Windows 7: The PIN dialog box does not appear when certificate security level set to High

Applies to: Windows 7 Enterprise, Windows 7 Ultimate

Symptoms


Assume that you try to access a Web Distributed Authoring and Versioning (WebDAV) server from a client computer that is running Windows 7 or Windows Server 2008 R2. The WebDAV server requires client certificate authentication with a software certificate (soft token). In this scenario, you encounter the following issue:
  • If the certificate's private key is set up for the High security level, so that the authentication process requires a personal identification number (PIN), the PIN dialog box does not appear and the Explorer View fails.

    Note You can access the WebDAV server if the user certificate's private key does not require the Medium or High security level.
Note This issue occurs only if the application that you use to access the WebDAV server uses the WebClient service. For example, you use Windows Explorer (that is, the 'Explorer View' within Internet Explorer) or SharePoint Designer to access the WebDAV server.

Cause


The WebClient service handles the WebDAV request, and therefore the certificate authentication, in a process separate from the application that the user is working in. The current DAV client architecture implemented in Windows 7 does not allow the PIN to be transferred programmatically across different processes, so the prompt that CryptoAPI raises for a strongly protected private key cannot be satisfied from the user's application.

Microsoft cannot provide a solution for this issue in a hotfix, because fixing it requires major architecture design changes that are beyond the scope of a hotfix.

Resolution


As a workaround, use one of the following:
  • Lower the security restriction on the certificate's private key (see the note in the "Symptoms" section: access works only when the key does not require the Medium or High security level).
  • Use a smart card in combination with the following supported hotfix:
    2647954 The PIN dialog box does not appear or you are presented with all the certificates in the store when you try to access a WebDAV server in Windows 7 or in Windows Server 2008 R2

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information


Information on setting Security Level


Open MMC – Certificates – Current User – Personal – Certificates – context menu: All Tasks – Import… – [File name: certificate.file] –

Type the password for the private key.

Password: [ ********** ]

Select the following check boxes as shown:

[x] Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option.

[ ] mark this key as exportable. This will allow you to back up or transport your keys at a later time.

[x] Include all extended properties.

[Next> ]

Keep the default: (o) Place all certificates in the following store

Certificate Store: Personal

[Next> ]

[Finish]

Importing a new private exchange key

CryptoAPI Private Key

Security level set to Medium [Set Security Level ..]

Select [Set Security Level ..]

Choose a security level appropriate for this item:

(o) High

Request my permission with a password when this item is to be used.

( ) Medium

Request my permission when this item is to be used.

[Next> ]

Create a password to protect this item.

Create a new password for this item.

Password for: [CryptoAPI Private Key ]

Password: [ ]

Confirm: [ ]

[ Finish ]



Importing a new private exchange key

An application is creating a Protected item.

CryptoAPI Private Key

Security level set to High [Set Security Level .. ]

[OK]



Certificate Import Wizard

The import was successful.

[OK]



Now open IE and go to the secure website hosting the DAV share [https://webdav.domain.com/]

Windows Security

Confirm Certificate

YourCertificateName…

Issuer: Company-Bulk_CA-4:PN

[OK]



Grant or deny this application permission to use this key

Key name:

(o) Grant permission

( ) Deny permission

Key protection password: [********** ]
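The import and the check described above, scripted as an added example (this is not from the KB article). The script imports the PFX with the X509KeyStorageFlags.UserProtected flag, which is the programmatic equivalent of the wizard's "Enable strong private key protection" check box and raises the same CryptoAPI "Importing a new private exchange key" dialog in which the user selects Medium or High. It then reports which certificates in the Personal store carry a protected key (the condition that breaks WebClient-based WebDAV access) and shows the state of the WebClient service. The PFX path and the helper function name are assumptions.

```powershell
# Added example, not part of the original KB article.
# Assumed path to the PFX (PKCS#12) file that holds the user certificate and key.
$PfxPath = 'C:\certs\certificate.pfx'
$PfxPassword = Read-Host -AsSecureString -Prompt 'Password for the PFX private key'

# UserProtected  = the wizard's "Enable strong private key protection" check box;
#                  CryptoAPI raises the Medium/High security-level dialog on import.
# PersistKeySet  = keep the key in the user's key container after the import.
# Exportable is deliberately NOT set, matching the unchecked "mark this key as exportable".
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::UserProtected -bor
         [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $PfxPath, $PfxPassword, $flags

# Place the certificate in Current User \ Personal ("My"), as the wizard does by default.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'CurrentUser'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

function Get-ProtectedKeyStatus {
    # Hypothetical helper: one object per Personal certificate that has a private key,
    # with the CryptoAPI key container name and whether the key is under strong protection.
    Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $info = $null
        try {
            # Only CryptoAPI (CSP) keys expose CspKeyContainerInfo; CNG keys throw or
            # return nothing here and are reported as 'unknown'.
            $csp = $_.PrivateKey
            if ($csp -and $csp.CspKeyContainerInfo) { $info = $csp.CspKeyContainerInfo }
        } catch { }

        $container = '(CNG or inaccessible)'
        $protected = 'unknown'
        if ($info) {
            $container = $info.KeyContainerName
            $protected = $info.Protected   # $true when Medium or High protection is set
        }
        New-Object PSObject -Property @{
            Subject      = $_.Subject
            Thumbprint   = $_.Thumbprint
            KeyContainer = $container
            Protected    = $protected
        }
    }
}

# Certificates whose key is Protected = True are the ones that will fail in the
# Explorer View / SharePoint Designer scenario described in this article.
Get-ProtectedKeyStatus | Format-Table Subject, Protected, KeyContainer -AutoSize

# The WebClient service is the separate process that performs the WebDAV request and
# the certificate authentication; confirm it is running when reproducing the symptom.
Get-Service -Name WebClient | Select-Object Name, Status
```

To apply the "lower the security restriction" workaround, re-import the certificate without the UserProtected flag (delete the existing certificate and key first); the Get-ProtectedKeyStatus output should then show Protected = False for that certificate.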


Rapid publishing disclaimer
Microsoft corporation and/or its respective suppliers make no representations about the suitability, reliability, or accuracy of the information and related graphics contained herein. All such information and related graphics are provided "as is" without warranty of any kind. Microsoft and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this information and related graphics, including all implied warranties and conditions of merchantability, fitness for a particular purpose, workmanlike effort, title and non-infringement. You specifically agree that in no event shall Microsoft and/or its suppliers be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever including, without limitation, damages for loss of use, data or profits, arising out of or in any way connected with the use of or inability to use the information and related graphics contained herein, whether based on contract, tort, negligence, strict liability or otherwise, even if Microsoft or any of its suppliers has been advised of the possibility of damages.