Microsoft KB Archive/260749

= Internet Explorer Does Not Display Applicable Client Certificates =

Article ID: 260749

Article Last Modified on 1/27/2007


APPLIES TO


 * Microsoft Internet Explorer 5.01
 * Microsoft Internet Explorer 5.0
 * Microsoft Internet Explorer 4.01 Service Pack 1
 * Microsoft Internet Explorer 4.01 Service Pack 2
 * Microsoft Internet Explorer 4.0 128-Bit Edition
 * Microsoft Internet Information Server 3.0
 * Microsoft Internet Information Server 4.0




This article was previously published under Q260749



SYMPTOMS
Client certificates may not be listed as you expect in Internet Explorer when you connect to a secure (HTTPS://) Web site. This results in the Client Certificates list being blank or not containing applicable client certificates. This issue has been observed in the following situations:
 * On newly installed Internet Explorer 5 clients
 * After upgrading the Internet Information Server (IIS) server to Microsoft Windows NT 4.0 SP4 or later



RESOLUTION
To resolve this issue, use any of the following methods:

 * Enable Private Communications Technology (PCT) on the Internet Explorer clients that are exhibiting the issue. Do this on Internet Explorer 5 clients that have been freshly installed. NOTE: This is a short-term workaround. Microsoft recommends using the next method.
 * Resolve the issue that prevents Internet Explorer from selecting applicable client certificates when you connect by using Transport Layer Security (TLS)/Secure Socket Layer 3 (SSL3). This issue likely occurs because:
   * The certificate authority (CA) root certificate is not installed correctly on the Web server. This prevents IIS from passing the CA's distinguished name (DN) to the client. To resolve this issue:
     * On IIS3, install the CA root certificate in Internet Explorer.
     * On IIS 4.0 up to Windows NT 4.0 SP3, install the CA root certificate in Internet Explorer and use Iisca.exe to transfer the root certificates to IIS. If you are using Windows NT 4.0 SP4 or later, Iisca.exe is not required. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
       194788 Windows NT Service Pack 4 and Client Certificates
   * The client certificate does not match the CA root certificate. Use the Certutil tool with the -verify option to verify that the client certificate matches the CA certificate.


MORE INFORMATION
When you connect to a secure (HTTPS://) Web site, the negotiated protocol that supports client certificates can be either PCT or TLS/SSL3 depending on the client and server configuration.

Default Server Configuration

 * The default security protocol up to Windows NT 4.0 SP3 is PCT.
 * The default security protocol for Windows NT 4.0 SP4 and later is TLS/SSL3.

For additional information about how to enable or disable security protocols, click the article number below to view the article in the Microsoft Knowledge Base:

187498 Disable PCT 1.0, SSL 2.0, or SSL 3.0 on IIS

Default Client Configuration

 * Internet Explorer 4.x has all security protocols enabled.
 * Internet Explorer 5 has PCT disabled.

Note that upgrading from Internet Explorer 4.x to Internet Explorer 5 results in keeping the Internet Explorer 4.x settings.

When a Web server requests a client certificate, Internet Explorer builds a list of certificates by using the following method:
 * If PCT is negotiated, Internet Explorer builds a list of all client certificates regardless of certificate authorities.
 * If TLS/SSL3 is used, Internet Explorer builds a list of client certificates matching:
   * A list of well-known certificate authorities such as VeriSign.
   * A list of certificate authorities passed by the server (see section 5.6.4 of the TLS/SSL3 specification available at http://home.netscape.com/eng/ssl3/index.html).
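
The following added example (not Microsoft's or Internet Explorer's code) parses the SSL 3.0 / TLS 1.0 CertificateRequest body that carries the server's CA list and models the selection rule described above, showing why a client certificate drops out of the list when the server cannot send its CA's DN. The certificate store, the CA names and the helper names are constructed assumptions, and issuer matching is simplified to a byte comparison.

```python
import struct

def parse_certificate_request(body: bytes):
    """Parse an SSL 3.0 / TLS 1.0 CertificateRequest body: certificate_types<1..255>,
    then certificate_authorities, a 2-byte-length list of 2-byte-length DER names."""
    if not body or len(body) < 1 + body[0] + 2:
        raise ValueError("truncated CertificateRequest")
    pos = 1 + body[0]
    cert_types = list(body[1:pos])
    (ca_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + ca_len
    if end != len(body):
        raise ValueError("certificate_authorities length mismatch")
    names = []
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("bad DistinguishedName length")
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    return cert_types, names

def offered_certificates(store, protocol, server_cas, well_known):
    """Model of the selection rule the article describes (not Internet Explorer's code)."""
    if protocol == "PCT":  # PCT: every client certificate is listed
        return [c["name"] for c in store]
    allowed = set(server_cas) | set(well_known)  # TLS/SSL3: filter by issuer
    return [c["name"] for c in store if c["issuer"] in allowed]

def build_request(cert_types, names):
    """Build a sample CertificateRequest body (helper for the constructed data below)."""
    cas = b"".join(struct.pack("!H", len(n)) + n for n in names)
    return bytes([len(cert_types), *cert_types]) + struct.pack("!H", len(cas)) + cas

# Constructed sample data: plain byte strings stand in for DER-encoded issuer names.
CORP_CA, PUBLIC_CA = b"CN=Example Corp Root CA", b"CN=Example Public CA"
STORE = [{"name": "alice-corp", "issuer": CORP_CA},
         {"name": "alice-public", "issuer": PUBLIC_CA}]
WELL_KNOWN = [PUBLIC_CA]

if __name__ == "__main__":
    for label, cas in (("root installed on server", [CORP_CA]), ("root missing", [])):
        _, names = parse_certificate_request(build_request([1], cas))  # type 1 = rsa_sign
        print(label, "->", offered_certificates(STORE, "TLS/SSL3", names, WELL_KNOWN))
    print("PCT ->", offered_certificates(STORE, "PCT", [], WELL_KNOWN))
```

With the root missing on the server, only the certificate issued by the well-known CA is offered under TLS/SSL3, while PCT lists both.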

Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
