Windows CE 6.0 Web Server Client Certificates

  • Question

    Hi All

    I am trying to secure one of the virtual roots on my CE 6.0 Web Server using two factor authentication (using basic credentials over SSL and a Client
    Certificate at the browser (IE8)). I can access my /Secure virtual root from the browser OK (I get the padlock in IE8) but my /Cert virtual root
    (which I am trying to configure to require the browser to supply a Client Certificate) fails with a '400 Bad Request' http error. From the tracker
    log it seems that the request is failing before the server even asks for the client certificate. I expected that the browser would prompt me to specify
    a client certificate to send, but the connection just times out with the error 400.

    The browser trusts the Web Server OK (since I have imported the server and root ca certificates into the relevant stores on the client). I have loaded
    a client certificate issued from the same root ca (Windows 2003 server certificate services) as the web server certificate and I have tried a few
    permutations of 'p' value for the /Cert virtual root including and excluding HSE_URL_FLAGS_SSL and HSE_URL_FLAGS_SSL128 in all combinations (0x2CD,
    0x3C5, 0x3CD) but still no joy.

    Is what I am trying to do reasonable? If so, can anyone suggest what I am doing wrong? Where should I go from here?


    Thanks for any help!


    Phil


    The nitty-gritty:-
    ------------------

    Windows CE 6.0 R3 with all updates up to December 2012 applied.

    As guided by "SSL Client Authentication (Windows Embedded CE 6.0)" in MSDN. I note that this document shows the registry paths without the Comm
    subkey?

    My registry is set up as follows:

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/]
    "Default"="\\USB Storage\\www\\default"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD]
    "IsEnabled"=dword:1

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\SSL]
    "CertificateSubject"="WindowsCE"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\SSL]
    "IsEnabled"=dword:1

    [HKEY_LOCAL_MACHINE\Comm\HTTPD]
    "Basic"=dword:1

    [HKEY_LOCAL_MACHINE\Comm\HTTPD]
    "NTLM"=dword:0

    [HKEY_LOCAL_MACHINE\Comm\HTTPD]
    "ServerID"="WindowsCE"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD]
    "LogFileDirectory"="\\USB Storage\\www"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD]
    "PostReadSize"=dword:8000

    [HKEY_LOCAL_MACHINE\Comm\HTTPD]
    "MaxHeaderSize"=dword:10000

    [HKEY_LOCAL_MACHINE\Comm\HTTPD]
    "Filter DLLs"="\\windows\\tracker.dll"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\SSL\USERS\USER\MAP-1]
    "IssuerCN"="Titan Root CA"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/]
    "a"=dword:0


    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Secure]
    "Default"="\\USB Storage\\www\\secure"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Secure]
    "a"=dword:1

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Secure]
    "p"=dword:20d

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Secure]
    "UserList"="USER"


    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Cert]
    "Default"="\\USB Storage\\www\\cert"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Cert]
    "a"=dword:1

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Cert]
    "p"=dword:3c5

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Cert]
    "UserList"="USER"

    [HKEY_LOCAL_MACHINE\Comm\HTTPD\VROOTS\/Tracker]
    "Default"="\\windows"


    The 'p' value for the /Secure virtual root equates to:

    HSE_URL_FLAGS_READ             1
    HSE_URL_FLAGS_EXECUTE          4
    HSE_URL_FLAGS_SSL              8
    HSE_URL_FLAGS_SCRIPT         512
                                 ---
                                 525 (0x20D)
                                 ---

    The 'p' value for the /Cert virtual root equates to:

    HSE_URL_FLAGS_READ             1
    HSE_URL_FLAGS_EXECUTE          4
    HSE_URL_FLAGS_REQUIRE_CERT    64
    HSE_URL_FLAGS_MAP_CERT       128
    HSE_URL_FLAGS_SSL128         256
    HSE_URL_FLAGS_SCRIPT         512
                                 ---
                                 965 (0x3C5)
                                 ---


    From the tracker.dll log...

    //----------------------------------------------------------

    This request works!

    //----------------------------------------------------------


    41 time: 21:26:20:0781 ThreadID: 0x55b007e 
    Notification: Read Raw Data
    PFC Addr:0x11fac0 Context:5 ConnID:87
    Data:

    GET /secure HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
    Accept-Language: en-gb
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Host: windowsce
    Connection: Keep-Alive
    Authorization: Basic VVNFUjp1c2Vy

    42 time: 21:26:20:0784 ThreadID: 0x55b007e 
    Notification: Pre-Process Headers
    PFC Addr:0x11fa9c Context:5 ConnID:87
    URL: /secure
    Headers: Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Accept-Language: en-gb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: windowsce Connection: Keep-Alive Authorization: Basic VVNFUjp1c2Vy 

    43 time: 21:26:20:0786 ThreadID: 0x55b007e 
    Notification: URL Map
    PFC Addr:0x11fa9c Context:5 ConnID:87
    URL: /secure
    Physical Path: \USB Storage\www\secure

    44 time: 21:26:20:0789 ThreadID: 0x55b007e 
    Notification: Authentication
    PFC Addr:0x11f368 Context:5 ConnID:87
    User: USER
    Password: user

    45 time: 21:26:21:0150 ThreadID: 0x55b007e 
    Notification: Send Raw Data
    PFC Addr:0x11ea0c Context:5 ConnID:87
    Data:

    HTTP/1.0 302 Object Moved
    Date: Sat, 19 Jan 2013 05:26:21 GMT
    Connection: keep-alive
    Server: WindowsCE
    Location: /secure/
    Content-Type: text/html
    Content-Length: 120

    <html><head><title>Object Moved</title></head><body><h1>Object Moved</h1>This object has moved to /secure/</body></html>

    46 time: 21:26:21:0154 ThreadID: 0x55b007e 
    Notification: End of Request
    PFC Addr:0x11fac0 Context:5 ConnID:87

    47 time: 21:26:21:0157 ThreadID: 0x55b007e 
    Notification: Log (IIS Log, not Tracker Log)
    PFC Addr:0x11fac0 Context:5 ConnID:87

    48 time: 21:26:21:0365 ThreadID: 0x55b007e 
    Notification: Read Raw Data
    PFC Addr:0x11fac0 Context:6 ConnID:87
    Data:

    GET /secure/ HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
    Accept-Language: en-gb
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Host: windowsce
    Connection: Keep-Alive
    Authorization: Basic VVNFUjp1c2Vy

    49 time: 21:26:21:0368 ThreadID: 0x55b007e 
    Notification: Pre-Process Headers
    PFC Addr:0x11fa9c Context:6 ConnID:87
    URL: /secure/
    Headers: Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Accept-Language: en-gb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: windowsce Connection: Keep-Alive Authorization: Basic VVNFUjp1c2Vy 

    50 time: 21:26:21:0370 ThreadID: 0x55b007e 
    Notification: URL Map
    PFC Addr:0x11fa9c Context:6 ConnID:87
    URL: /secure/
    Physical Path: \USB Storage\www\secure\

    51 time: 21:26:21:0713 ThreadID: 0x55b007e 
    Notification: Send Raw Data
    PFC Addr:0x11ea84 Context:6 ConnID:87
    Data:

    HTTP/1.0 200 OK
    Date: Sat, 19 Jan 2013 05:26:21 GMT
    Connection: keep-alive
    Server: WindowsCE
    Last-Modified: Thu, 10 Jan 2013 05:52:14 GMT
    ETag: "03bbca3f6eecd1:20:2"
    Content-Type: text/html
    Content-Length: 117

    52 time: 21:26:21:0723 ThreadID: 0x55b007e 
    Notification: Send Raw Data
    PFC Addr:0x11ea58 Context:6 ConnID:87
    Data:

    <html>
    <head>
    <title>Windows CE</title>
    </head>
    <body>
    Windows CE Web Server - Secure Page 
    </body>
    </html>


    53 time: 21:26:21:0727 ThreadID: 0x55b007e 
    Notification: End of Request
    PFC Addr:0x11fac0 Context:6 ConnID:87

    54 time: 21:26:21:0731 ThreadID: 0x55b007e 
    Notification: Log (IIS Log, not Tracker Log)
    PFC Addr:0x11fac0 Context:6 ConnID:87

    55 time: 21:26:51:0735 ThreadID: 0x55b007e 
    Notification: End of Net Session
    PFC Addr:0x11fb58 Context:6 ConnID:87

    56 time: 21:26:53:0923 ThreadID: 0x55c007e 
    Notification: Read Raw Data
    PFC Addr:0x14fac0 Context:7 ConnID:87
    Data:


    //----------------------------------------------------------

    This request fails!

    //----------------------------------------------------------


    GET /cert/ HTTP/1.1
    Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
    Accept-Language: en-gb
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)
    Accept-Encoding: gzip, deflate
    Host: windowsce
    Connection: Keep-Alive
    Authorization: Basic VVNFUjp1c2Vy

    57 time: 21:26:53:0926 ThreadID: 0x55c007e 
    Notification: Pre-Process Headers
    PFC Addr:0x14fa9c Context:7 ConnID:87
    URL: /cert/
    Headers: Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */* Accept-Language: en-gb User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E) Accept-Encoding: gzip, deflate Host: windowsce Connection: Keep-Alive Authorization: Basic VVNFUjp1c2Vy 

    58 time: 21:26:53:0931 ThreadID: 0x55c007e 
    Notification: URL Map
    PFC Addr:0x14fa9c Context:7 ConnID:87
    URL: /cert/
    Physical Path: \USB Storage\www\cert\

    59 time: 21:26:53:0935 ThreadID: 0x55c007e 
    Notification: Authentication
    PFC Addr:0x14f894 Context:7 ConnID:87
    User: USER
    Password: user

    60 time: 21:27:23:0940 ThreadID: 0x55c007e 
    Notification: Send Raw Data
    PFC Addr:0x14ea84 Context:7 ConnID:87
    Data:

    HTTP/1.0 400 Bad Request
    Date: Sat, 19 Jan 2013 05:27:23 GMT
    Connection: close
    Server: WindowsCE
    Content-Type: text/html
    Content-Length: 30

    The request was not understood

    61 time: 21:27:23:0944 ThreadID: 0x55c007e 
    Notification: End of Request
    PFC Addr:0x14fac0 Context:7 ConnID:87

    62 time: 21:27:23:0947 ThreadID: 0x55c007e 
    Notification: Log (IIS Log, not Tracker Log)
    PFC Addr:0x14fac0 Context:7 ConnID:87

    63 time: 21:27:23:0950 ThreadID: 0x55c007e 
    Notification: End of Net Session
    PFC Addr:0x14fb58


    Monday, January 21, 2013 9:58 AM
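The post works out the HTTPD virtual-root 'p' bitmask by hand for two roots and then tries three permutations (0x2CD, 0x3C5, 0x3CD). The following is an added example, not code from the post or from the Windows CE web server: a small Python helper that decodes a 'p' value (as written in a .reg file, `"p"=dword:3c5`) into HSE_URL_FLAGS_* names, re-encodes a list of names, reports the flags that differ between two roots, and flags one obvious configuration smell (certificate flags set on a root that has neither SSL flag, which cannot work because a client certificate is only ever presented inside a TLS handshake). The flag values are the ones the post lists; the ISAPI headers define further HSE_URL_FLAGS_* bits that are not included here, and any such bit is reported as UNKNOWN rather than silently dropped.

```python
# Added example: decode/compare the Windows CE HTTPD virtual-root "p" bitmask.
# Flag values are taken from the forum post; other HSE_URL_FLAGS_* bits from
# the ISAPI headers are deliberately left out and surface as UNKNOWN_0x...

HSE_URL_FLAGS = {
    "HSE_URL_FLAGS_READ":         0x001,
    "HSE_URL_FLAGS_EXECUTE":      0x004,
    "HSE_URL_FLAGS_SSL":          0x008,
    "HSE_URL_FLAGS_REQUIRE_CERT": 0x040,
    "HSE_URL_FLAGS_MAP_CERT":     0x080,
    "HSE_URL_FLAGS_SSL128":       0x100,
    "HSE_URL_FLAGS_SCRIPT":       0x200,
}

_KNOWN_MASK = 0
for _bit in HSE_URL_FLAGS.values():
    _KNOWN_MASK |= _bit


def decode_p(value):
    """Return the flag names set in a 'p' value, in header order.

    Bits not in the table above are reported as one UNKNOWN_0x... entry so a
    typo in a registry value is never hidden.
    """
    names = [name for name, bit in HSE_URL_FLAGS.items() if value & bit]
    unknown = value & ~_KNOWN_MASK
    if unknown:
        names.append("UNKNOWN_0x%X" % unknown)
    return names


def encode_p(names):
    """Combine flag names into the integer to write as dword:<hex>."""
    value = 0
    for name in names:
        value |= HSE_URL_FLAGS[name]  # KeyError on a misspelled flag name
    return value


def parse_reg_dword(line):
    """Parse a .reg line such as '"p"=dword:3c5' (hex, no 0x prefix)."""
    key, _, val = line.strip().partition("=")
    if key.strip('"') != "p" or not val.startswith("dword:"):
        raise ValueError("not a p dword line: %r" % line)
    return int(val[len("dword:"):], 16)


def diff_roots(p_a, p_b):
    """(flags only in a, flags only in b), each sorted by name."""
    a, b = set(decode_p(p_a)), set(decode_p(p_b))
    return sorted(a - b), sorted(b - a)


def lint_p(value):
    """Return a list of configuration warnings for a 'p' value."""
    names = set(decode_p(value))
    wants_cert = names & {"HSE_URL_FLAGS_REQUIRE_CERT", "HSE_URL_FLAGS_MAP_CERT"}
    has_ssl = names & {"HSE_URL_FLAGS_SSL", "HSE_URL_FLAGS_SSL128"}
    warnings = []
    if wants_cert and not has_ssl:
        # A client certificate is only presented inside a TLS handshake.
        warnings.append("certificate flags set but no SSL flag")
    if any(n.startswith("UNKNOWN_") for n in names):
        warnings.append("value contains bits not in the flag table")
    return warnings


if __name__ == "__main__":
    # Constructed input: the two roots from the post plus the values it tried.
    roots = {"/Secure": '"p"=dword:20d', "/Cert": '"p"=dword:3c5'}
    for root, line in roots.items():
        p = parse_reg_dword(line)
        print("%-8s 0x%03X -> %s %s" % (root, p, decode_p(p), lint_p(p)))
    only_secure, only_cert = diff_roots(0x20D, 0x3C5)
    print("only in /Secure:", only_secure)
    print("only in /Cert:  ", only_cert)
    for tried in (0x2CD, 0x3C5, 0x3CD):
        print("tried 0x%03X -> %s" % (tried, decode_p(tried)))
```

Run stand-alone it prints the decoded flag set for each root and shows that /Secure carries HSE_URL_FLAGS_SSL while /Cert (0x3C5) carries SSL128, REQUIRE_CERT and MAP_CERT instead; the third value the post tried, 0x3CD, sets all seven flags.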