useless and meaningless. Log files are about context and flow, which are completely lost when you post a single line. Additionally, single lines rarely contain the actual issue and just reflect what happened previously, which cannot be discerned without the lines before and after it. Thus, please post the entire relevant and unedited snippet of the log files requested by Nash showing the problem areas.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • CLIENT-CERT authentication in WL7

    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?

    Exactly, it was the reason. Thanks.
    Marcin
    On 14 Nov 2003 10:29:39 -0700, Pavel <[email protected]> wrote:
    You must have been accessing the server over one-way SSL. Make sure the two-way ssl server attribute is set to: Client Certificate Enforced, or Client Certificate Requested But Not Enforced.
    This should be all that is needed to make the server send the certificate request.
    With Client Certificate Enforced option you should be getting ssl handshake failure unless the client sends its certificate.
    Pavel.
    yazzva <[email protected]> wrote:
    Yes, I have. If I had not done it, I couldn't have accessed the service via https using basic authentication, and of course ssl debugging information and server configuration show that ssl is configured properly.
    The problem is that WL7 doesn't generate client cert request. Thanks for an attempt to help.
    Have you configured the server for two way ssl?
    See
    http://e-docs.bea.com/wls/docs70/security/SSL_client.html#1029705
    http://e-docs.bea.com/wls/docs70/secmanage/ssl.html#1168174
    for information on this.
    Pavel.
    "yazzva" <[email protected]> wrote:
    Hi,
    I'm trying to enforce two-way authentication for clients (java applications) accessing a web service running on WL7.
    Web service is configured to accept requests over https only. With BASIC authentication it works. When I switch it to use CLIENT-CERT authentication I cannot connect to the web service.
    I've set the "javax.net.debug" directive to "ssl" and noticed that during the handshake procedure the server doesn't produce client certificate request. May it be the cause of the problem? If so, how can I make the server to generate client cert request?
    --
    Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
