|
|
|
The X.509 Client Certificate or Basic authentication scheme allows either Basic authentication or X.509 Client Certificate authentication to establish a user’s identity. For a user to authenticate successfully, one of the following two events must occur:
OR
With this scheme, when a user requests a protected resource, the Web Agent challenges the user’s browser to present a certificate. If the user does not have a certificate or chooses not to provide one (by clicking Cancel), the Web Agent challenges the user with the HTTP Basic protocol to obtain a user name and password.
This scheme is useful when you must gradually deploy X.509 certificates. For example, in a company with 50,000 users, it is a challenge to issue and deploy 50,000 certificates simultaneously. This scheme allows you to issue certificates as you see fit (500 or 5,000 at a time). During this transition period, your resources can be protected with certificates for those users who already have them, allowing other authorized users to access resources based on directory user names and passwords.
This scheme gives you the option of configuring the Basic authentication exchange to require an SSL connection.
Note: If you implement multiple certificate-based authentication schemes that include a mixture of X509 Certificate OR Basic schemes, a browser caching limitation can cause unexpected behavior. When a user chooses not to use the certificate-based authentication for accessing a resource in a realm protected by a Certificate or Basic authentication scheme, the browser automatically caches this decision not to send the certificate. If the same user (using the same browser session) then attempts to access a resource that is protected by an authentication scheme with a mandatory certificate portion, such as X509 Certificate, X509 Certificate and Basic, or X509 Certificate and Form, the user receives a " Forbidden " error message.
Because the user did not send a certificate for the certificate-based authentication when accessing the first resource, and the browser cached that decision, the user is automatically rejected when accessing the realm that requires the certificate.
Users who have valid certificates can be encouraged to use them when accessing resources in a deployment that includes a mixture of realms protected by certificate-based authentication schemes, including X509 Certificate or Basic schemes and other certificate-based schemes that do not give the user a choice about send a certificate for authentication.
| Copyright © 2011 CA. All rights reserved. | Email CA Technologies about this topic |