Previous Topic: X.509 Client Certificate and HTML Forms Authentication SchemesNext Topic: X.509 Client Certificate or HTML Forms Scheme Prerequisites


X.509 Client Certificate or HTML Forms Authentication Schemes

he X.509 Client Certificate or HTML Forms authentication scheme allows either HTML Forms authentication or X.509 Client Certificate authentication to establish a user identity. For a user to authenticate successfully, one of the following two events must occur:

When a user requests a protected resource, the Web Agent challenges the browser to present a certificate. The scheme has the following effect:

If...

then...

A certificate is presented

The certificate is processed

The certificate is not accepted

The browser issues error 500

No certificate is presented

The browser presents a form

The form is rejected

The browser prompts again for a form

This scheme is useful if you must deploy X.509 certificates gradually. For example, in a company with 50,000 users, it is a challenge to issue and deploy 50,000 certificates simultaneously. This scheme allows you to issue certificates as you see fit (500 or 5,000 at a time). During this transition period, your resources can be protected with certificates for those users who already have them, allowing other authorized users to access resources based on HTML forms credentials.

Note: If you implement multiple certificate-based authentication schemes that include a mixture of X509 Certificate OR Forms schemes, a browser caching limitation may cause unexpected behavior. When a user does not use the certificate-based authentication for accessing a resource in a realm protected by a Certificate or Forms authentication scheme, the browser automatically caches this decision. If the same user (using the same browser session) then attempts to access a resource that is protected by an authentication scheme with a mandatory certificate portion, such as X509 Certificate, X509 Certificate and Basic, or X509 Certificate and Form, the user receives a " Forbidden " error message.

Because the user chose not to send a certificate for the certificate-based authentication when accessing the first resource, and the browser cached that decision, the user is automatically rejected when accessing the realm that requires the certificate.

Encourage users who have valid certificates to use them when accessing resources in a deployment that includes a mixture of realms protected by certificate-based authentication schemes that include X509 Certificate or Forms schemes and other certificate-based schemes that do not allow a user to choose whether to send a certificate for authentication.

More information:

X.509 Client Certificate Authentication Schemes