Thanks for the reply. The only other outstanding issue is the particular site I use it with most sometimes requests user/pass every time I click on a link within the site. It's annoying :(
On 1/8/07, Timothy J. Miller <[EMAIL PROTECTED]> wrote:
John H. wrote:
> Yes, that fixes it! That's what I've been wondering how to force it to do for a while, as I always noticed with IE that it worked with one but not the other.

Technically speaking, the back-end application should accept either. Practically speaking, the naive way of mapping cert to account in Active Directory is to add the user's UPN to the cert. The DoD PKI only does this in the email signing cert. So naive developers and AD admins allow for this and go no further.

However, both IIS and AD support an attribute, altSecurityIdentities. This attribute can be populated with the subject and issuer DNs. If a cert is presented to IIS that has no UPN, IIS will query AD using this attribute to find the account.

Unfortunately a lot of domains don't have this attribute populated. There's a tool the AF uses (LEAP) that will allow users to populate this themselves, but not everyone has done this.

> Is it possible, in Firefox, to force a specific SITE to use a specific certificate, like the site in question, to where you are not prompted for it each time?

Not that I'm aware of, though it is possible to do this in Safari on OS X.

I've experimented with using the trust list exchanged during the SSL handshake to limit cert selection on the client to only the email signing cert. Couple of problems: 1) IIS won't let you do this, and 2) browser support for SSL trust lists with no root CAs in them is spotty (and technically it's not allowed anyway).

-- Tim

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
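Added example, not part of the original thread: a Python sketch of the lookup order described in the quoted message (UPN from the cert if present, otherwise an altSecurityIdentities match on issuer and subject DN), showing why an account with the attribute unpopulated cannot be found for a cert without a UPN. All account names and DNs are constructed; the `X509:<I>...<S>...` value layout with root-first RDN order and the case-insensitive match are assumptions to verify against your own directory.

```python
# Added illustration; helper names and sample data are constructed.

def split_rdns(dn):
    """Split an RFC 4514 DN string on unescaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])          # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur).lstrip())
    return [p for p in parts if p]

def alt_security_identity(issuer_dn, subject_dn):
    """Build the issuer+subject mapping value. Input DNs are leaf-first
    (RFC 4514); output is root-first (assumed AD convention)."""
    issuer = ",".join(reversed(split_rdns(issuer_dn)))
    subject = ",".join(reversed(split_rdns(subject_dn)))
    return f"X509:<I>{issuer}<S>{subject}"

def resolve_account(cert, directory):
    """UPN lookup if the cert carries one, else altSecurityIdentities.
    Returns the account name, or None when there is no unique match."""
    if cert.get("upn"):
        hits = [a for a in directory if a["upn"].lower() == cert["upn"].lower()]
    else:
        want = alt_security_identity(cert["issuer"], cert["subject"]).lower()
        hits = [a for a in directory
                if want in (v.lower() for v in a.get("altSecurityIdentities", []))]
    return hits[0]["sam"] if len(hits) == 1 else None

ISSUER = "CN=Example CA 1,O=Example Org,C=US"            # constructed
DIRECTORY = [                                            # constructed accounts
    {"sam": "jdoe", "upn": "jdoe@example.org", "altSecurityIdentities": [
        "X509:<I>C=US,O=Example Org,CN=Example CA 1"
        "<S>C=US,O=Example Org,OU=Staff,CN=Doe\\, Jane"]},
    {"sam": "rsmith", "upn": "rsmith@example.org"},      # attribute not populated
]
SIGNING_CERT = {"upn": "rsmith@example.org", "issuer": ISSUER,
                "subject": "CN=Smith\\, Rob,OU=Staff,O=Example Org,C=US"}
ID_CERT_JDOE = {"issuer": ISSUER,                        # no UPN in this cert
                "subject": "CN=Doe\\, Jane,OU=Staff,O=Example Org,C=US"}
ID_CERT_RSMITH = {"issuer": ISSUER,
                  "subject": "CN=Smith\\, Rob,OU=Staff,O=Example Org,C=US"}

if __name__ == "__main__":
    for name, cert in [("signing", SIGNING_CERT), ("id/jdoe", ID_CERT_JDOE),
                       ("id/rsmith", ID_CERT_RSMITH)]:
        print(name, "->", resolve_account(cert, DIRECTORY))
```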
