consoll
asked on
DRM license request using SSL client certificate - fails
We are running IIS 6.0 on Windows Server 6.0. And use Windows Media Player (WMP) 11 as client.
We have set up a DRM License Provider Service (license server) that issues DRM licenses upon requests from WMP (a .NET web-app). WMP requests a license from the this server when it tries to play our DRM protected media content.
Before issuing a license, we wish to authenticate the client using an SSL client certificate. So we create a CA-certificate which we install on the server. Then we install a client certificate signed by this CA on the client. Using Internet Explorer (IE) 6 or 7 we can access our web with no problem. The Client Authentication dialog box pops up, we select our client certificate, and get access to resources on the license server.
When WMP pops up a browser window to acquire a DRM license however, the SSL process seems to fail. We only get a page announcing: "HTTP Error 403.7 - Forbidden: SSL client certificate is required." The Client Authentication dialog box never pops up. This is tested with WMP 11.
I have tried the remedies suggested in http://support.microsoft.com/kb/332077, with no luck.
We have set up a DRM License Provider Service (license server) that issues DRM licenses upon requests from WMP (a .NET web-app). WMP requests a license from the this server when it tries to play our DRM protected media content.
Before issuing a license, we wish to authenticate the client using an SSL client certificate. So we create a CA-certificate which we install on the server. Then we install a client certificate signed by this CA on the client. Using Internet Explorer (IE) 6 or 7 we can access our web with no problem. The Client Authentication dialog box pops up, we select our client certificate, and get access to resources on the license server.
When WMP pops up a browser window to acquire a DRM license however, the SSL process seems to fail. We only get a page announcing: "HTTP Error 403.7 - Forbidden: SSL client certificate is required." The Client Authentication dialog box never pops up. This is tested with WMP 11.
I have tried the remedies suggested in http://support.microsoft.com/kb/332077, with no luck.
Last Comment
ASKER
I can't find the tool IISCA in <%SystemRoot%>\System32\In
ASKER
A strange thing here is that after having accessed the protected page through the Media Player's DRM license window, trying to access the page through IE 6 also fails with the same 403.7 error ! As mentionned in the initial post this does not fail when accessing the page directly (in freshly opened IE).
ASKER
I have discovered that one can avoid this "bug" (if it is indeed a bug...) by unchecking the "Acquire licenses automatically for protected content" option in MediaPlayer in the Privacy tab (on WMP 9, similar on 10 I think). In WMP 10 this results in a warning being shown to the user when a media requires a license. The user must confirm that a third party site should be contacted to retrieve license. If the user confirms, the media player contacts the site and client side certificate authentication works.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup Zone:
PAQ - Refund
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
cj_1969 - Experts Exchange Cleanup Volunteer
I will leave the following recommendation for this question in the Cleanup Zone:
PAQ - Refund
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
cj_1969 - Experts Exchange Cleanup Volunteer
ASKER
I have worked on this and found that there probably is no real solution. What happens is:
1. MediaPlayer (MP) sees that a media resource requires a license. It reads the license acquisition url.
2. MP tries to retrieve a license by silent delivery, ie with no user interaction. A request is sent to license server (at acquisition url).
3. The license server is set up to require client side authentication. It therefore responds with a client certificate request (not quite into the details and terminology of ssl handshake here, but I think this should give the general picture).
4. MP does not respond to this request (which is the cause of the whole problem). MP does not recognize the response as a license so it pops up an IE window and sends the same request (license challenge) again, this time for a non-silent delivery. The server is not very impressed with this client that seems to be ignoring its request for a client certificate, and gives an error message.
I have found a work-around to the problem: I now let the first page that the MediaPlayer request be unprotected (this is the license acquisition url), so that it is correctly displayed in the IE popup. This page merely redirects the client to the protected page. Now we are in an IE window and the client therefore responds correctly to the servers client certificate request.
1. MediaPlayer (MP) sees that a media resource requires a license. It reads the license acquisition url.
2. MP tries to retrieve a license by silent delivery, ie with no user interaction. A request is sent to license server (at acquisition url).
3. The license server is set up to require client side authentication. It therefore responds with a client certificate request (not quite into the details and terminology of ssl handshake here, but I think this should give the general picture).
4. MP does not respond to this request (which is the cause of the whole problem). MP does not recognize the response as a license so it pops up an IE window and sends the same request (license challenge) again, this time for a non-silent delivery. The server is not very impressed with this client that seems to be ignoring its request for a client certificate, and gives an error message.
I have found a work-around to the problem: I now let the first page that the MediaPlayer request be unprotected (this is the license acquisition url), so that it is correctly displayed in the IE popup. This page merely redirects the client to the protected page. Now we are in an IE window and the client therefore responds correctly to the servers client certificate request.
ASKER CERTIFIED SOLUTION
THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASP.NET
The successor to Active Server Pages, ASP.NET websites utilize the .NET framework to produce dynamic, data and content-driven web applications and services. ASP.NET code can be written using any .NET supported language. As of 2009, ASP.NET can also apply the Model-View-Controller (MVC) pattern to web applications
128K
Questions
--
Followers
--
Top Experts
Get a personalized solution from industry experts
TRUSTED BY
The Internet Explorer client certificate and the Internet Information Server (IIS) client certificate need to be synchronized.
Run the following three commands from a command prompt in the <%SystemRoot%>\System32\In
IISCA
Net Stop IISAdmin /y
Net Start W3SVC