Certificate Prompt in IE11 on 2012 R2 with RDS or Citrix causes Allow/Deny Prompt to Appear in Another Users Session

  • Question

  • Hi there, spreading this a little wider to see whether anyone else has experienced the same issue and whether anyone has found a workaround. Disabling strong security on the cert works around the issue, as the prompt will not occur without strong security enabled.

    Summary of issue:

    When using Internet Explorer 11 on 2012 R2 with RDS or Citrix and "Enable Strong Security" is set on a Personal Certificate, the prompt to ALLOW or DON'T ALLOW the application (in this case IE11) to access the certificate appears in another user's session.

    Others have highlighted the same issue:

    https://connect.microsoft.com/IE/Feedback/Details/1335957

    Greg99 details the steps in this post with screenshots:

    https://social.technet.microsoft.com/Forums/en-US/f630cc0f-a707-477e-a397-202e29247e13/certificate-prompt-in-rdp-session-and-then-puts-an-allowdeny-option-on-another-users-session?forum=winserverTS

    http://www.symantec.com/connect/forums/windows-security-prompts-wrong-user-access-pki-key-personal-certificate-internet-explorer-11
    

    Cheers.

    Monday, June 29, 2015 11:25 PM

All replies

  • Hi,

    According to your description, maybe you are misunderstanding the policy setting:

    System Cryptography: Force strong key protection for user keys stored on the computer

    Please see the link below to check whether it helps with this problem:

    http://blogs.technet.com/b/pki/archive/2009/06/17/what-is-a-strong-key-protection-in-windows.aspx


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, June 30, 2015 7:13 AM
    Moderator
  • Hi Roger, thanks for your reply.

    Unfortunately no misunderstanding.

    It is normal that a user will be prompted with "allow" or "don't allow", in their session, when an application attempts to access a certificate with strong security enabled. The default GPO setting for "System Cryptography: Force strong key protection for user keys stored on the computer" is set to "not defined" which states that "User is prompted when the key is first used".

    It is not normal that the prompt appears within another user's RDS/Citrix session when the default setting is used.

    You can configure a computer-based GPO to force no prompt, to prompt you, or to require a password. Computer-based GPOs would apply that setting to all users of that computer and for all certificates with strong key protection enabled.

    You could get around the bug/issue by setting a computer-based GPO to force "no prompt" when an application accesses a key; however, the result is a reduction in both visibility and security for that certificate and for all users on that RDS/Citrix server.

    Looks like a bug with no fix.

    Cheers

    Tuesday, June 30, 2015 11:56 AM
  • Hi,

    Thanks for your feedback. I'll do further research on this problem; if there is any progress, I'll post here.



    Wednesday, July 1, 2015 1:54 AM
    Moderator
  • After submitting 3 screenshots showing this exact problem to Microsoft back on 11/07/2014, they finally acknowledged that it was a bug 4 weeks later. At that time they refunded the fee for the trouble ticket but they have still NOT resolved the issue. It is now Sep. 25 2015.

    Not sure I expect them to ever fix it. In case anyone at Microsoft cares, the ticket # was: REG:214101411899978002

    Friday, September 25, 2015 6:24 PM
  • Hi there,

    Did anyone ever find a resolution for this? We are experiencing the same issue...

    Thanks

    Monday, March 7, 2016 8:21 PM