Microsoft KB Archive/229788

= Membership Authentication Fails with Client Certificate =

Article ID: 229788

Article Last Modified on 10/28/2002


APPLIES TO


 * Microsoft Site Server 3.0 Standard Edition




This article was previously published under Q229788



SYMPTOMS
Membership authentication with a client certificate always fails if Unicode characters are used to encode the certificate's subject or issuer field. Unicode characters are used to encode certificate fields that include extended (non-English) characters such as the following:

à, é, è, ä, ë, ï (ANSI characters 224, 233, 232, 228, 235, 239).



CAUSE
This problem is caused by Request.ClientCertificate, which does not handle Unicode-based certificate fields correctly.

During the certificate registration, Regcert.asp computes a hash based on the certificate "SUBJECT" and "ISSUER" fields:

 ...
 set x = Server.CreateObject("Membership.verifusr.1")
 y = x.HashCert(Request.ClientCertificate("SUBJECT"),Request.ClientCertificate("ISSUER"))
 ...

If the certificate's subject (or issuer) field is Unicode-encoded, Request.ClientCertificate returns only the first character of the field, so the hash is computed incorrectly and stored in the membership database. Subsequent authentication using the user's certificate will always fail.



WORKAROUND
To work around this issue, modify Regcert.asp to use Request.ServerVariables instead of Request.ClientCertificate.

Regcert.asp is located in \Microsoft Site Server\Sites\samples\knowledge\membership\sampapps\pers.

The following is an example of the modification:

 set x = Server.CreateObject("Membership.verifusr.1")
 '********************************************************
 ' Returns source_string with the value of token_name replaced by
 ' the value that token_name has in dest_string.
 function ReplaceToken(token_name,source_string,dest_string)
   ' Take the token's value from dest_string, up to and including the next comma.
   pos=InStr(1, dest_string, token_name)
   replaceStr=right(dest_string,len(dest_string)+1-pos-len(token_name))
   pos=InStr(1, replaceStr, ",")
   if pos>0 then
     replaceStr=left(replaceStr,pos)
   end if
   ' Split source_string: destStr1 ends with the token name,
   ' destStr2 is whatever follows the comma after the token's old value.
   pos=InStr(1, source_string, token_name)
   destStr1=left(source_string,pos+len(token_name)-1)
   destStr2=right(source_string,len(source_string)-pos)
   pos=InStr(1, destStr2, ",")
   if pos>0 then
     destStr2=right(destStr2,len(destStr2)-pos)
   else
     destStr2=""
   end if
   ReplaceToken=destStr1+replaceStr+destStr2
 end function
 ' Rebuild the subject from the values in CERT_SUBJECT.
 source=Request.ClientCertificate("SUBJECT")
 dest=Request.ServerVariables("CERT_SUBJECT")
 source=ReplaceToken(" CN=",source,dest)
 source=ReplaceToken(" S=",source,dest)
 source=ReplaceToken(" L=",source,dest)
 source=ReplaceToken(" O=",source,dest)
 source=ReplaceToken(" OU=",source,dest)
 subject=source
 ' Rebuild the issuer from the values in CERT_ISSUER.
 source=Request.ClientCertificate("ISSUER")
 dest=Request.ServerVariables("CERT_ISSUER")
 source=ReplaceToken(" CN=",source,dest)
 source=ReplaceToken(" S=",source,dest)
 source=ReplaceToken(" L=",source,dest)
 source=ReplaceToken(" O=",source,dest)
 source=ReplaceToken(" OU=",source,dest)
 issuer=source
 ' Hash the rebuilt strings instead of the truncated ones.
 y = x.HashCert(subject,issuer)
 '********************************************************
 AddToAttribute "userCertificateHash", y
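As an added check that is not part of the original article, the following stand-alone VBScript (run with cscript) compares a subject string as returned by Request.ClientCertificate with the one from Request.ServerVariables and lists the fields that were cut to their first character, which is the condition that produces an unusable stored hash. The names ParseDN and TruncatedTokens and the sample strings are constructed for illustration; field values are assumed to contain no commas and each token is assumed to occur once.

```vbscript
Option Explicit

' Split a distinguished-name string such as "C=FR, O=Example, CN=Name"
' into a Dictionary keyed by upper-cased token (C, O, CN, ...).
' Assumption: values contain no embedded commas, the same assumption
' the workaround's ReplaceToken makes. A repeated token keeps its last value.
Function ParseDN(dn)
    Dim d, part, item, eq
    Set d = CreateObject("Scripting.Dictionary")
    For Each part In Split(dn, ",")
        item = Trim(part)
        eq = InStr(item, "=")
        If eq > 1 Then d(UCase(Left(item, eq - 1))) = Mid(item, eq + 1)
    Next
    Set ParseDN = d
End Function

' Return the tokens whose value in the Request.ClientCertificate string is
' exactly the first character of a longer value in the
' Request.ServerVariables string (the truncation the article describes).
Function TruncatedTokens(fromClientCert, fromServerVar)
    Dim a, b, key, found
    Set a = ParseDN(fromClientCert)
    Set b = ParseDN(fromServerVar)
    found = ""
    For Each key In b.Keys
        If a.Exists(key) Then
            If Len(b(key)) > 1 And a(key) = Left(b(key), 1) Then
                found = found & key & " "
            End If
        End If
    Next
    TruncatedTokens = Trim(found)
End Function

' Constructed sample strings (not from the article). In Regcert.asp the first
' would be Request.ClientCertificate("SUBJECT") and the second
' Request.ServerVariables("CERT_SUBJECT"); the ISSUER / CERT_ISSUER pair
' can be checked the same way before HashCert is called.
Dim clientCertSubject, serverVarSubject, hits
clientCertSubject = "C=FR, O=S, CN=J"
serverVarSubject = "C=FR, O=Soci" & ChrW(233) & "t" & ChrW(233) & " Exemple, CN=J" & _
                   ChrW(233) & "r" & ChrW(244) & "me Martin"
hits = TruncatedTokens(clientCertSubject, serverVarSubject)
If hits <> "" Then
    WScript.Echo "Truncated fields: " & hits & " (a hash of this subject will not match)"
Else
    WScript.Echo "Subject fields match"
End If
```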

Additional query words: membership authentication certificate unicode ValueType

Keywords: kbprb KB229788


© Microsoft Corporation. All rights reserved.