I'm having an issue where when trying to connect to my employer's website from my home computers I'm not getting prompted for my smart card credentials whenever I'm using my laptop, however when I'm using my desktop the prompts appear and smart card authentication occurs. Both systems are using Windows 10, and I'm using IE11 and Chrome on both systems. I suspect that there may be some Windows side setting that's blocking the browsers from seeing my smart card on my laptop, but after countless hours of troubleshooting and digging around every possible option online I'm at a standstill here.
Things that I've tried:
Tested smart card reader and card on second computer, no issues, IE/Chrome prompts for certificate and allows login to employer website.
Internet Options > Security > Internet > Custom Level: Don't prompt for client certificate selection when only one certificate exists - set to Disable
Internet Options > Content > Certificates: All smart card certificates are enabled for client authentication
Internet Options > Advanced: SSL 3.0, TLS 1.0/1.1/1.2 enabled
Installed all required PKI certificates required by employer
My smart card certificates do appear under the personal tab, so I know the laptop is seeing them, but for some reason IE and Chrome can't access the certificates (further verified by removing the card, deleting the certificates, reinserting the card and checking that the certificates come back).
I know it's not an issue with my internet connection or my employer's website as my desktop prompts me for my smart card certificate appropriately, so the issue here is limited to just my laptop. At a minimum the website should be pulling up the Windows smart card dialog and prompting me for my card even when it's not inserted, but I can't even get to that point right now.
I finally figured it out after finding a TechNet article on enabling the advanced CryptoAPI 2.0 diagnostics. It turned out that the Kaspersky anti-virus I had installed on my computer was injecting it's own security certificate instead of letting Windows pop up the certificates on my smart card. Uninstalled Kaspersky, everything worked.
Related
I have several devices that have invalid SSL certificates, mostly old routers,iDRAC,iLO etc.
It now appears to be impossible to access these devices via Chrome and Firefox.
In the past I have been able to add exceptions to access these devices, but I no longer seem to get the options.
Now I understand fully that these devices should be upgraded and I know there are very big risks when ignoring certificate errors, so please do not put a ton of replies telling me to upgrade, as this is not always possible, some of these devices do not any any upgrades available! also how do you upgrade a device that can be upgraded if you cant access it in the first place?
So the question is, is it possible to tell Chrome or Firefox to ignore all SSL/Certificate errors (like invalid certificate or incorrect SSL version), or is there an alternative browser that will work in there place that still allows things like javascript etc to run. I have tried a few browsers in the falcon/surf/hv3 but none of these work.
I cant find any method for the latest versions of chrome and the only thing I could find for firefox was 'security.ssl.enable_ocsp_stapling' and that didn't seem to make any difference :(
I would prefer to use my current install rather than creating a VM and running a totally outdated OS, which also creates problems with SSH and VPN access.
As request, example of error accessing old draytek router via firefox, no option given to bypass:
Secure Connection Failed
An error occurred during a connection to IP-ADDR.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
Chrome error when trying to access HP iLO, get option to ignore, but then get :
This site can’t be reached
The web page at https://IP-ADDR/login.htm might be temporarily down or it may have moved permanently to a new web address.
ERR_SSL_BAD_RECORD_MAC_ALERT
But in general looking to be able to access sites that chrome & firefox have decided in the last year or so that I am incapable of deciding if I trust the site (emphases on the 'I').
Both of these errors do not seem to be related to the certificate at all and can therefore not be solved by ignoring certificate problems. These are not trust problems but these are protocol incompatibility problems.
The problem with HP iLO is likely because the device supports only SSL 3.0 which is insecure for years and thus is not usable in any modern browser and OS. The problem with the Draytek router is not fully clear (there should be more information available in the browser) but it is likely similar, i.e. only SSL 3.0 or some unsupported because insecure cipher like RC4.
One option to deal with these devices is to install some older OS (like Ubuntu 12.04 or even older) in a virtual machine and use the browser from this machine to access the device. And of course note that these devices are long out of support and continued use might cause security risks.
Our IT department recently updated the certificate of our ADFS server.
Now some of our clients get a certificate dialog, especially Windows and Android devices, if they want to access our web applications and log in via AAD/ADFS.
(Sorry, Chrome blocks screenshots in incognito)
What has our IT department forgotten or disregarded here?
How can I proceed to find the cause?
Reproduce the issue and check if the port number is getting listed as 49443, (this information is not clearly visible in the first screenshot)
If it is 49443, certificate authentication is enabled on ADFS.
I have a ClearOs Linux server which, amongst other things, runs a CUPS print server. Installing CUPS makes an admin interface available via https protocol.
Every time I connect to this admin server, Chrome (and IE) warns me the certificate is invalid, and I have to click twice more to go through to the site.
I would like to tell Chrome to trust this certificate. I have Googled how to do this, and tried 3 or 4 different recipes - none of them seem to have worked (the certificate is still not trusted). I have tried the following:
Connect to the site via IE running as Administrator, click on the invalid certificate flash next to the url, view certificate, install certificate, choose Trusted Root Certificate store, and install it. I also tried the Personal store and the Trusted publishers store.
Connect to the site via Chrome, click on the certificate and export it, do Settings/Advanced/Manage certificates, and import it into the store (again, I tried Trusted Root and Personal stores).
I also tried some other instructions which said to start by running "MMC" from the Windows Start button - but typing MMC only offers me Hyper-V manager and Sql Server 2017 Configuration Manager - not the management console expected.
I have read Getting Chrome to accept self-signed localhost certificate here, and tried everything there that applies to Windows 10, but nothing works.
Enter “chrome://flags/#allow-insecure-localhost” in your chrome browser and “Allow invalid certificates for resources loaded from localhost.” to bypass the security warning about your self signed certificate.
When i tried to open my site (https://thaimeditationcenter.com/) by Google Chrome on My mac using macOS Sierra Version 10.12 i got an error like this.
Your connection is not private
Attackers might be trying to steal your information from thaimeditationcenter.com
(for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
Automatically report details of possible security incidents to Google. Privacy policy
But when i open it on Firefox , Safari or Google chrome on my Iphone it seems fine there was no error at all.
How can i fix this?
Thanks!
According to SSLLabs your site is not configured properly:
Chain issues Incomplete
This means that a chain certificates is missing. Some browsers cache chain certificates when visiting other sites and therefore can work around this problem. Other browsers try to download the missing chain certificate. The rest will fail because the trust chain cannot be built.
To fix this you need to add the missing chain certificate to your server configuration. While doing that you should probably also fix all the other problems shown by the SSLLabs report which lead to a bad Grade F for your site.
We're using Jetty 9.2.x in the embedded mode in conjunction with Restlet 2.3.1 to develop our application sever. Recently we've enabled support for HTTPS, which utilises a certificated signed by a self-established CA.
Everything seemed to be working correctly when connecting to this server from various web browsers under Linux and Mac operating systems. However, when we expended out testing to machines running Windows 7 and 8 (all machines are on the same LAN), we've discovered that the Chrome browser (ver. 42.x) would not establish a connection, reporting
This web page is not available
ERR_FAILED
The webpage at https://host_name:9999/ might be temporarily down or it may have moved permanently to a new web address.
Trying to analyse TCP/IP messages between the browser and the server suggests that HTTPS handshake does not succeed. Surprisingly, everything works correctly under Windows XP.
Unfortunately, we're not sure how to proceed any further in trying to solve this problem. Any suggestions as to a possible cause or a solution to the described situation?
It has also beed observed that Firefox under Windows 7/8 was able to establish the connection, but did not render the page due to lack of HTML5 imports support. This was confirmed by observing the page source from Firefox.
Edit: Configuring Jetty to use a self-signed certificate resolved the connectivity problem. This suggests that there is some issue with signing a certificate by a self-established CA, which seems to be specific to an operating system/web browser combination.
It has been identified that the originally used certificate was at fault. More specifically, its Common Name contained a value, which was not recognised as a suitable domain name. Generating a new certificate, signed with a self-established CA, but providing a suitable (albeit not registered) domain name in property Common Name has solved the problem.
The very original intent for thus issued certificate was to use it for internal development purposes and not for public consumption. Thus, the Common Name property was entered to reflect the local nature of the certificate (e.g. application-name.local).