Hey Paul (guys). I'm interested in someone assisting me a little bit with the GPO policies side of the certificates. I'm working on a project where I want to have the user authenticate with their AD credentials and have the IVE evaluate the client side certificate installed on the PC. So, here are the steps I'm planning:
1) Create an LDAP server object. (The LDAP instead of AD will give me password management power).
2) Install a Trusted CA to verify the client side certs.
3) Using Hostchecker evaluate the cert and based on the cert attributes and the AD account, I'll create role mappings.
My situation is, my AD guru is gone and I'm going to be assisting his replacement and he may have more questions than I can answer for his side.
My questions are:
1) Is AD PKI the same as pushing digital certs via GPOs as you mentioned?
2) When a user has a digital certificate installed in the browser of a PC, is Hostchecker even required? I saw where someone said the browser serves it up. So, I'm curious as to how I can have the IVE capture that without running Hostchecker. My thought is that having the certificate page under realm or role restrictions does the trick?
Regarding point 2), if it is present in the browser store, then it's a client cert and not a machine cert. For those you do not need HC.
HC is needed if you want to check certs being in other stores of your client PC, e.g. when checking certs stored on a smartcard etc.
But this is not a machine certificate anymore, because in my understanding a machine cert identifies the machine, which can not be done by just inserting a smart card (by the user)...
Ben,
Thanks for the response. So, if it is in the browser, will the IVE still be able to evaluate the certificate and its properties so that I can create custom expressions from this info?
Hey (guys/gals). I'm interested in someone assisting me a little bit with the GPO policies side of the certificates. I'm working on a project where I want to have the user authenticate with their AD credentials and have the IVE evaluate the client side certificate installed on the PC. So, here are the steps I'm planning:
1) I've tried to test this and have not been able to see how the IVE can evaluate the browser cert and use it in a custom expression or even validate it. So, when a user has a digital certificate installed in the browser of a PC, Hostchecker is not required. I saw where someone said the browser serves it up. So, I'm curious as to how I can have the IVE capture that info?
Does it have to be in a specific store?
To avoid confusion - I've reposted this issue. (Forget about the GPO stuff.)
Hey (guys/gals). I'm interested in someone assisting me a little bit. I'm working on a project where I want to have the user authenticate with their AD credentials and have the IVE evaluate or validate the client side certificate installed on the PC. I know to validate the cert I will need a trusted root CA from the internal PKI system. So, here are the steps I'm planning:
1) Create an LDAPS server object. (The LDAPS instead of AD will give me password management power).
2) Install a Trusted CA to verify the client side certs.
3) Using custom expressions evaluate the cert and based on the cert attributes and the AD account, I'll create role mappings.
My questions are:
1) When a user has a digital certificate installed in the browser of a PC, I've been told that Hostchecker is not required. I saw where someone said the browser serves it up. So, I'm curious as to how I can have the IVE capture that certificate info without running hostchecker.
2) I've tried to test this and have not been able to see how the IVE can evaluate the browser cert and use it in a custom expression or even validate it (without the trusted CA cert installed).
Does it have to be in a specific store?
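The mapping logic the reposted plan describes (trusted CA, CRL check, then role mapping from certificate attributes combined with the AD/LDAP account) written out as an added example. This is not code from the thread or from the IVE product; the IVE expresses these conditions in its own custom-expression syntax, so the rule structure, role names, group names and certificate values below are constructed stand-ins for what a real deployment would read from the presented X.509 certificate and the directory.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple


def parse_dn(dn: str) -> Dict[str, str]:
    """Split a simple DN such as "CN=jdoe,OU=Finance,O=Example Corp" into a
    component map. Escaped commas are not handled; the constructed DNs in
    this example do not use them."""
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, _, value = rdn.partition("=")
        if key.strip():
            parts[key.strip().upper()] = value.strip()
    return parts


@dataclass
class ClientCert:
    """Attributes of the client certificate the browser presented (constructed;
    a real deployment would take them from the parsed X.509 certificate)."""
    subject: Dict[str, str]
    issuer_cn: str
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class Rule:
    """One role-mapping rule. A condition left as None is not checked."""
    name: str
    role: str
    cert_ou: Optional[str] = None          # certificate subject OU must equal this
    required_group: Optional[str] = None   # user must be in this AD/LDAP group


def validate_cert(cert: ClientCert, trusted_issuer_cn: str,
                  revoked_serials: Set[int], now: datetime) -> Tuple[bool, str]:
    """Checks a trusted-CA plus CRL configuration performs before any certificate
    attribute is trusted for mapping. The issuer-name comparison stands in for
    chain verification against the installed trusted CA certificate."""
    if cert.issuer_cn != trusted_issuer_cn:
        return False, "issuer not trusted"
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    if cert.serial in revoked_serials:
        return False, "serial listed in CRL"
    return True, "ok"


def map_roles(cert: ClientCert, ad_groups: List[str], rules: List[Rule],
              trusted_issuer_cn: str, revoked_serials: Set[int],
              now: datetime) -> List[str]:
    """Return the roles whose rules match both the certificate and the directory
    groups. An invalid or revoked certificate maps to no role at all, whatever
    the user's group membership."""
    ok, _reason = validate_cert(cert, trusted_issuer_cn, revoked_serials, now)
    if not ok:
        return []
    roles: List[str] = []
    for rule in rules:
        if rule.cert_ou is not None and cert.subject.get("OU") != rule.cert_ou:
            continue
        if rule.required_group is not None and rule.required_group not in ad_groups:
            continue
        if rule.role not in roles:
            roles.append(rule.role)
    return roles


# Constructed sample data (hypothetical CA name, user, groups and roles).
TRUSTED_ISSUER = "Example Issuing CA"
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_CERT = ClientCert(
    subject=parse_dn("CN=jdoe,OU=Finance,O=Example Corp"),
    issuer_cn=TRUSTED_ISSUER,
    serial=4242,
    not_before=datetime(2024, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2025, 1, 1, tzinfo=timezone.utc),
)
SAMPLE_GROUPS = ["Domain Users", "VPN-Finance"]
RULES = [
    Rule("finance", "finance-vpn", cert_ou="Finance", required_group="VPN-Finance"),
    Rule("hr", "hr-vpn", cert_ou="HR", required_group="VPN-HR"),
    Rule("baseline", "any-employee", required_group="Domain Users"),
]


def demo(revoked_serials: Optional[Set[int]] = None) -> List[str]:
    """Map the sample user; pass {4242} to watch the CRL check block the mapping."""
    return map_roles(SAMPLE_CERT, SAMPLE_GROUPS, RULES, TRUSTED_ISSUER,
                     revoked_serials or set(), NOW)


if __name__ == "__main__":
    print("valid cert   ->", demo())          # ['finance-vpn', 'any-employee']
    print("revoked cert ->", demo({4242}))    # []
```

The order matters: validity and revocation are decided before any subject attribute is consulted, so a certificate from an untrusted issuer or one on the CRL never reaches the group-based rules even when the AD login itself succeeded.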
OK, Progress!
So, I've gotten the LDAP server to work properly and I'm able to see the Cert ... "served up" automatically in a pop-up. The user then chooses the cert or says OK. The IVE evaluates the info in the cert. Sweet!!
Now,
I'm having problems with the CRL list. The IVE gets a "Failed to connect" error when it tries to check for it. I have a PC on the same internal network as the IVE and when I place the URL in the browser of the PC I get the list with no problem.
Question #1 - Does anyone know why?
Question #2 - Is it part of the natural process for the pop-up of the cert? Is there a way for the IVE to see the cert without the user having to see the pop-up and click yes?
Re: Question #2 - Is it part of the natural process for the pop-up of the cert? Is there a way for the IVE to see the cert without the user having to see the pop-up and click yes?
There is an option under Internet Options - Security - Custom which allows you to avoid the popup if there is only one certificate (or none) installed in the browser.
KENLAR,
That was it! Thanks a million!
For some reason I can't mark that as a solution...?
Guys, thanks for your help. I have just about completed my testing with success. The problem I'm running into now is the IVE can't seem to retrieve the CRL from the distribution points.
There are several options that have been presented to the IVE (both fail). Option 1 is via LDAP and option 2 is via HTTP. I've been trying to use the HTTP method but it is failing. The error just says "Failed, Failed to connect." I've opened a ticket but so far no dice.
Anyone?
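The "Failed to connect" CRL symptom raised in the last two posts (the PC on the same segment can fetch the CRL, the appliance cannot) usually comes down to name resolution, routing or a proxy in between, or the distribution point handing back something other than a CRL. This added diagnostic, which is not code from the thread or from the appliance vendor, runs the same fetch from a host on the appliance's network and classifies where it stops; the URL in the usage note is a constructed placeholder, and proxies are deliberately bypassed so the result reflects direct reachability.

```python
import socket
import urllib.error
import urllib.request
from typing import Tuple
from urllib.parse import urlparse

PEM_HEADER = b"-----BEGIN X509 CRL-----"


def der_sequence_ok(data: bytes) -> bool:
    """True if the body is a single, complete DER SEQUENCE (the outer shape of
    a DER-encoded CRL): tag 0x30 followed by a length that covers the rest."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        length, header = first, 2
    else:                                  # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        length, header = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return header + length == len(data)


def classify_crl_bytes(data: bytes) -> str:
    """Cheap sanity check on a fetched body. A proxy sign-in page or an HTML
    error page is a common reason a fetch "succeeds" yet the CRL check fails."""
    if data.startswith(PEM_HEADER):
        return "PEM"
    if der_sequence_ok(data):
        return "DER"
    return "unknown"


def check_crl_url(url: str, timeout: float = 5.0) -> Tuple[str, str]:
    """Fetch an HTTP distribution point and return (stage, detail), where stage
    is the first of dns, connect, http, parse that failed, or ok."""
    host = urlparse(url).hostname or ""
    try:
        socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        return "dns", f"cannot resolve {host!r}: {exc}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read()
    except urllib.error.HTTPError as exc:          # subclass of URLError, so first
        return "http", f"server answered with status {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return "connect", f"could not reach {url}: {exc}"
    kind = classify_crl_bytes(body)
    if kind == "unknown":
        return "parse", f"{len(body)} bytes fetched but not a DER or PEM CRL"
    return "ok", f"{kind} CRL, {len(body)} bytes"


if __name__ == "__main__":
    # Constructed placeholder URL; replace with the CDP URL from the certificate.
    print(check_crl_url("http://pki.example.test/crl/issuing-ca.crl"))
```

Compare the stage reported from a host next to the appliance with what the PC sees: "dns" points at the appliance's resolver settings, "connect" at routing or a firewall between the appliance's interface and the CDP, and "parse" at a proxy or web server answering with a page instead of the CRL file.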