Browser/Office is prompting for certificate, when opening office documents in SharePoint 2010 with CA siteminder using SSL

Question

Hi,

I am not sure its a configuration issue on SharePoint side or on CA Site Minder side.

This is the first time we are using CA site minder for authentication, we are building a new environment on SharePoint 2010 which uses CA site minder as authentication(Claims Based Authentication). Everything is working as expected if we don't use SSL, it is opening all office documents in sp 2010 and saving them back if we don't use SSL(but we are still using CA siteminder for authentication), but when we use SSL(https), then it is prompting for certificate, it is showing the certificate we are using in the prompted box, but when we select the certificate and click ok, it is not bringing anything, just plane office.

I made some googling, and came across some setting changes in IE browser to take the certificate if its just one, but nothing helped.

Can someone please help me on this, we are unable to move forward with out solving this issue.

I appreciate your time and help.

Thank you,

Kishore

Answer 1

Hi Kishore,

For this issue, have you add this site to the trust site list?  If not, you can have a try.

Based on your description, we don’t know which IE version you use, below is a blog about “Client Certificate Selection Prompt”  of different version,

http://blogs.msdn.com/b/ieinternals/archive/2009/09/03/client-certificate-selection-prompt.aspx

Regards,

Kelly Chen

Answer 2

Hi Chen,

Thank you for your response.

I am using IE 8, I tried enabling and disabling the certificate option in IE, but no luck.

But we are not just getting this prompt in IE, we are getting this in all the browsers. I am so confused, what is causing this behavior, is it a CA site minder agent configurations, or office and SharePoint integration.

Any ideas will be highly appreciated.

Thank you,

Kishore

Answer 3

- Check is if SSL works in a basic site access scenario - if the issue is with accessing Office Docs ONLY and that rest of the site access works fine even with SSL?
- If the site just doesn't work over SSL it is more likely an issue with certificate configuration and if SSL scenario fails only for accessing Office documents, its more likely an issue with WebDav communication over SSL that ensues while communicating with Office clients
- Another thing to check is if we have SSL cert on the IIS website corresponding to SharePoint Webapp or if we are using SSL termination at an intermediate device (ISA server? CA device?) - in which case we might need to check SSL configuration on the intermediate device
- You mentioned you see the issue on multiple browser types - I would also check across multiple IE versions , so does IE7, 8 and 9 all depict the issue same way?
- Are the clients any specific OS, - so like does the issue happen from XP, Win7 and all otehr client OS
- Would be nice to see a screenshot of the behavior
- Check  if we see anything in event viewer of WFE regarding Schannel errors
- Have you checked IIS Website SSL settings in IIS manager and confirmed that Client Certificates is set to Ignore?
- I came across this https://support.ca.com/cadocs/0/h006193e.pdf says something about an issue with retrieval of SSL certificates, not sure if thats what it is, make sure you have latest version of CA agent

---

Please remember to click 'Mark as Answer' on the post that helps you or click 'Unmark as Answer' if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Regards,
Nishant Shah
Microsoft Online Community Support

Answer 4

Hi Nishant,

I appreciate your help.

-Yes, it works well, when we just access the site, it only throws this certificate prompt when we open office documents.

-We have IE tester installed to test in all IE versions, it's the same behavior across all IE versions

-Windows xp - office 2007 -> works (no prompt for certificate)

Windows xp - office 2010 -> doesn't work (prompt for certificate)- works if we select OK for cert (BUT INCONSISTENT)

Windows 7 - Office 2010 -> doesn't work (prompt for certificate) - works if we select OK for cert (BUT INCONSISTENT)

- We are getting this certificate prompt, when we click on the document to open, once we select the right certificate and click ok, then the document gets opened some time and NOT some time(but we don't want this cert prompt)

-There is no error in the event viewer of WFE

-IIS SSL settings is set to ignore

- I am not sure, what went wrong, but we are using the latest version of CA agent.

Any help will be highly appreciated.

Thank you,

Kishore

Answer 5

Hi,

Can you please provide a screenshot for us to review? I want to find out if its OOB client certificate choose prompt or not.

---

Please remember to click 'Mark as Answer' on the post that helps you or click 'Unmark as Answer' if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Regards,
Nishant Shah
Microsoft Online Community Support

Answer 6

Hi Nishant,

We are testing other stuff with out SSL, so took some time to role back to HTTPS and take the screenshot.

Here you go..

Any suggestions?

Thank you,

Kishore

---

kishore

Answer 7

I am having the same issue but do not use the CA product you reference just straight sharepoint and 2 way ssl.

My troubleshooting has gotten me to the point that it appears to be related to webdav specific libraries.

In addition to having the problem from office the problem will also occur it I attempt to map to a sharepoint document library. However in this case the certificate prompt is different than the one I get from office.

I have done header inspection and when office is making the request the agent is "Office Existence Discovery Protocol" that is issue a "OPTIONS" method request to detect if the server supports webdav.

What I cannot find is any option to tell the webclient that webdav uses that if only one certificate is valid for the requesting domain it should use that without prompting. As mentioned previously accessing the same URLS through IE or Firefox presents no issue.

Answer 8

Hi Kishore,

Is it possible to extend the SharePoint site to a new web application where you use OOB Windows claims as authentication + SSL and see if you are able to replicate this behavior? In other words are you able to reproduce this issue without using Site Minder authentication?

---

Please remember to click 'Mark as Answer' on the post that helps you or click 'Unmark as Answer' if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Regards,
Nishant Shah
Microsoft Online Community Support

Answer 9

Hi Nishant,

Everything is working fine, if we use Windows claims as auth + SSL, it is even working fine if we just use Site minder with out SSL.

Thank you,

Kishore

---

kishore

Answer 10

Hi Kishore,

Further troubleshooting requires a more in-depth level of support which may include log analysis / Network trace which is not feasible over forums. Please visit the below link to see the various paid support options that are available to better meet your needs: http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone. If you are a MSDN / TechNet subscriber, you can also contact our support by using your free support incidents.
However, other members of the community may still have encountered the issue you're seeing, and have a solution to offer!

---

Please remember to click 'Mark as Answer' on the post that helps you or click 'Unmark as Answer' if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Regards,
Nishant Shah
Microsoft Online Community Support

Answer 11

Hi,

Could you try this if it helps:

Go to word/excel and click on the Office Button >> Word Options >> Trust Center >> Trust Center Settings >> Trusted Locations >> Allow Trusted Locations on my network and tick that check box.

Hope it helps.

Cheers,

Answer 12

Hi Esad,

We tried adding site to trusted locations in word and IE, with no luck.

Thanks,

Kishore

---

kishore

Answer 13

Our organization has exactly the same configuration and problem.

It seemed to crop up recently after applying siteminder patches - it's very likely a siteminder issue.

our configuration:

Dns points our site to a load balancer, then to siteminder for authentication, then if I'm not mistaken, it passes through the siteminder box (siteminder is acting as a proxy) and is sent to the load balancer in front of the sharepoint Web front ends.

Our problem does not happen when we access it from our company PC's on our network (still going through siteminder) but it does occur when I use a vanilla Windows 7 box.

Like Kishore002, it is the office apps themselves that are prompting for the certificate (the browsers work fine and don't report a certificate error)

We'll likely open a case with MS and with CA to see if we can get this sorted out.

- Jack

---

- Jack