Get warning message when enrolling certificate on Windows 7, IE 8, Windows 2008 R2 Server

  • Question

  • I need to be able to enroll without a popup for our users. I can add the Certificate Server to "Trusted Sites" and set the appropriate security levels (such as allow scripting, etc.) in Vista and IE7 without any issues. This way, when a user visits the site and requests a certificate, he is not prompted with the warning box that says "This Web site is attempting to perform a digital certificate operation on your behalf". The problem is that if a user clicks "No" to that message, it automatically pops up an error that is not correct: "In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication."

    What settings can I use in Windows 7, IE 8 to get past that popup?  Every setting I have tried still results in that popup appearing.
    Thursday, February 4, 2010 10:29 PM

Answers

  • To be honest, you should be letting that prompt appear, and here is why.
    If you disable the prompt, I can do the following to your users:
    - Install a root CA certificate into their certificate store without their knowledge
    - Issue them any certificate that I want without their knowledge
    - With a DNS attack, I can now direct them to a fraudulent Web site, and they will *trust my fake certificate* since I installed my trusted root on their box.

    Why not work on educating the user that they should be aware that they are requesting a certificate, and should answer Yes when connecting to your corporate site? Or, why not use autoenrolment if you want no user interaction?

    Brian
    • Proposed as answer by Miles Li Friday, February 12, 2010 7:01 AM
    • Marked as answer by Miles Li Friday, February 12, 2010 7:01 AM
    Friday, February 5, 2010 1:42 AM
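    Brian's first bullet is the risk a defender can actually check for: a root CA that has been added to one user's store but is not part of the machine-wide trusted roots. The script below is an added example, not code from this thread or from Microsoft; it assumes a Windows 7-era PowerShell with the Cert: drive and that the thumbprint allowlist is a placeholder you replace with roots you knowingly deploy per user.

```powershell
# Added example (not from the thread): report root CA certificates that are
# trusted only for the current user, i.e. not present in LocalMachine\Root.
# A root silently added by an unattended in-browser enrollment would appear here.
function Get-UserOnlyRootCertificate {
    # The Cert: drive's CurrentUser\Root view also shows machine-wide roots,
    # so the difference between the two stores is what was added per user.
    $machineRoots = @{}
    Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
        $machineRoots[$_.Thumbprint] = $true
    }

    Get-ChildItem -Path Cert:\CurrentUser\Root |
        Where-Object { -not $machineRoots.ContainsKey($_.Thumbprint) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                SelfSigned = ($_.Subject -eq $_.Issuer)   # roots are self-issued
                NotAfter   = $_.NotAfter
            }
        }
}

# Constructed allowlist (placeholder thumbprint) of roots your organisation
# knowingly deploys per user; anything not listed is reported for review.
$knownUserRoots = @(
    '0000000000000000000000000000000000000000'
)

Get-UserOnlyRootCertificate |
    Where-Object { $knownUserRoots -notcontains $_.Thumbprint } |
    Format-Table Thumbprint, Subject, SelfSigned, NotAfter -AutoSize
```

    Run it under the user account being audited, since the CurrentUser store is per profile; an empty result means every root the user trusts is also a machine-wide or allowlisted root.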

All replies

  • Hi Brian,

    We are using certenroll in a secured environment, on a smartcard station, for generation of keys and printing on smartcards via a browser /javascript application.

    We would also like a solution to this problem. It is a Windows 7 operating system, using IE 8.0, and we would like to configure it so that this pop up "This Web site is attempting to perform a digital certificate operation on your behalf" does NOT ever appear.

    Do you know if it is possible to achieve this, and if so how?

    Or is this pop-up now impossible to dispose of (it is possible on Vista, and all the workstations are thus now locked to use only Vista)?

    Kevin

    Wednesday, March 30, 2011 1:21 PM
  • The answer to this question was found subsequently:

    http://blogs.msdn.com/b/alejacma/archive/2011/02/18/how-to-disable-quot-this-web-site-is-attempting-to-perform-a-digital-certificate-operation-on-your-behalf-quot-message.aspx

    "NO, we cannot disable this security warning on Windows 7. The enrollment is done by CertEnroll control. This control will always show the security warning when running within a browser. This is by design.

    Actually, if CertEnroll cannot show that warning for some reason, it will just stop working. That is what happened in this bug I worked on some time ago:

    The CertEnroll control does not work in Internet Explorer 8 on a computer that is running Windows 7 or Windows Server 2008 R2

    The only way to get rid of this warning is to use CertEnroll out of the browser, in e.g. a WinForms app."

    Kevin

    • Proposed as answer by KGB WK Wednesday, March 30, 2011 1:43 PM
    Wednesday, March 30, 2011 1:43 PM