none
"Confirm Certificate" prompt appears in IE when it is not required RRS feed

  • Question

  • I'm developing a C# application that is installed on a user's PC, and it installs a certificate to Local Machine / Trusted Root Certification Authorities store. Using the Access-Control-Allow-Credentials header along with the certificate we install, I am able to successfully establish a CORS connection with its partner website.

    However, we have recently seen "Confirm Certificate" prompts in IE, which prompts for client certificates that are unrelated to my application. These certificates are populated from the Current User / Personal store. I have no need for the Confirm Certificate prompt to appear, and when I cancel out of the prompt the application works fine. When I click "OK" on the prompt, the javascript console in the browser shows the following error: "XMLHttpRequest: Network Error 0x80070005, Access is denied."

    As there is no client certificate that we need to use or have confirmed, I would like to prevent this prompt from appearing. Setting "Don't prompt for client certificate selection when only one certificate exists" in Security Settings will not work, because that automatically selects a certificate which will always cause the "Access is denied" error.

    We use a CorsEnabledServiceHost to create the service endpoint, and I am wondering if something about that instantiation has to be modified to remove the prompt.

    Thank you in advance for your help with this issue.

    Friday, December 15, 2017 10:02 PM

All replies

  • Hi MikeMangione,

    >> I'm developing a C# application that is installed on a user's PC

    What is your C# application? Is it a WCF Service?

    >> which prompts for client certificates that are unrelated to my application. These certificates are populated from the Current User / Personal store.

    What do you mean it is not related with your app? Could you make a test with installing the certificate under Current User/ Personal Store?

    >> I have no need for the Confirm Certificate prompt to appear

    It seems to be web application, it would be helpful if you could share us more information about your application.

    Which account did you run for application? You may need to grant access for the account, or I suggest you run the application under the account who installed this certificate.

    # Install the client certificate and grant access for the user account

    https://support.microsoft.com/en-us/help/901183/how-to-call-a-web-service-by-using-a-client-certificate-for-authentica

    Best Regards,

    Tao Zhou


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Monday, December 18, 2017 3:12 AM
  • Hi Tao,

    >> What is your C# application? Is it a WCF Service?

    Yes, it is a WCF service used to communicate with USB devices plugged into the local machine, and our use of CORS in other browsers and in IE (apart from the prompt) works fine.

    >> What do you mean it is not related to your app? Could you make a test with installing the certificate under Current User/ Personal Store?

    Without modification, we usually see VPN client certificates populated in the message, and I have tried adding our certificate to the Current User's Personal store. Selecting either the VPN certificate or our application's certificate and clicking "OK" causes our CORS functionality to break on the first request.

    >> Which account did you run for application?

    A local administrator runs the installation of the app, and non-admin users are the ones who use the application itself. 

    I have also attempted to grant permission to the certificate using the WinGttpCertCfg.exe tool in the link you included. Adding permission for my personal, non-admin account had no obvious effect, as the prompt still appears. 

    The certificate we use has both Server Authentication and Client Authentication capability, and for users that have no Client Authentication certificates in their Current User / Personal store, no prompt appears. We use our certificate for server authentication, but this might explain why selecting it in the prompt (which I assume is for client authentication) breaks. We can potentially remove that tag from our certificate, but this is still a problem for users who have completely unrelated Client Authentication certificates (e.g. VPN certificates).

    Thank you for your help.

    Best,

    Mike



    Monday, December 18, 2017 2:41 PM
  • Hi Mike,

    Do you develop with WCF Rest Service?

    Could you share us how you develop this service? From my experience, I did not hit certificate prompt issue for WCF Rest Service.

    It would be helpful if you could share us a simple project and detail steps which could reproduce your issue.

    Best Regards,

    Tao Zhou


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Tuesday, December 19, 2017 6:02 AM