Membership Authentication Fails with Client Certificate

ID: Q229788


The information in this article applies to:


SYMPTOMS

Membership authentication with a client certificate always fails if Unicode characters are used to encode the certificate's subject or issuer field. Unicode characters are used to encode certificate fields that include extended (non-English) characters such as the following:

à,é,è,ä,ë,ï (ANSI characters 224,233,232,228,235,239).


CAUSE

This problem is caused by Request.ClientCertificate(), which does not handle Unicode-based certificate fields correctly.

During the certificate registration, Regcert.asp computes a hash based on the certificate "SUBJECT" and "ISSUER" fields:


...
set x = Server.CreateObject("Membership.verifusr.1")
y = x.HashCert(Request.ClientCertificate("SUBJECT"),Request.ClientCertificate("ISSUER"))
... 
If the certificate's subject (or issuer) field is Unicode encoded, Request.ClientCertificate() returns only the first character of the field, so the hash is computed from the wrong value and stored in the membership database. Subsequent authentication with the user's certificate will therefore always fail.


WORKAROUND

To work around this issue, modify Regcert.asp to use Request.ServerVariables() instead of Request.ClientCertificate().

Regcert.asp is located in \Microsoft Site Server\Sites\samples\knowledge\membership\sampapps\pers.

The following is an example of the modification:


set x = Server.CreateObject("Membership.verifusr.1")

'********************************************************
' Replace the value that follows token_name (for example " CN=")
' in source_string with the value that follows the same token in
' dest_string. A value runs up to the next comma or to the end of
' the string. If the token is missing from either string, the
' source string is returned unchanged.
function ReplaceToken(token_name, source_string, dest_string)
    dim pos, replaceStr, destStr1, destStr2

    pos = InStr(1, dest_string, token_name)
    if pos = 0 or InStr(1, source_string, token_name) = 0 then
        ReplaceToken = source_string
        exit function
    end if

    ' Value from dest_string, including the trailing comma if any
    replaceStr = right(dest_string, len(dest_string) + 1 - pos - len(token_name))
    pos = InStr(1, replaceStr, ",")
    if pos > 0 then
        replaceStr = left(replaceStr, pos)
    end if

    ' Text of source_string up to and including the token ...
    pos = InStr(1, source_string, token_name)
    destStr1 = left(source_string, pos + len(token_name) - 1)
    ' ... and the text that follows the old value's comma
    destStr2 = right(source_string, len(source_string) - pos)
    pos = InStr(1, destStr2, ",")
    if pos > 0 then
        destStr2 = right(destStr2, len(destStr2) - pos)
    else
        destStr2 = ""
    end if

    ReplaceToken = destStr1 & replaceStr & destStr2
end function

' Rebuild the subject from the server variable, which carries the
' Unicode fields intact.
source = Request.ClientCertificate("SUBJECT")
dest = Request.ServerVariables("CERT_SUBJECT")
source = ReplaceToken(" CN=", source, dest)
source = ReplaceToken(" S=", source, dest)
source = ReplaceToken(" L=", source, dest)
source = ReplaceToken(" O=", source, dest)
source = ReplaceToken(" OU=", source, dest)
subject = source

' Same for the issuer.
source = Request.ClientCertificate("ISSUER")
dest = Request.ServerVariables("CERT_ISSUER")
source = ReplaceToken(" CN=", source, dest)
source = ReplaceToken(" S=", source, dest)
source = ReplaceToken(" L=", source, dest)
source = ReplaceToken(" O=", source, dest)
source = ReplaceToken(" OU=", source, dest)
issuer = source

y = x.HashCert(subject, issuer)
'********************************************************
AddToAttribute "userCertificateHash", y
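
The following is an added example, not code from this article or from Site Server. It models the workaround above in Python so the merge can be checked offline: each attribute value that HashCert() will see is taken from the CERT_SUBJECT or CERT_ISSUER server variable rather than from Request.ClientCertificate(). It goes slightly beyond the VBScript above in that attributes missing from either string, or listed in a different order, are tolerated. All certificate values below are constructed.

```python
# Added example (not from the KB article or Site Server). Models the
# Regcert.asp workaround: rebuild the subject/issuer string passed to
# HashCert() from the server variable's values. Inputs are constructed.

# Attribute keys the KB workaround copies over (CN, S, L, O, OU).
TOKENS = ("CN", "S", "L", "O", "OU")


def parse_dn(dn):
    """Split 'CN=x, OU=y, ...' into an ordered list of (key, value).

    A value runs up to the next comma, exactly as the article's
    ReplaceToken() assumes; keys are compared case-sensitively.
    """
    parts = []
    for item in dn.split(","):
        key, sep, value = item.strip().partition("=")
        if sep:
            parts.append((key.strip(), value.strip()))
    return parts


def merge_fields(client_cert_value, server_variable_value, tokens=TOKENS):
    """Return client_cert_value with every listed attribute's value
    replaced by the one found in server_variable_value.

    Attributes absent from the server variable, or not in `tokens`,
    keep the value from the client-certificate string.
    """
    good = dict(parse_dn(server_variable_value))
    merged = []
    for key, value in parse_dn(client_cert_value):
        if key in tokens and key in good:
            value = good[key]
        merged.append(f"{key}={value}")
    return ", ".join(merged)


if __name__ == "__main__":
    # Constructed values: the client-certificate view has lost the
    # accented CN, the server variable still carries it intact.
    subject_cc = "CN=H, OU=Sales, O=Example, L=Paris, C=FR"
    subject_sv = "CN=Hélène Müller, OU=Sales, O=Example, L=Paris, C=FR"
    print(merge_fields(subject_cc, subject_sv))
```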
 

Additional query words: membership authentication certificate unicode ValueType


Keywords          : 
Version           : winnt:3.0
Platform          : winnt 
Issue type        : kbprb 

Last Reviewed: April 23, 1999