Client Certificate in Vista
Hello, We are running into an issue with Windows Vista clients (using IE7) when trying to access a secure (SSL+Require Cert) web-page with Client Certificates. It only pops-up an empty list (Choose a digital certificate) to choose a Client certificate from. We have applied KB article 922706 on the CA machine (Windows Server 2003). We can now go to certsrv and request and install the certificates (client and CA), but when I go to the secured site I am prompted to select a certificate, but the box is empty. When I look at the Personal certificate store, I see the certificate listed. The CA is listed under Trusted Certificates. Using MMC I have also made sure the certificates are under both Local Computer and User, just to make sure it's not some sort of security issue. We have also elevated the IE7 to "Run as administrator". Everything works fine if the client is Windows XP, both with IE6 and IE7. The problem only occurs on clients running Vista. We are using Web enrollment to request/download requested certificates. Any help would be greatly appreciated! Thank you in advance! /P
May 13th, 2008 2:16pm

Hi, Please read the following KB article to check if this is the same issue as yours. "A certificate may not be enrolled, and you do not receive an error message in Windows Vista": http://support.microsoft.com/kb/926168/en-us Besides, have you tried to delete the existing certificates and re-install them? Thanks.
May 14th, 2008 2:30pm

Hello Yog Li, thank you for your answer. Unfortunately it doesn't seem to be the problem. If I understand the KB you linked correctly it applies to Vista running the Cert Srv? We are running the Cert Srv on a Win Server 2003 R2. The command in the KB (debug) does not work here? Also, our Cert Srv is set up as stand-alone, if that makes any difference. Yes, we have tried to remove and install the certificate several times on several different Vista clients. Also using MMC to add the cert to be sure. The certificate is always shown in the MMC, but IE always pops-up an empty list of certificates to choose from. Best regards, P
May 15th, 2008 10:28am

Hi, an update: We installed FireFox on the Vista machine, and requested the certificate using it. This works as it should! So the problem must be the combination Vista+IE7... (too bad we can't use FF though...) /P
May 15th, 2008 11:11am

Hi, It seems that some configuration settings caused this issue. Try to reset your IE by following the methods in the article below. Hope it helps. "How to optimize or reset Internet Explorer 7": http://support.microsoft.com/kb/936213/en-us
May 16th, 2008 2:14pm

Hello, it sounds strange that all our 4 test-machines should have this error. Two of these machines also have a fresh install of Vista, only patched, nothing else on them. But I agree, it sounds like something of that sort, that is why we tried to manually install the certificate via MMC also. We did try the reset-link you posted above, but I am sorry to say it did not work on any of the machines. The only thing that happened is that the empty list of certificates to choose from never showed up. The secured web-site still did not recognize that the client had a certificate. Thanks for your time and efforts! It seems the time to call MS has come... Best regards, P
May 19th, 2008 1:47pm

FYI I did find this thread also, seems to describe the problems we have (but we don't use OWA in this case): http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2121794&SiteID=17 /P
May 19th, 2008 1:50pm

Can you see the certificate in the local store by using the mmc? What version of Vista do you use? Are you sure that your client certificates have the right properties?
May 29th, 2008 9:06am

Hello izackhack, Yes we can. Windows Vista Enterprise SP1. What kind of properties for client certificates are you referring to? As I wrote before it works for Windows XP using IE6/IE7/FF and Vista using FF. So if there are any special settings we should use for Vista and IE7, then I guess no. Where could I find more info about this? /P
June 3rd, 2008 8:34am

I am also having the same issue. Have you found a solution to this problem? Microsoft needs to release a Hot Fix for this issue. It appears to me that the Vista IE7 Browser software is not able to match the client cert with the server cert for some reason, or the browser is looking in the wrong store for the cert.
June 11th, 2008 6:23pm

We have solved this issue. If you choose advanced certificate services and change the encryption key to 2048 it will work. Firefox does 2048 by default and that is why it works and Vista does not.
June 23rd, 2008 10:39pm

Wow! This actually worked! Thanks for posting the "solution"! (is this a solution or is this a work-around? Vista security "feature"?) (I haven't had time to contact MS about this, the company chose another interim security solution. This project got down-prioritized... it was meant to get re-opened in August again though, so this solution makes it easier!) Again, thanks! I thought I was the only one in the world with this problem (me stupid?).
June 24th, 2008 2:04pm

Sorry, but where can you reset the encryption key to 2048?
August 11th, 2008 1:10am

You do an ADVANCE CERTIFICATION REQUEST, then there is a section for key options. That is where you set the key to 2048.
Key Options:
  Create new key set
  Use existing key set
  CSP: Loading...
  Key Usage: Exchange Signature Both
  Key Size: Min: (common key sizes: ) Max:
  Warning: Large keys can take many hours to generate!
  A key of this size will be generated only if a key for the specified usage does not already exist in the specified container.
  Automatic key container name
  User specified key container name
  Container Name:
  Mark keys as exportable
  Enable strong private key protection
August 12th, 2008 2:21am
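
An added example, not part of any post in this thread: a PowerShell listing of the client-certificate properties raised above (key size, private key presence, Client Authentication EKU, expiry) for the current user's Personal store. The function name Test-ClientCertCandidate and the variable names are illustrative, the 2048-bit threshold is the value the thread reports as working, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the thread). Reports, for each certificate in the
# current user's Personal store, the properties discussed in the posts above.
# Assumptions: Test-ClientCertCandidate, $MinKeyBits and the column names are
# illustrative; 2048 is the key size the thread reports as working.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$MinKeyBits    = 2048

function Test-ClientCertCandidate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$MinBits
    )

    # A certificate with no EKU extension is not restricted to specific purposes.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ekuExt) {
        $clientAuth = [bool]($ekuExt.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $ClientAuthOid })
    } else {
        $clientAuth = $true
    }

    # PublicKey.Key can throw for key types .NET does not expose this way.
    try   { $bits = $Cert.PublicKey.Key.KeySize }
    catch { $bits = 0 }

    New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        KeyBits       = $bits
        KeySizeOk     = ($bits -ge $MinBits)
        HasPrivateKey = $Cert.HasPrivateKey
        ClientAuth    = $clientAuth
        NotExpired    = ($Cert.NotAfter -gt (Get-Date))
    }
}

Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-ClientCertCandidate -Cert $_ -MinBits $MinKeyBits } |
    Format-Table Subject, KeyBits, KeySizeOk, HasPrivateKey, ClientAuth, NotExpired -AutoSize
```

A row with KeySizeOk = False corresponds to the case the thread resolved by re-requesting the certificate with a 2048-bit key.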

Hi, I have some problem with Windows Vista / IE7, but I didn't understand how you have solved this problem using Firefox and 2048b encryption key. I try to require a certificate using Firefox but if:
1) I ask for Certificate for Web Browser: after I have made the request, the Certification Auth (I) can't issue the certificate due to this error message: "Error during certificate creating or publishing. Forwarded from <DOMAIN>\Administrator"
2) I ask for the Advanced Certificate Request: I view only the page
////////////////////
Submit a certificate request or certificate renewal request
To submit a saved request to the CA, paste into the Saved Request box a base-64-encoded CMC or PKCS #10 certificate request or an externally generated PKCS #7 renewal request (for example from a Web server).
Saved request: base-64-encoded certificate request (CMC or PKCS #10 or PKCS #7):
Additional attributes: Attributes:
SUBMIT
////////////////////
Can you tell me more details about your solution??? Thank you
P.S.: but Microsoft didn't resolve the problem yet?????
October 10th, 2008 5:10pm

To use FireFox you have to run the following hack.
certutil -setreg ca\CRLFlags +CRLF_ALLOW_REQUEST_ATTRIBUTE_SUBJECT
October 10th, 2008 9:53pm

Hi, thank you for your graceful help! I have run your hack on the Windows 2003 R2 SP2 -TEST- Server and it's ok, but when I apply the hack on the Production Server (Windows 2003 SP2), when I access the CertSrv Web site with Firefox and click on Request certificate I can view only the option "User certificate", but Browser Certificate and other options are hidden. Can you help me to understand the reasons? Thanks also.
October 13th, 2008 2:02pm

This topic is archived. No further replies will be accepted.
