Otdfbt

Why doesn't a particle exert force on itself?

How long can fsck take on a 30 TB volume?

Efficient manipulation of Associations passed to functions, how to?

"I can't place her": How do Russian speakers express this idea colloquially?

What is the oldest instrument ever?

Do these creatures from the Tomb of Annihilation campaign speak Common?

How to append code verbatim to .bashrc?

Should one save up to purchase a house/condo or maximize their 401k first?

Magical Modulo Squares

GLM: Modelling proportional data - account for variation in total sample size

why it is 2>&1 and not 2>>&1 to append to a log file

Cyclic queue using an array in C#

Is your maximum jump distance halved by grappling?

Company stopped paying my salary. What are my options?

Examples where existence is harder than evaluation

Are wands in any sort of book going to be too much like Harry Potter?

How do integrated charger ICs dissipate differences in VCC and the battery voltage?

What happens when the drag force exceeds the weight of an object falling into earth?

Crime rates in a post-scarcity economy

Why doesn't Dany protect her dragons better?

get unsigned long long addition carry

I'm attempting to understand my 401k match and how much I need to contribute to maximize the match

How can I test a shell script in a "safe environment" to avoid harm to my computer?

Why is the episode called "The Last of the Starks"?

How to prevent browser from prompting for a client certificate and allow the IIS to accept it (not require it)?

WCF service and application poolHow do you configure IIS to trust internal Certificate Authorities for server-to-server https requestsSetup IIS to require client certificate and to use anonymous authenticationIIS web service responds on server, not from remote clientIIS - How to have a separate SSL for an application under the Default WebsiteClient Certificate Authentication and Windows Authentication on IISIIS ARR ReverseProxy with Client Certificate Authentication for backend IISWhat are the implications of requiring SSL and a client certificate, but leaving anonymous authentication on in IISIIS Windows Authentication : IE not choosing the right certificateIIS 10 ARR : Client certificate not interpreted by backend server

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

6

1

In a web application, I have a WCF service uses Client Certificate authentication. I checked "Accept Client Certificate" in IIS - SSL Settings and it works fine. But some times, in some browsers, if a certificate is installed on the client machine, the browser is prompting a message to choose the certificate it wants to provide to the server which is not a desired behavior since only the web service needs the certificate - not the web application!.

How can I handle it without creating an independent web project for the web service on IIS?

authentication iis wcf

share|improve this question

edited Feb 13 '15 at 9:22

Homam

asked Feb 10 '15 at 15:05

HomamHomam

168126

migrated from security.stackexchange.com Feb 13 '15 at 3:57

This question came from our site for information security professionals.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You should be able to set the SSL settings Accept Client Certificate on folder or file basis. So just put it on the files/folders that make up your service.
  
  – Peter Hahndorf
  Feb 13 '15 at 8:40
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @PeterHahndorf, I have already set it to Accept Certificate, but it is acting like it is requiring certificate! which is not desired.
  
  – Homam
  Feb 13 '15 at 9:21
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If set to accept, the server will tell the client that it supports client certificates. If the browser knows about at least one client cert, it shows the selection box to the user. My point was that you should set Accept Client Certificate only on the service files which are not directly accessed by the user.
  
  – Peter Hahndorf
  Feb 13 '15 at 9:53
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So, it is on the file / folder level. Not on the application level. Right?
  
  – Homam
  Feb 13 '15 at 12:34
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Yes, if only the services files are marked as Accept Client Certificate then the browsers will never know about it, except if you are using JavaScript on your pages to call the service.
  
  – Peter Hahndorf
  Feb 13 '15 at 14:00
  

  
  
  
  

 | 
show 1 more comment

6

1

In a web application, I have a WCF service uses Client Certificate authentication. I checked "Accept Client Certificate" in IIS - SSL Settings and it works fine. But some times, in some browsers, if a certificate is installed on the client machine, the browser is prompting a message to choose the certificate it wants to provide to the server which is not a desired behavior since only the web service needs the certificate - not the web application!.

How can I handle it without creating an independent web project for the web service on IIS?

authentication iis wcf

share|improve this question

edited Feb 13 '15 at 9:22

Homam

asked Feb 10 '15 at 15:05

HomamHomam

168126

migrated from security.stackexchange.com Feb 13 '15 at 3:57

This question came from our site for information security professionals.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  You should be able to set the SSL settings Accept Client Certificate on folder or file basis. So just put it on the files/folders that make up your service.
  
  – Peter Hahndorf
  Feb 13 '15 at 8:40
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @PeterHahndorf, I have already set it to Accept Certificate, but it is acting like it is requiring certificate! which is not desired.
  
  – Homam
  Feb 13 '15 at 9:21
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  If set to accept, the server will tell the client that it supports client certificates. If the browser knows about at least one client cert, it shows the selection box to the user. My point was that you should set Accept Client Certificate only on the service files which are not directly accessed by the user.
  
  – Peter Hahndorf
  Feb 13 '15 at 9:53
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  So, it is on the file / folder level. Not on the application level. Right?
  
  – Homam
  Feb 13 '15 at 12:34
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  Yes, if only the services files are marked as Accept Client Certificate then the browsers will never know about it, except if you are using JavaScript on your pages to call the service.
  
  – Peter Hahndorf
  Feb 13 '15 at 14:00
  

  
  
  
  

 | 
show 1 more comment

In a web application, I have a WCF service uses Client Certificate authentication. I checked "Accept Client Certificate" in IIS - SSL Settings and it works fine. But some times, in some browsers, if a certificate is installed on the client machine, the browser is prompting a message to choose the certificate it wants to provide to the server which is not a desired behavior since only the web service needs the certificate - not the web application!.

How can I handle it without creating an independent web project for the web service on IIS?

authentication iis wcf

share|improve this question

edited Feb 13 '15 at 9:22

Homam

asked Feb 10 '15 at 15:05

HomamHomam

168126

share|improve this question

edited Feb 13 '15 at 9:22

Homam

asked Feb 10 '15 at 15:05

HomamHomam

168126

share|improve this question

edited Feb 13 '15 at 9:22

Homam

asked Feb 10 '15 at 15:05

HomamHomam

168126

asked Feb 10 '15 at 15:05

HomamHomam

168126

asked Feb 10 '15 at 15:05

HomamHomam

168126

1 Answer
1

active

oldest

votes

0

From the comments it turned out, your service consisted of a few specific files, but you set the Accept Client Certificate setting for the whole application.

Use the settings on just the files (or folder) for your service, not on the application level.

share|improve this answer

answered Feb 13 '15 at 14:57

Peter HahndorfPeter Hahndorf

10.7k23052

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f667285%2fhow-to-prevent-browser-from-prompting-for-a-client-certificate-and-allow-the-iis%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

From the comments it turned out, your service consisted of a few specific files, but you set the Accept Client Certificate setting for the whole application.

Use the settings on just the files (or folder) for your service, not on the application level.

share|improve this answer

answered Feb 13 '15 at 14:57

Peter HahndorfPeter Hahndorf

10.7k23052

add a comment | 

0

From the comments it turned out, your service consisted of a few specific files, but you set the Accept Client Certificate setting for the whole application.

Use the settings on just the files (or folder) for your service, not on the application level.

share|improve this answer

answered Feb 13 '15 at 14:57

Peter HahndorfPeter Hahndorf

10.7k23052

add a comment | 

From the comments it turned out, your service consisted of a few specific files, but you set the Accept Client Certificate setting for the whole application.

Use the settings on just the files (or folder) for your service, not on the application level.

share|improve this answer

answered Feb 13 '15 at 14:57

Peter HahndorfPeter Hahndorf

10.7k23052

share|improve this answer

answered Feb 13 '15 at 14:57

Peter HahndorfPeter Hahndorf

10.7k23052

answered Feb 13 '15 at 14:57

Peter HahndorfPeter Hahndorf

10.7k23052

answered Feb 13 '15 at 14:57

Peter HahndorfPeter Hahndorf

10.7k23052