Membership Authentication Fails with Client Certificate
ID: Q229788
The information in this article applies to:
- Microsoft Site Server version 3.0
SYMPTOMS
Membership authentication with a client certificate always fails if Unicode characters are used to encode the certificate's subject or issuer field.
Unicode characters are used to encode certificate fields that include extended (non-English) characters such as à, é, è, ä, ë, ï (ANSI characters 224, 233, 232, 228, 235, 239).
CAUSE
This problem is caused by Request.ClientCertificate(), which does not handle Unicode-based certificate fields correctly.
During the certificate registration, Regcert.asp computes a hash based on the certificate "SUBJECT" and "ISSUER" fields:
...
Set x = Server.CreateObject("Membership.verifusr.1")
y = x.HashCert(Request.ClientCertificate("SUBJECT"), Request.ClientCertificate("ISSUER"))
...
If the certificate's subject (or issuer) field is Unicode encoded, Request.ClientCertificate() returns only the first character of the field, so the hash is computed over the wrong value and that incorrect hash is stored in the membership database. Subsequent authentication with the user's certificate will always fail.
WORKAROUND
To work around this issue, modify Regcert.asp to use Request.ServerVariables() instead of Request.ClientCertificate().
Regcert.asp is located in \Microsoft Site Server\Sites\samples\knowledge\membership\sampapps\pers.
The following is an example of the modification:
Set x = Server.CreateObject("Membership.verifusr.1")
'********************************************************
' Copy the value that follows token_name in dest_string (the intact
' CERT_SUBJECT / CERT_ISSUER server variable) over the value that
' follows token_name in source_string (the Request.ClientCertificate()
' string, whose Unicode-encoded values come back truncated).
' Values are comma-delimited; the copied value keeps its trailing comma.
Function ReplaceToken(token_name, source_string, dest_string)
    Dim pos, replaceStr, destStr1, destStr2
    ' Extract the replacement value from dest_string.
    pos = InStr(1, dest_string, token_name)
    If pos = 0 Then
        ' Token not present in the server variable: nothing to copy.
        ReplaceToken = source_string
        Exit Function
    End If
    replaceStr = Right(dest_string, Len(dest_string) + 1 - pos - Len(token_name))
    pos = InStr(1, replaceStr, ",")
    If pos > 0 Then
        replaceStr = Left(replaceStr, pos)
    End If
    ' Split source_string into the part up to and including the token
    ' and the part after the (possibly truncated) value.
    pos = InStr(1, source_string, token_name)
    If pos = 0 Then
        ' Token not present in the client certificate string either.
        ReplaceToken = source_string
        Exit Function
    End If
    destStr1 = Left(source_string, pos + Len(token_name) - 1)
    destStr2 = Right(source_string, Len(source_string) - pos)
    pos = InStr(1, destStr2, ",")
    If pos > 0 Then
        destStr2 = Right(destStr2, Len(destStr2) - pos)
    Else
        destStr2 = ""
    End If
    ReplaceToken = destStr1 & replaceStr & destStr2
End Function

' Rebuild the subject from the intact CERT_SUBJECT server variable.
source = Request.ClientCertificate("SUBJECT")
dest = Request.ServerVariables("CERT_SUBJECT")
source = ReplaceToken(" CN=", source, dest)
source = ReplaceToken(" S=", source, dest)
source = ReplaceToken(" L=", source, dest)
source = ReplaceToken(" O=", source, dest)
source = ReplaceToken(" OU=", source, dest)
subject = source

' Do the same for the issuer using CERT_ISSUER.
source = Request.ClientCertificate("ISSUER")
dest = Request.ServerVariables("CERT_ISSUER")
source = ReplaceToken(" CN=", source, dest)
source = ReplaceToken(" S=", source, dest)
source = ReplaceToken(" L=", source, dest)
source = ReplaceToken(" O=", source, dest)
source = ReplaceToken(" OU=", source, dest)
issuer = source

' Hash the repaired subject and issuer instead of the raw
' Request.ClientCertificate() values.
y = x.HashCert(subject, issuer)
'********************************************************
AddToAttribute "userCertificateHash", y
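The cause described above and the ReplaceToken workaround, as an added Python port that is not Microsoft's code (the article's own workaround is the VBScript in Regcert.asp). It merges constructed subject and issuer strings the way Regcert.asp does, and adds a guard for a token missing on either side that the KB code does not have. HashCert on Membership.verifusr.1 is opaque, so a SHA-256 over subject and issuer stands in for it (an assumption); the only point shown is that the hash over the truncated fields differs from the hash over the intact fields, while the merged fields reproduce the intact hash. The subject, issuer and truncated strings are constructed samples.

```python
import hashlib

# Tokens the KB workaround merges. The leading space keeps " O=" from matching
# inside " OU=" and skips the first attribute, which has no leading space.
TOKENS = (" CN=", " S=", " L=", " O=", " OU=")


def replace_token(token: str, source: str, dest: str) -> str:
    """Copy the value that follows `token` in `dest` over the value that follows
    `token` in `source`. Values are comma-delimited; the copied value keeps its
    trailing comma so the reassembled string stays well-formed."""
    dpos = dest.find(token)
    spos = source.find(token)
    if dpos < 0 or spos < 0:
        # Token absent on either side: nothing to merge (guard added here).
        return source
    value = dest[dpos + len(token):]
    comma = value.find(",")
    if comma >= 0:
        value = value[:comma + 1]
    head = source[:spos + len(token)]
    tail = source[spos + len(token):]
    comma = tail.find(",")
    tail = tail[comma + 1:] if comma >= 0 else ""
    return head + value + tail


def merge_fields(source: str, dest: str, tokens=TOKENS) -> str:
    """Apply replace_token for every token, as Regcert.asp does for SUBJECT and ISSUER."""
    for token in tokens:
        source = replace_token(token, source, dest)
    return source


def cert_hash(subject: str, issuer: str) -> str:
    """Stand-in for HashCert (assumption: the real method is opaque; any
    deterministic hash of subject and issuer shows the same mismatch)."""
    return hashlib.sha256(f"{subject}\x00{issuer}".encode("utf-8")).hexdigest()


# Constructed sample: the intact CERT_SUBJECT / CERT_ISSUER server variables ...
CERT_SUBJECT = "C=FR, S=Île-de-France, L=Paris, O=Société Exemple, OU=Ventes, CN=José Müller"
CERT_ISSUER = "C=FR, O=Autorité Exemple, CN=Autorité Exemple CA"
# ... and what the article says Request.ClientCertificate() returns for
# Unicode-encoded values: only their first character (constructed to match).
TRUNC_SUBJECT = "C=FR, S=Î, L=Paris, O=S, OU=Ventes, CN=J"
TRUNC_ISSUER = "C=FR, O=A, CN=A"


def registration_hashes() -> dict:
    """Hash the unmodified Regcert.asp would store, hash the workaround stores,
    and hash computed from the intact fields."""
    return {
        "buggy": cert_hash(TRUNC_SUBJECT, TRUNC_ISSUER),
        "workaround": cert_hash(merge_fields(TRUNC_SUBJECT, CERT_SUBJECT),
                                merge_fields(TRUNC_ISSUER, CERT_ISSUER)),
        "expected": cert_hash(CERT_SUBJECT, CERT_ISSUER),
    }


if __name__ == "__main__":
    h = registration_hashes()
    print("unmodified Regcert.asp hash matches intact fields:", h["buggy"] == h["expected"])
    print("workaround hash matches intact fields:           ", h["workaround"] == h["expected"])
```

The merge only repairs values whose token is present in both strings, so a subject with fewer attributes than the token list (the issuer sample has no S, L or OU) passes through unchanged for the missing tokens rather than producing a garbled string.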
Additional query words: membership authentication certificate unicode ValueType
Keywords:
Version: winnt:3.0
Platform: winnt
Issue type: kbprb