
Hi everyone:

Has anyone successfully enabled client authentication on an IIS6 Midtier? The reason why I ask is it's causing me a lot of grief, and it seems like there should be a simple solution. Let me explain my situation before I go into the details.

I need to turn on client authentication on the IIS server (keyword is NEED - it's not an option...they're forcing me to do it), which forces the user to provide a client certificate to the web server to authenticate. In my case the client certificate is pulled off a common access card (CAC). Enabling this is a piece of cake in IIS, but the problem is executing JSP. When the login.jsp appears in the browser (Internet Explorer), the browser prompts the user for the certificate to use for the authentication. So, OK, fine, the user clicks on her certificate. IE validates the certificate and starts to display login.jsp. But then the JRE jumps into the mix and asks for a certificate, too, citing that the web server is requesting identification - even though the user has already successfully provided a certificate to the browser.

So I researched this and found a seemingly relevant Q&A on the Sun Developers Network:

Q: Why does the Sun Plugin require a second authentication when the browser already authenticates the first time?

A: This is due to the architecture design of Java plugin, starting in JRE 1.4. Java plugin uses JSSE to do the network handshaking (no longer the browser). Therefore Java plugin is not able to get previous information from the browser. There are actually many authentication methods. We did implement some features in JRE 5, such as basic authentication, that involve the username and password, so that users won't be presented with the password dialog many times. But for client authentication, which needs a client certificate, a user will still see two certificate dialog box popups.

OK, that's really annoying and will lead to hundreds of thousands of complaints from users, but fine, I can live with it. But what's really weird and annoying is the fact that the plugin popup that asks which certificate to use pops up every time a new page is loaded! So in other words, it pops up at the login.jsp, then it pops up when the main form appears, and then it pops up anytime your app displays another form - even dialog boxes! That's unacceptable. So back to the Sun Developers Network I go and found that JRE 1.5.0_6 has a bug in it that had previously been fixed that causes this behavior - that is, repeatedly asking the user for authentication. They purport that the bug is fixed in JRE 1.5.0_7, but I installed that, and the behavior does not go away.

I know I'm not the only Remedy developer in the world facing this problem.  Has anyone else tackled it or have any ideas at all?

Thanks,

Norm

__20060125_______________________This posting was submitted with HTML in it___
