Internet Explorer Does Not Display Applicable Client Certificates (260749)



The information in this article applies to:

  • Microsoft Internet Explorer 5.01 for Windows NT 4.0
  • Microsoft Internet Explorer 5.0 for Windows NT 4.0
  • Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 1
  • Microsoft Internet Explorer 4.01 for Windows NT 4.0 SP 2
  • Microsoft Internet Explorer 4.0 for Windows NT 4.0
  • Microsoft Internet Explorer 5.01 for Windows 98 Second Edition
  • Microsoft Internet Explorer 5.01 for Windows 98
  • Microsoft Internet Explorer 5.0 for Windows 98
  • Microsoft Internet Explorer 4.01 for Windows 98 SP 2
  • Microsoft Internet Explorer 5.01 for Windows 95
  • Microsoft Internet Explorer 5.0 for Windows 95
  • Microsoft Internet Explorer 4.01 for Windows 95 SP 1
  • Microsoft Internet Explorer 4.01 for Windows 95 SP 2
  • Microsoft Internet Explorer 4.0 for Windows 95
  • Microsoft Internet Information Server 3.0
  • Microsoft Internet Information Server 4.0

This article was previously published under Q260749

SYMPTOMS

Client certificates may not be listed as you expect in Internet Explorer when you connect to a secure (HTTPS://) Web site. This results in the Client Certificates list being blank or not containing applicable client certificates. This issue has been observed in the following situations:
  • On newly installed Internet Explorer 5 clients
  • After upgrading the Internet Information Server (IIS) server to Microsoft Windows NT 4.0 SP4 or later

RESOLUTION

To resolve this issue, use any of the following methods:
  • Enable Private Communications Technology (PCT) on the Internet Explorer clients that are exhibiting the issue. Do this on Internet Explorer 5 clients that have been freshly installed. NOTE: This is a short-term workaround. Microsoft recommends using the next method.
  • Resolve the issue that prevents Internet Explorer from selecting applicable client certificates when you connect by using Transport Layer Security (TLS)/Secure Sockets Layer 3 (SSL3). This issue likely occurs because:
    • The certificate authority (CA) root certificate is not installed correctly on the Web server. This prevents IIS from passing the CA's distinguished name (DN) to the client. To resolve this issue:
      • On IIS 3.0, install the CA root certificate in Internet Explorer.
      • On IIS 4.0 up to Windows NT 4.0 SP3, install the CA root certificate in Internet Explorer and use Iisca.exe to transfer the root certificates to IIS. If you are using Windows NT 4.0 SP4 or later, Iisca.exe is not required. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

        194788 Windows NT Service Pack 4 and Client Certificates

    • The client certificate does not match the CA root certificate. Use the Certutil tool with the -verify option to verify that the client certificate matches the CA certificate.

MORE INFORMATION

When you connect to a secure (HTTPS://) Web site, the negotiated protocol that supports client certificates can be either PCT or TLS/SSL3 depending on the client and server configuration.

Default Server Configuration

  • The default security protocol up to Windows NT 4.0 SP3 is PCT.
  • The default security protocol for Windows NT 4.0 SP4 and later is TLS/SSL3.

For additional information about how to enable or disable security protocols, click the article number below to view the article in the Microsoft Knowledge Base:

187498 Disable PCT 1.0, SSL 2.0, or SSL 3.0 on IIS

Default Client Configuration

  • Internet Explorer 4.x has all security protocols enabled.
  • Internet Explorer 5 has PCT disabled.

Note that upgrading from Internet Explorer 4.x to Internet Explorer 5 keeps the Internet Explorer 4.x settings.

When a Web server requests a client certificate, Internet Explorer builds a list of certificates by using the following method:
  • If PCT is negotiated, Internet Explorer builds a list of all client certificates regardless of certificate authorities.
  • If TLS/SSL3 is used, Internet Explorer builds a list of client certificates matching:
    • A list of well-known certificate authorities such as VeriSign.
    • A list of certificate authorities passed by the server (see section 5.6.4 of the TLS/SSL3 specification available at http://home.netscape.com/eng/ssl3/index.html).
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
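
The TLS/SSL3 rule above, as an added example that is not part of the original article: a Python sketch that parses the certificate_authorities list from an SSL3/TLS 1.0 CertificateRequest body and applies the filtering the article describes. The distinguished names are constructed placeholder strings rather than DER-encoded names, and all function and certificate names are hypothetical.

```python
import struct

# Constructed sample data: real DNs are DER-encoded; plain strings stand in here.
CORP_CA = b"CN=Example Corp Root CA"
PUBLIC_CA = b"CN=Example Public CA"
WELL_KNOWN = [PUBLIC_CA]  # stands in for the client's built-in CA list
CLIENT_CERTS = [("alice-corp", CORP_CA), ("alice-public", PUBLIC_CA)]  # (label, issuer DN)

def build_certificate_request(cert_types, ca_dns):
    """Encode an SSL3/TLS 1.0 CertificateRequest body (types, then the DN list)."""
    dn_block = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    return (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack("!H", len(dn_block)) + dn_block)

def parse_certificate_request(body):
    """Return (certificate_types, [DN bytes]) or raise ValueError if malformed."""
    if len(body) < 3 or len(body) < 1 + body[0] + 2:
        raise ValueError("CertificateRequest body too short")
    n_types = body[0]
    types = list(body[1:1 + n_types])
    pos = 1 + n_types
    (total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    end = pos + total
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    dns = []
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated DistinguishedName length")
        (dn_len,) = struct.unpack_from("!H", body, pos)
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("truncated DistinguishedName entry")
        dns.append(body[pos:pos + dn_len])
        pos += dn_len
    return types, dns

def selectable_certs(protocol, client_certs, server_dns, well_known):
    """Model the article's rule: PCT lists everything, TLS/SSL3 filters by issuer."""
    if protocol == "PCT":
        return [label for label, _ in client_certs]
    allowed = set(server_dns) | set(well_known)
    return [label for label, issuer in client_certs if issuer in allowed]

if __name__ == "__main__":
    for case, dns in (("root missing on server", []), ("root installed", [CORP_CA])):
        _, parsed = parse_certificate_request(build_certificate_request([1], dns))
        print(case, "->", selectable_certs("TLS/SSL3", CLIENT_CERTS, parsed, WELL_KNOWN))
    print("PCT ->", selectable_certs("PCT", CLIENT_CERTS, [], WELL_KNOWN))
```

When the server sends an empty CA list, the certificate issued by the private CA drops out of the TLS/SSL3 result, which is the symptom this article describes.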

REFERENCES

For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:

218445 How to Configure Certificate Server for Use with SSL on IIS

197306 How to Troubleshoot SSL in Internet Information Server 4.0

194788 Windows NT Service Pack 4 and Client Certificates

231718 Client Certificates May Not Appear in Internet Explorer

187498 Disable PCT 1.0, SSL 2.0, or SSL 3.0 on IIS


Modification Type: Major
Last Reviewed: 11/26/2003
Keywords: kbenv kbprb KB260749