Thanks for the additional insight into client authentication.

The smart card and IE are set up correctly to prompt for a valid certificate. I know this because that is how it works when I visit other web sites on our network that have client authentication implemented. I have a feeling the problem I am having has something to do with Tomcat not knowing what to validate clients against. Does Tomcat use the value in the keystoreFile property to determine what certificates to validate clients against? If so, what entries should be in the keystore? If not, how do I let Tomcat know what CA to validate against?

Below is the applicable part of my server.xml:

    <Connector acceptCount="100"
               clientAuth="true"
               debug="9"
               disableUploadTimeout="true"
               enableLookups="true"
               keystoreFile="C:\Program Files\Apache Group\Tomcat 5.0\SSL\keystore"
               maxProcessors="75"
               port="8443"
               scheme="https"
               secure="true"
               sslProtocol="TLS">
    </Connector>

Here is the content of the keystore being used for SSL from running keytool -list. Please let me know if something doesn't look right.

---------------------------------------------------
tomcat, Nov 4, 2005, keyEntry,
Certificate fingerprint (MD5): FE:5A:8B:C9:95:72:85:2D:46:52:86:90:7A:98:B1:E2
mykey, Nov 28, 2005, trustedCertEntry,
Certificate fingerprint (MD5): C9:0F:75:AA:61:F0:B2:8B:73:A9:2F:40:57:48:15:C1
---------------------------------------------------

mykey is what I want to validate clients against. I guess what I am looking for are configuration steps that I may have missed.

Thanks in advance for your help.

Paul Dobson

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 29, 2005 9:51 AM
To: Tomcat Users List
Subject: Re: Client Authentication

Dobson Paul L Contr 84 MSUG/GBMLBR <[EMAIL PROTECTED]> writes:

> I am having a tough time finding information on implementing client
> authentication. When trying to access my site, I need the user to be
> presented with a dialog box asking for a digital certificate. The
> certificate needs to be validated then bounced against a list of
> revoked certificates. If it is valid and not revoked, the user should
> be allowed in the site. I have SSL implemented and have modified my
> server.xml, setting clientAuth="true". If I set it to true, I am
> quickly presented with the explorer page that says:
>
> The page cannot be displayed
>
> The page you are looking for is currently unavailable. The Web site
> might be experiencing technical difficulties, or you may need to
> adjust your browser settings.
>
> If I set clientAuth="want", I am let into the site without being
> prompted for a certificate.
>
> I think it is automatically behaving as if a client certificate is not
> available without prompting for one (we are set up with ActiveCard
> smart cards and readers at all work stations).
>
> I am using Tomcat 5.0 with j2sdk1.4.2_04 on Windows 2000 Server with
> SP4.

Client Authentication works as follows: You connect to the server, the server gives you a list with valid certificates. IE looks if it has a certificate in the list. The next step depends upon your IE settings. If there is only one matching certificate and you set IE up to automatically choose one, the connection is established. If there are more, you get a window where you can select the proper certificate. If there are none, you either get a "page cannot be displayed" message (automatic mode) or you get a window with no certificate to choose.

So if you are using a smartcard you have to somehow tell IE that it should take a certificate from a smartcard and not its internal certificate store. I have no idea how this is all working with smartcards though.

regards
Markus

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
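The following connector sketch is added here as an illustration and is not from either poster. It assumes the truststoreFile and truststorePass attributes of Tomcat's JSSE connector (not mentioned in the thread; check the connector reference for your exact 5.0.x build), and the truststore path, alias and passwords are placeholders. The point it shows is that the SSL keystore (server key) and the truststore (CA certificates that client certificates are checked against) are separate settings: when no truststore is configured, the JSSE connector falls back to the JVM default trust store (the javax.net.ssl.trustStore system property or the JRE's cacerts), not to keystoreFile, so a trustedCertEntry sitting in the SSL keystore is never consulted for client validation.

```xml
<!-- Added example, not the original server.xml. Paths and passwords are placeholders. -->
<Connector port="8443"
           scheme="https"
           secure="true"
           sslProtocol="TLS"
           acceptCount="100"
           maxProcessors="75"
           enableLookups="true"
           disableUploadTimeout="true"
           clientAuth="true"
           keystoreFile="C:\Program Files\Apache Group\Tomcat 5.0\SSL\keystore"
           keystorePass="CHANGE_ME_keystore_password"
           truststoreFile="C:\Program Files\Apache Group\Tomcat 5.0\SSL\truststore"
           truststorePass="CHANGE_ME_truststore_password">
</Connector>
```

The truststore is built from the CA certificate alone, for example with keytool -import -trustcacerts -alias clientca -file clientca.cer -keystore truststore (the alias and file name here are placeholders). The CAs it contains are exactly the "list with valid certificates" the server sends in the handshake that Markus describes, so a browser or smart card that holds no certificate chaining to one of them will either fail with "page cannot be displayed" or be offered an empty selection dialog. Keeping only the intended issuing CA in that truststore, rather than the full cacerts set, is also the least-privilege choice, since every CA present is one whose certificates the server will accept.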