Hello;
I'm hoping someone can help me with this.

Issue: On various systems using Internet Explorer 7 or 8, smart card 
credentials are not being prompted. Firefox works providing the Security Device 
for ActivClient is installed.

Environment:
Server: Windows Apache 2.2.14 with OpenSSL
Clients: Various (Windows platforms)
                IE 8
                Firefox 3.5.3
                ActivClient Smart Card/Key reader.

The issue I am having is as follows.
I have a simple Apache install running SSL with a server certificate from a 
trusted authority. If I use a self-signed one, it works just as well.
I have enabled SSLClientVerify on my cgi-bin folder.
Here is my directive:
<Directory "C:/Program Files/Apache Software Foundation/Apache2.2/cgi-bin">
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLOptions +StdEnvVars
</Directory>

This is in extra/httpd-ssl.conf, basically everything is out of the box 2.2.14 
so I could eliminate any customizations we made. The only real changes are me 
pointing to the certificates and adding this directive.

What works:
Accessing https://servername (which is running on 443) works and the client 
trusts the server. I see the infamous Apache: 'It Works!'
All client browsers (IE, Firefox; Windows 7, Windows Vista; 32-bit, 64-bit) all work.

What doesn't work (completely):
https://servername/cgi-bin/printenv.tcl
Note: I have a tcl interpreter running a custom printenv.tcl, but the file 
doesn't matter; assume we are just trying to access cgi-bin directly, the same 
issue exists there. The same issue exists if I set the directive on the whole 
webserver (e.g. <location />).
Now, here is where it gets interesting. What should happen is the client should 
prompt for a client certificate from the smart card reader and ask the user for 
their PIN.
On Firefox 3.5.3 it prompts the user for their smart card PIN as long as the 
Security Device for ActivClient is installed. Works great!
IE 8.0 on Windows 7 didn't work; after rebuilding the system it works now.
All the other systems (tested 10) running IE will not work. This is where I am 
completely baffled. I've tried everything I could think of. But where I am 
stuck now is I can't seem to get IE 7 or 8 to (via ActivClient) prompt for a 
PIN. Using the same client and the same IE browser to access some of our internal 
sites where we require a certificate, it works fine. Just not to my site on 
Apache. The other two sites that do work are hosted by IIS 6 and Omniture 
Dc/2.0.0 (at least states the HTTP header).

If anyone needs more information from me or has any advice here, please let me 
know. I'm stumped and have been scouring Google for hours with no luck.
Thanks

-          Steve


