Client certificate based authentication

Similar Messages

• Problem with client certificate based authentication

  Hello.
  We are developing an AIR application that uses client
  certificates for authentication. We have written a simple test case
  to show the problem.
  <?xml version="1.0" encoding="utf-8"?>
  <mx:WindowedApplication xmlns:mx="
  http://www.adobe.com/2006/mxml"
  layout="absolute">
  <mx:Script>
  <![CDATA[
  import mx.controls.Alert;
  private function responseHandler(): void {
  Alert.show("Response received");
  ]]>
  </mx:Script>
  <mx:HTTPService id="exampleService"
  url="https://www1.aeat.es/pymes1/pacargoi.html"
  showBusyCursor="true"
  result="responseHandler()">
  </mx:HTTPService>
  <mx:Button label="Send"
  click="exampleService.send()"/>
  </mx:WindowedApplication>
  When we click on the button, it sends the request to the
  protected page and then (if you have CA emitted certificates) the
  dialog appears requesting the client certificate. And it works
  fine.
  But next time we click on the button, the dialog requesting
  the client certificate appears again.
  Is there a way to stop showing the dialog every time?
  Any help would be very appreciated.
  Thanks a lot for your support.
  Paco.

  I have just sent a Feature Request/Bug Report with the
  following text:
  "We are experiencing a problem using AIR with a server that
  requires authentication via client certificate.
  The dialog for selecting the client certificate appears every
  time that the AIR application interacts with the server (not only
  the first time).
  Steps to reproduce bug:
  1. Install Apache HTTP Server with SSL and require client
  certificate in order to authenticate.
  2. Develop an AIR Application that connects to this server
  (HTTPService or RemoteObject have been tested with the same
  result).
  3. Every time that the AIR application connect to the
  server, the dialog appears in order the user to select the client
  certificate.
  Results: This makes the AIR application unusable.
  Expected results: The dialog requesting the client
  certificate should appear the first time only."
  Thanks,
  Paco.

• NetMail,Netlet,NetFile stop after enabling certificate based authentication

  I use SunONE Portal6.1+SRA. I have installed the gateway and portal on the same machine and have installed the sample portal also. Everithing works fine (Netlet,NetMail,NetFile) untill I enabled the gateway to use certificate based client authentication. After this step the applications (NetFile,Netlet,NetMail) stopped working. It seems that they can't connect to the gateway after the initial applet download because of the client certificate based authentication.
  Is there some workaround or configuration change that I can do in order to allow the applets to communicate with the gateway?

  At last I have found my mistake. I was using the JPI 1.4.1. If I use JPI 1.3.1 there is no problem because this version of java usesthe browser libraries in order to make the ssl connection and then the certificate that is imported in to the browser is used. Finally I have found the way to tell the JPI 1.4 which certificate to use and how.
  Look here if you want more information:
  http://java.sun.com/j2se/1.4.1/docs/guide/security/jsse/JSSERefGuide.html#Customization
  http://java.sun.com/j2se/1.4.1/docs/tooldocs/tools.html#security
  see also:
  http://forum.java.sun.com/thread.jsp?forum=2&thread=361995

• Certificate based authentication with iOS Client

  Hello experts,
  I have a question regarding the certificate based authentication in SAP Mobile Documents. With the Android Client it is "easy" possible to use certificate based authentication by just sending the user certificate to the Android device (using mail, MDM or whatever).
  For the iOS App it is written that the user has to sync the certificate to the device using iTunes sync. Is this really the only possibility to bring the certificate to the iOS device so that the App can use it? I have successfully tested by adding the certificate using iTunes, but I cannot make it working using MDM to push the certificate to the device. SAP Mobile Documents just cant see the installed certificate.
  Am I doing something wrong here?
  Thanks for your help.
  Ernst

  Hi, I don't think this is supported on iOS right now. Something for future ....

• Client Certificate Mapping authentication using Active Directory across trusted forests

  Hi,
  We currently have a setup where the on-premises environment and the cloud environment are based on two separate forests linked by a 1-way trust, i.e., the exist in the on-premises AD and the 1-way trust allows them to use their
  credentials to login to a cloud domain joined server. This works fine with the Windows authentication.
  We are now looking at implementing a 2-Factor authentication using Certificate. The PKI infrastructure exists in the On-Premises Forest. The users are able to successfully login to on-premise servers configured with "AD CLient Certificate
  Mapping".
  However, we are unable to achieve the same functionality on the cloud domain joined servers. I would like to know
  1. Is this possible?
  2. If yes, what do we need to do to make this work.
  Just to clarify, we are able to authenticate using certificates by enabling anonymous authentication. However, we are unable to do the same after turning on "Client Certificate Mapping authentication using Active Directory"

  1. Yes!
  2. Before answering this I need to know if your are trying to perform a smart card logon on a desktop/console or if you just want to use certificate based authentication in an application like using a web application with client certificate requirements
  and mapping?
  /Hasain
  We will eventually need it for smartcard logon on to desktop/console. However, at present, I am trying to use this for certificate based authentication on a web application.
  To simulate the scenario, I setup up two separate forests and established a trust between them.
  I then setup a Windows PKI in one of the forests and issued a client certificate to a user.
  I then setup a web server in both the forests and configured them for anonymous authentication with Client SSL requirement configured.
  I setup a test ASP page to capture the Login Info on both the servers.
  With the client and the server in the same forest, I got the following results
  Login Info
  LOGON_USER: CORP\ASmith
  AUTH_USER: CORP\ASmith
  AUTH_TYPE: SSL/PCT
  With the client in the domain with the PKI and the server in the other Forest, I got the following response
  Login Info
  LOGON_USER:
  AUTH_USER:
  AUTH_TYPE: 
  I tried the configuration with the Anonymous Authentication turned off and the AD CLient Certificate mapping turned on.
  With the client and the server in the same forest, I am able to login to the default page. However, with the server in a trusted forest, I get the following error.
  401 - Unauthorized: Access is denied due to invalid credentials.
  You do not have permission to view this directory or page using the credentials that you supplied

• Certificate based authentication for Exchange ActiveSync in Windows 8.* Mail app

  I have a Surface Pro and want to setup access to my company's Exchange server that accepts only Exchange ActiveSync certificate-based authentication.
  I've installed server certificates to trusted pool and my certificate as personal.
  Then I can connect thru Internet Explorer, but this is not comfortable to use.
  I don't have a password because of security politics of our company. When I'm setting up this account on my Android phone I'm using any digit for password and it works perfectly.
  Can someone help to setup Windows 8 metro-style Mail application? Does it supports this type of auth? When I'm trying to add account with type Outlook, entering server name, domain name, username, 1 as a password then I've got a message like "Can't
  connect. Check your settings."
  Is there any plans to implement this feature?

  For what it's worth we have CBA working with Windows 8.1 Pro.  In our case we have a MobileIron Sentry server acting as an ActiveSync reverse-proxy, so it verifies the client cert then uses Kerberos Constrained Delegation back to the Exchange CAS, however
  it should work exactly the same to the Exchange server directly.  I just used the CA to issue a User Certificate, exported the cert, private key and root CA cert, copied to the WinPro8.1 device and into the Personal Store.  Configured the Mail app
  to point at the ActiveSync gateway, Mail asked if I would like to allow it access the certificate (it chose it automatically) and mail synced down immediately...
  So it definitely works with Windows Pro 8.1.

• Certificate based authentication with sender SOAP adapter. Please help!

  Hi Experts,
     I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
  .Net --->SOAP -
  >XI -
  >RFC -
  R/3 System
  Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS  with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
  I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
  When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test  certificate based authentication?
  Am I missing any steps for certificate based authentication?
  Please help
  Thanks
  Gopal
  Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AM

  Hi!
  Although soapUI is a very goot SOAP testing tool, you can't test certificate based authentication with it. There is no way (since I know) how to import certificat into soapUI.
  So, try to find other tool, which can use certificates or tey it directly with the sender system.
  Peter

• Certificate based authentication

  I have a client application that requires certificate based authentication.
  I could not find any instructions on how to set this up in the 11g manuals. So I reverted to the 5.2 manual (http://docs.oracle.com/cd/E19850-01/816-6698-10/ssl.html#18500), and followed some instructions found online.
  I have completed the setup, and the client is able to authenticate using his certificate, and I have verified this in the logs.
  [22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuing,DC=corp,DC=company,DC=lan
  [22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
  [22/Mar/2012:13:13:33 -0500] conn=34347 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
  When adding the usercertificate attribute to the ID I used the following LDIF:
  version: 1
  dn: uid=userid,ou=employees,o=company
  changetype: modify
  replace: userCertificate
  usercertificate: < file:///home/user/Certs/usercert.bin
  the file was a binary encoded certificate file.
  Here is the part that I don't understand when I do a search (or LDIF export) of the user object with the certificate it just returns a short base64 encoded string. when I decode this string, it is just the literal string of "< file:///home/user/Certs/usercert.bin".
  So it appears that the certificate has not been stored on the user object in binary, and yet the certificate authentication still works. The file mentioned, does not exist on the LDAP server (the cert was loaded from another server), so there is no way that it is reading the cert from the file.
  Anyone have any idea what is going on here? And why certificate auth works, when there appears to be not cert stored in LDAP?
  If by chance this is how it is all suppose to work, then how do I go about backing up the usercertificate attribute when I do my LDAP data backups?
  Thanks
  Brian

  Cyril,
  Thanks for the reply.
  I believe I am doing both types of certificate authentication, you are describing. My issue is that when I perform the steps to store the PEM formatted cert into the directory server, rather than storing a binary value of the cert, it appears to be storing the path to the file I attempted to import. The odd part is that I can still authenticate even after this is done.
  I tried to post as much info as I could before without posting any sensitive data, I'll try and expand on that below.
  Here is my documentation of the steps taken to configure the server and setup a user, for what I believe to be certificate based authentication, where the user is authenticated solely on the certificate that they provide (no password is sent).
  1. Server must be running SSL, all connections for Certificate Auth are done over SSL (just a note)
  2. From the DSCC
  ----a. Directory Servers Tab -> Servers Tab -> Click Server Name
  ----b. Security Tab -> General Tab
  ----c. In "Client Authentication" section, select:
  --------i. LDAP Settings: "Allow Certificate-Based Client Authentication"
  --------ii. This should be the default setting.
  3. On the directory server setup the /ldap/dsInst/alias/certmap.conf file:
  ----a. certmap default default
  ----default:DNComps
  ----default:FilterComps uid,cn
  4. restart the directory server
  5. Do the following to setup the user who will be connecting. On their unix account (or similar)
  ----a. Create a directory to hold the certDB
  --------i. mkdir certdb
  ----b. Create a CertDB
  --------i. /ldap/dsee7/bin/certutil -N -d certdb
  ------------1) Enter a password when prompted
  ----c. Import the CA cert
  --------i. /ldap/dsee7/bin/certutil -A -n "OurRootCA" -t "C,," -a -I ~/OurRootCA.cer -d certdb
  ----d. Create a cert request
  --------i. /ldap/dsee7/bin/certutil -R -s "cn=userid,ou=company,l=city,st=state,c=US" -a -g 2048 -d certdb
  ----e. Send the cert request to the PKI Team to generate a user cert
  ----f. Take the text of the generated cert & save it to a file
  ----g. Import the new cert into your certdb
  --------i. /ldap/dsee7/bin/certutil -A -n "certname" -t "u,," -a -i certfile.cer -d certdb
  ----h. Create a binary version of cert
  --------i. /ldap/dsee7/bin/certutil -L -n "certname" -d certdb -r > userid.bin
  ----i. Add the binary cert to the user's LDAP entry (version: 1 must be included - I read this in a doc somewhere, but it doesn't seem to matter)
  --------i. ldapmodify
  ------------1) ldapmodify -h host -D "cn=directory manager" -w password -ac
  ------------2)
  ------------version: 1
  ------------dn: uid=userid,ou=employees,o=company
  ------------sn: Service Account
  ------------givenName: userid
  ------------uid: userid
  ------------description: Service Account for LDAP
  ------------objectClass: top
  ------------objectClass: person
  ------------objectClass: organizationalPerson
  ------------objectClass: inetorgperson
  ------------cn: Service Account
  ------------userpassword: password
  ------------usercertificate: < file:///home/userid/Certs/userid.bin
  ------------nsLookThroughLimit: -1
  ------------nsSizeLimit: -1
  ------------nsTimeLimit: 180
  After doing this setup I am able to perform a search using the certificate:
  ldapsearch -h host -p 1636 -b "o=company" -N "certname" -Z -W CERTDBPASSWORD -P certdb/cert8.db "(uid=anotherID)"
  This search is successful, and I can see it logged, as having been a certificate based authentication:
  [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from x.x.x.x:53574 to x.x.x.x
  [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuer,DC=corp,DC=company,DC=lan
  [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
  [23/Mar/2012:13:25:20 -0500] conn=44605 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
  If I understand correctly that would be using the part 2 of your explanation as using the binary encoded PEM to authenticate the user. If I am not understanding that corretly please let me know.
  Now the part that I am really not getting is that the usercertificate that is stored on the ID is as below:
  dn: uid=userid,ou=employees,o=company
  usercertificate;binary:: PCBmaWxlOi8vL2hvbWUvdXNlcmlkL0NlcnRzL3VzZXJpZC5iaW4
  which decodes as: < file:///home/userid/Certs/userid.bin
  So I'm still unclear as to what is going on here, or what I've done wrong. Have I set this up incorrectly such that Part 2 as you described it is not what I have setup above? Or am I missunderstanding part 2 entirely?
  Thanks
  Brian
  Edited by: BrianS on Mar 23, 2012 12:14 PM
  Just adding ---- to keep my instruction steps indented.

• Certificate based authentication with SSL load balancer

  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

  I think the simplest and most secure way is to have the servers configured for
  2-way ssl, since this would ensure that the certificate they receive and use for
  authentication has been validated during the ssl handshake. In this case the load
  balancer itself does not need to and cannot do the handshaking, and would need
  to pass the entire SSL connection through to the WLS server (ie: act similar to
  a router)
  Pavel.
  "George Coller" <[email protected]> wrote:
  >
  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

• Certificate Based Authentication - Questions and Authentication Modules

  Hi Everyone
  I'm trying to achieve a specific configuration using AM . I've installed the AM Server 7.1 on a AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
  The AM server is using a DS rep for configurations and dynamic profiles and using a AD rep for authentication.
  What I now need to achieve is authentication base on one of these two way :
  - user and password authentication (which is working)
  - Certificate based authentication ( working on it )
  To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled", they don't say which ( either the server or agent container or both ) . Also I assume that "Client Authentication Enabled" is refering to the Http Listener configuration of that container.
  When I enable it ( the Client Authentication ) on the http listener for either containers the https connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." . On IE, it prompts for a Certificate to be sent to the container and when I provide none, then it gives me the same error as Firefox. In both cases no page was presented.
  Basically what I need is for both authentication methods described before to work! So, asking the certificate ( specially if it wasn't the AM asking for it ) without giving the user a chance to use a user/password combination isn't what is wanted.
  From what I gathered the "Client Authentication" makes this http listener need a certificate to be presented always .
  So, my first question is : is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
  2- I'll probably need to code a costum module for this scenario I'm working in because of client requisits, but if possible I would like to use the provided module. Still, in case I need to make on, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
  3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
  All for now,
  Thank you all for your help
  Rp

  Hi Rp,
  We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes it is possible to use both method at the same time i.e. Use certificate first and then fallback to LDAP.
  First you need to configure AM's webcontainer to accept the certificate. From your message it is clear that you have done that. The only mistake that you did is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication as optional. It means that Certificate will be transferred only when it is available otherwise Web Container will not ask for the Certificate. You will have to search Glassfish website or ASEE 9.1 manual to learn how to make the Client-Authentication Optional. You definitely need this authentication optional as Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
  Secondly, In AM 7.1, you will have to Set up the Authentication chaining. Where you can make Certificate Module as Sufficient and LDAP module as REQUIRED.
  Thirdly, if you are using an non ocsp based certificate then change the ocsp checking in AMConfig.properties to false.
  Fourth, You may have to write a small custom code to get the profile from your external sources. (if you need to then I can tell you how).
  HTH,
  Vivek

• C4C to CRM integration using HCI Certificate-based Authentication - 403 Forbidden

  Hi Experts,
  In reference from the discussion in this link (Quick Guide on using Certificates for Integrating C4C and ECC using HCI), we need suggestions on why we're getting 403-Forbidden error, what steps did we miss for our communication from C4C to CRM using HCI. 
  We already imported the necessary certificates in the iFlows/SSL Server/Client PSEs signed by Entrust (which is one of the supported CAs and our communication from CRM to C4C certificate-based authentication configuration is working fine) for HCI. We also mapped the HCI client certificate to the CRM user that we created (CODINTEG). Service IDOC is also registered and activated (SICF and SRTIDOC).
  Below are the roles assigned to the user CODINTEG, and the mapping of HCI client certificate in SM30 and also the certificates imported in our SSL Server PSE. Just a note that we're not using SAP webdispatcher as a reverse proxy here for our C4C to CRM connection.
  Thanks in advance.
  Regards,
  Rajiv

  Hello Rajiv,
  for test purpose and for eliminating error reasosns caused by user authorization rights you could assign first SAP_ALL to your communication user. If this works, you should reduce the rights again to a minimum...
  Goto SU01 and edit the user CODINTEG. Goto Tab Profiles and within F4 help tab "Composite Profiles" search for SAP_ALL.
  Best regards,
  Berthold

• Transition to Certificate Based Authentication

  Hello,
  I was hoping someone could help provide some insight into a question I have. We are in the process of rolling out a new Mobile Device Management system that will give us the ability to insert User Certificates on the mobile devices. 
  My question is: While we are in transition to this system, is it possible to have both Digest AND Certificate Based authentication working on Exchange (2010) without causing service disruption to the devices that have not yet been migrated to the new MDM
  system?
  Thank you in advance,
  Ryan

  Hi,
  Reporting Services uses the HTTP SSL (Secure Sockets Layer) service to establish encrypted connections to a report server. If you have certificate (.cer) file installed in a local certificate store on the report server computer, you can bind the certificate
  to a Reporting Services URL reservation to support report server connections through an encrypted channel.
  Server certificates are installed on the Web server and typically require no additional configuration on the clients. Server certificates allow the clients to verify the identity of the server.
  Because, some Web sites and applications might require client certificates. Client certificates are installed on the client and allow the server to authenticate the clients. For more information about configuring client certificates, see
  Enabling Client Certificates in IIS 6.0 . But Client certificates is not supported in the SSRS 2005 later version. So SSRS 2008 R2 will not allow the server to authenticate the clients.
  More details information in article below for your reference:
  Configuring a Report Server for Secure Sockets Layer (SSL) Connections
  If you still have any problem, please feel free to ask.
  Regards,
  Vicky Liu
  Vicky Liu
  TechNet Community Support

• ActiveSync with Certificate-Based Authentication

  We are trying to setup ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
  What has been done so far:
  OWA over https works fine. A public, trusted certificate is in place.
  Setup ActiveSync against this Exchange server: works fine, using user name/password.
  Issued a user cert, signed with an internal CA, CA-cert successfully imported into al client devices.
  Created a new OWA-site with cert-based authentication (just to make sure it works), imported user certificate into a mac, visit this OWA site - cert-based authentication works fine.
  Now, with the configuration utility, created configuration profile with that user cert and an ActiveSync account, left password blank and chose the imported cert (p12) as authentication means.
  After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume iPhone is ignoring the cert and is trying to use password-authentication instead.
  The devices tested were iPhone 3G with IOS 4 and iPad 2 with IOS 5.
  Any help will be greatly appreciated.
  Roman.

  No-one with this experience?
  We've done some network analysis (as much as was possible to decrypt) and could see, that the server sends an SSL-Alert (rejection?) to the client after the client presents the certificate.
  That explains why the client falls back to password-authentication, but it does not tell us why the server rejects the cert (that is accepted perfectly when accessed from a browser) in first place.

• X.509 certificate based authentication with load balancer

  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

  Hi George,
  If you want the client's cert, the server has to ask for it and this
  implies two-way SSL. Normal one-way SSL the server provides the cert to
  the client and the client decides if it wants to continue the handshake.
  If the client is OK with the server certs and two-way SSL is configured
  on the server, then the server will request the client send it's certs.
  If the client certs are OK, then the pipe is established.
  Concerning the load balancer I'm assuming it is simply providing a
  tunnel, but I don't have the experience to comment and it is something I
  would suggest that you that you seek guidance from our outstanding
  support team [1] or drop a note in the security newsgroup [2] for the
  experts to review.
  Regards,
  Bruce
  [1]
  http://support.bea.com
  [email protected]
  [2]
  http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=xover&group=weblogic.developer.interest.security
  George Coller wrote:
  >
  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

• OWA and ActiveSync certificate based authentication

  I have Exchange 2013 CU3 installed and want to activate the certificate based authentication for ActiveSync and OWA. But I want to have the login without certificate as well for users without a certificate.
  I already found some information how to do that on Exchange 2010 and I already did all steps to activate it.
  But at one point I cant find anything to configure in Exchange 2013. So I have activated the AD certificate based authentication in ISS and configured the OWA folder in IIS to accept client certificates. This seems to work as I get asked to use the certificate
  when I open the OWA page. But then I am landing on the OWA login page where I have to enter username and password.
  So it seems that I am missing something. In the tutorials for Exchange 2010 they activate the certificate based authentication in the Management console. But I cant find anything in ECP to activate.
  Can anyone help me?

  Hi,
  We can create an additional Web Site in IIS to configure additional OWA and ECP virtual directory for external access. And configuring the Default Web Site for internal access.
  Then we can configure internal one with Integrated Windows authentication and Basic authentication while the external one configured for forms-based authentication of Domain\user name format. For more information about
  Configuring Multiple OWA/ECP Virtual Directories, we can refer to:
  https://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
  Thanks,
  Winnie Liang
  TechNet Community Support