Client Certificate and SSL termination
on 24.08.2007 17:04:04 by kjartan
Hi all.
We are currently building a web site that requires a client certificate for
authentication (certificate hosted on smart card). We are having some
problems implementing the "Sign out" functionality of the website.
What we are trying to do is to implement the following scenario:
1. User enters the website at https://www.somesite.com/myapp/default.aspx
2. User enters the private part of the website at
https://www.somesite.com/myapp/secret/ which prompts for a client certificate
(and the smart card middleware asks for a PIN to access the certificate)
3. User signs out of the web site at
https://www.somesite.com/myapp/signout.aspx, the asp.net page closes the
application session with Session.Abandon() and the SSL session is terminated
4. User enters the private part of the website again at
https://www.somesite.com/myapp/secret/ and is authenticated again (prompted
for a PIN to access the certificate on the smart card).
The problem we are facing is that in step 3 we are not able to terminate the
SSL session. This means that when the user enters
https://www.somesite.com/myapp/secret/ again in step 4 the previous SSL
session is used and the user is not prompted for a PIN to access the
certificate on the smart card.
The application currently runs on IIS 6.0.
Any help would be appreciated.
Best regards,
Kjartan
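As an added illustration (not code from the thread or from IIS), a small Python model of the two state layers in the scenario above: the ASP.NET session that Session.Abandon() clears, and the server-side SSL session cache that the browser resumes on its next connection. It assumes a cache that simply expires entries after a configured lifetime; the class names, the certificate subject and the integer clock are constructed here.

```python
# Added model, not code from the thread: the ASP.NET session (what Session.Abandon()
# clears) and the server-side SSL/TLS session cache are independent state. On the
# next visit the browser resumes the cached TLS session, so the client certificate
# is reused and the smart-card PIN is never asked for again. All names constructed.

class TlsSessionCache:
    """Server-side TLS session cache: resumption skips the client-cert handshake."""
    def __init__(self, server_cache_time):
        self.server_cache_time = server_cache_time  # cache lifetime in clock units
        self.sessions = {}                          # tls_id -> (cert_subject, created_at)

    def handshake(self, tls_id, now, prompt_for_cert):
        entry = self.sessions.get(tls_id)
        if entry and now - entry[1] < self.server_cache_time:
            return entry[0], False          # resumed: certificate reused, no PIN prompt
        subject = prompt_for_cert()         # full handshake: middleware asks for the PIN
        self.sessions[tls_id] = (subject, now)
        return subject, True


class Site:
    def __init__(self, server_cache_time):
        self.tls = TlsSessionCache(server_cache_time)
        self.app_sessions = {}              # app session id -> cert subject (ASP.NET Session)

    def request_secret(self, tls_id, app_sid, now):
        subject, prompted = self.tls.handshake(tls_id, now, lambda: "CN=constructed-user")
        self.app_sessions[app_sid] = subject   # app session is built from the presented cert
        return subject, prompted

    def sign_out(self, app_sid):
        self.app_sessions.pop(app_sid, None)   # Session.Abandon(): application state only
        # Nothing here reaches self.tls: the TLS session outlives the sign-out.


def run_scenario(server_cache_time):
    """Steps 2-4 of the scenario; returns whether each visit prompted for the PIN."""
    site = Site(server_cache_time)
    prompts = []
    _, p = site.request_secret("tls-1", "app-A", now=0)   # step 2: first visit to /secret/
    prompts.append(p)
    site.sign_out("app-A")                                 # step 3: signout.aspx
    assert "app-A" not in site.app_sessions                # the app session really is gone
    _, p = site.request_secret("tls-1", "app-B", now=1)   # step 4: browser resumes TLS
    prompts.append(p)
    _, p = site.request_secret("tls-1", "app-C", now=server_cache_time + 1)  # cache expired
    prompts.append(p)
    return prompts
```

run_scenario(300) reports a PIN prompt on the first visit, none after sign-out, and one only once the cache lifetime has passed, which is the behaviour the post describes.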
Re: Client Certificate and SSL termination
on 27.08.2007 04:51:23 by Ken Schaefer
How exactly are you "terminating the SSL session" in Step 3?
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"kjartan" wrote in message
news:29407BAD-3CA9-4767-82C3-72B036897EA3@microsoft.com...
Re: Client Certificate and SSL termination
on 27.08.2007 11:22:00 by kjartan
I am not, and that is my problem I think. Since the SSL session is not
terminated, the user is not asked for his client certificate again since the
SSL session is still authenticated.
I have been searching for a solution for some time now. The only info I have
found about the SSL session was in http://support.microsoft.com/?id=247658.
This article shows how to configure the SSL session timeout, but this is no
good for me, since I want to close the session explicitly when the user
logs out of my web application.
Best regards,
Kjartan
"Ken Schaefer" wrote:
> How exactly are you "terminating the SSL session" in Step 3?