Membership Authentication Fails with Client Certificate (229788)



The information in this article applies to:

  • Microsoft Site Server 3.0

This article was previously published under Q229788

SYMPTOMS

Membership authentication with a client certificate always fails if Unicode characters are used to encode the certificate's subject or issuer field. Unicode characters are used to encode certificate fields that include extended (non-English) characters such as the following:

à, é, è, ä, ë, ï (ANSI characters 224, 233, 232, 228, 235, 239).

CAUSE

This problem is caused by Request.ClientCertificate(), which does not handle Unicode-encoded certificate fields correctly.

During certificate registration, Regcert.asp computes a hash from the certificate's SUBJECT and ISSUER fields:
...
set x = Server.CreateObject("Membership.verifusr.1")
y = x.HashCert(Request.ClientCertificate("SUBJECT"),Request.ClientCertificate("ISSUER"))
...
If the certificate's subject (or issuer) field is Unicode-encoded, Request.ClientCertificate() returns only the first character of the field, so the hash that Regcert.asp computes and stores in the membership database is built from truncated data. Every subsequent authentication with the user's certificate is checked against that wrong hash and fails.

WORKAROUND

To work around this issue, modify Regcert.asp so that the attribute values used for the hash are taken from Request.ServerVariables("CERT_SUBJECT") and Request.ServerVariables("CERT_ISSUER"), which return the fields intact, instead of from Request.ClientCertificate().

Regcert.asp is located in \Microsoft Site Server\Sites\samples\knowledge\membership\sampapps\pers.

The following is an example of the modification:

set x = Server.CreateObject("Membership.verifusr.1")

'********************************************************
' ReplaceToken: copy the value that follows token_name in dest_string
' (the Request.ServerVariables copy of the field, which is intact) over the
' value that follows token_name in source_string (the Request.ClientCertificate
' copy, whose value may be cut to its first character).
' A value runs from the token up to the next comma, so values are assumed
' not to contain commas. If the token is absent from either string, the
' source string is returned unchanged.
function ReplaceToken(token_name, source_string, dest_string)
  dim pos, replaceStr, destStr1, destStr2

  ReplaceToken = source_string

  ' Intact value: everything after the token in dest_string, up to the
  ' first comma (the comma itself is not copied).
  pos = InStr(1, dest_string, token_name)
  if pos = 0 then exit function
  replaceStr = Mid(dest_string, pos + Len(token_name))
  pos = InStr(1, replaceStr, ",")
  if pos > 0 then replaceStr = Left(replaceStr, pos - 1)

  pos = InStr(1, source_string, token_name)
  if pos = 0 then exit function
  ' destStr1: source_string up to and including the token.
  destStr1 = Left(source_string, pos + Len(token_name) - 1)
  ' destStr2: the rest of source_string from the comma that ends the
  ' truncated value onward, or nothing if this was the last attribute.
  destStr2 = Mid(source_string, pos + Len(token_name))
  pos = InStr(1, destStr2, ",")
  if pos > 0 then
    destStr2 = Mid(destStr2, pos)
  else
    destStr2 = ""
  end if

  ReplaceToken = destStr1 & replaceStr & destStr2
end function

' Attribute tokens to repair. The leading space keeps " O=" from matching
' inside " OU=". Add further tokens if your certificates carry other
' attributes with extended characters.
dim tokens, t, subject, issuer
tokens = Array(" CN=", " S=", " L=", " O=", " OU=")

' Rebuild the subject attribute by attribute from the intact CERT_SUBJECT.
subject = Request.ClientCertificate("SUBJECT")
for each t in tokens
  subject = ReplaceToken(t, subject, Request.ServerVariables("CERT_SUBJECT"))
next

' Same for the issuer, from CERT_ISSUER.
issuer = Request.ClientCertificate("ISSUER")
for each t in tokens
  issuer = ReplaceToken(t, issuer, Request.ServerVariables("CERT_ISSUER"))
next

y = x.HashCert(subject, issuer)
'********************************************************
AddToAttribute "userCertificateHash", y

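The following Python model of the workaround is an added example, not code from this article or from Site Server; it ports the ReplaceToken splicing to plain functions so the behaviour can be exercised offline. The DN strings are constructed sample input, built on the reading the workaround itself implies: the truncation affects individual attribute values, since the patched Regcert.asp still locates each attribute token in the Request.ClientCertificate() string. The hash_cert function is a SHA-1 stand-in for Membership.verifusr.HashCert (whose algorithm the article does not describe) and exists only to show that a hash computed from truncated fields cannot match one computed from the intact fields. The model also covers two cases the article's VBScript does not guard against: a token missing from either string, and a value that is the last attribute in one string but not in the other. Like the article's code, it assumes attribute values contain no commas; a DN with quoted or escaped commas would need a real DN parser.

```python
"""Model of the Regcert.asp workaround from KB 229788 (added example, not
Site Server code). Request.ClientCertificate("SUBJECT") is modelled by a DN
string whose Unicode-encoded values are cut to their first character;
Request.ServerVariables("CERT_SUBJECT") by the intact DN string."""
import hashlib

# Attribute tokens in the order the patched Regcert.asp replaces them.
# The leading space stops " O=" from matching inside " OU=".
TOKENS = (" CN=", " S=", " L=", " O=", " OU=")


def replace_token(token, source, dest):
    """Copy the value following `token` in `dest` over the value following
    `token` in `source`. A value ends at the next comma, so values are
    assumed comma-free (the same assumption the article's VBScript makes).
    If the token is absent from either string, `source` is returned as is."""
    src_pos = source.find(token)
    dst_pos = dest.find(token)
    if src_pos < 0 or dst_pos < 0:
        return source
    # Intact value: text after the token in dest, up to (not including) a comma.
    good = dest[dst_pos + len(token):]
    comma = good.find(",")
    if comma >= 0:
        good = good[:comma]
    # Keep source up to and including the token, drop its truncated value,
    # and keep the remainder from the comma that ended that value (if any).
    head = source[:src_pos + len(token)]
    rest = source[src_pos + len(token):]
    comma = rest.find(",")
    tail = rest[comma:] if comma >= 0 else ""
    return head + good + tail


def repair_field(client_value, server_value, tokens=TOKENS):
    """Rebuild a ClientCertificate field from the matching ServerVariables
    field one attribute at a time, as the patched Regcert.asp does."""
    for token in tokens:
        client_value = replace_token(token, client_value, server_value)
    return client_value


def hash_cert(subject, issuer):
    """Stand-in for Membership.verifusr.HashCert (assumption: the real
    algorithm is not documented in the article). Only the comparison
    matters here: different inputs give different hashes."""
    return hashlib.sha1(f"{subject}|{issuer}".encode("utf-8")).hexdigest()


# Constructed sample input. The extended characters (é, è, ...) are the kind
# the article says force Unicode encoding of the field; those values come
# back from ClientCertificate cut to one character.
CERT_SUBJECT = ("C=FR, S=Ile-de-France, L=Paris, O=Société Générique, "
                "OU=Ventes, CN=René Dupont")
CLIENT_SUBJECT = "C=FR, S=Ile-de-France, L=Paris, O=S, OU=Ventes, CN=R"
CERT_ISSUER = "C=FR, O=Autorité Test, CN=Autorité Test CA"
CLIENT_ISSUER = "C=FR, O=A, CN=A"


def registration_hashes():
    """Return (hash Regcert.asp stored before the fix, hash after the fix,
    hash of the intact fields) for the sample certificate."""
    broken = hash_cert(CLIENT_SUBJECT, CLIENT_ISSUER)
    fixed = hash_cert(repair_field(CLIENT_SUBJECT, CERT_SUBJECT),
                      repair_field(CLIENT_ISSUER, CERT_ISSUER))
    expected = hash_cert(CERT_SUBJECT, CERT_ISSUER)
    return broken, fixed, expected


if __name__ == "__main__":
    broken, fixed, expected = registration_hashes()
    print("before fix matches:", broken == expected)  # False
    print("after fix matches: ", fixed == expected)   # True
```

Run it as a script to see the before/after comparison; the splice keeps the layout of the ClientCertificate string and changes only the attribute values, which is what the article's ReplaceToken does token by token.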

Modification Type: Major
Last Reviewed: 10/28/2002
Keywords:kbprb KB229788