Windows Security prompts wrong user for access to the PKI key: Personal Certificate Internet Explorer 11

Created: 12 May 2014 • Updated: 28 May 2014 | 3 comments

First of all I'm not sure if this is the right place for my question, but I hope to find an answer to this problem.

We use personal certificates issued from Symantec on a work related website. This certificate stores the private key in the personal certificate storage, and when we access the page we get a prompt to choose the certificate. After that it should ask for access to the private key. The problem is that this prompt does not pop up to the user who accesses the site, but to the first user who has logged on to the server. This means that he/she has to accept this prompt for every user that wants access to the website. The website does not load until she does this.

We are running Server 2012 R2 with RDS and Internet Explorer 11. This error does not occur on Server 2008 R2 with IE10.

Any suggestions on how to solve this, or where to find any information that can lead me on the right track?

3 Comments

Patrick R.

Greetings Alfern,

Certificate installations for users are installed to the Certificates - Current User certificate store. As such, the only certificates that can show up for authentication purposes are those which were created on the currently active user profile.

If you have multiple certificates installed to the same profile, and just want to be prompted again, you will need to restart your browser entirely as that will reset the SSL state.

If you want users to always have access to their own certificates no matter which workstation they are at, you can look at a token setup where certificates are installed to a USB device that they can carry with them.

If you believe this behavior is particular to a specific operating system, you may wish to check with Microsoft to learn the expected behavior.

Regards,

Patrick

alfern

Hi.

This is a Remote Desktop Server. The first user that logs on in the morning will get all certificate prompts from all users on the server that access the website. All users have their unique certificate installed. When they access the website they get prompted for the certificate, choose it and click "ok". Then the other user (the first logged on user) gets the prompt to accept the certificate. The website is not hosted by us.

Screenshots are in Norwegian:

Prompt 1 (To each user that accesses the website)

(Translated: Windows Security, Confirm Certificate, Confirm this certificate by clicking OK, Cancel if it's the wrong certificate 'certificate info below')

Prompt 2: (Presented to the first user that has logged on to the RDS environment.)

(Translated: Windows Security, Authentication needed, do you want the application to access your private key? Accept/Don't Accept)

Patrick R.

Greetings Again,

If I'm understanding this correctly, you have multiple users logged into the same server remotely at the same time, and one person is getting the certificate prompts for all users as they try to access a website?

Unfortunately, this has nothing to do with the actual certificates themselves, but with how the Microsoft Software is directing the prompts.

I would recommend reaching out to Microsoft Support and bringing this to their attention as it may cause security issues. They may be able to resolve this issue for you.

Regards,

Patrick