Event 1073 - Certificate Filtering
Logged Message
Windows Internet Explorer 8 uses Certificate Filtering to select the appropriate certificate for client authentication. In Internet Explorer 8, this feature has been improved to remove certificates that are likely to be rejected by the server. For instance, explicitly untrusted certificate chains or certificates not associated with a private key will not show up in the list.
What Is It?
Internet Explorer 8 includes better certificate selection logic than previous versions of the browser. When a client certificate is called for, Internet Explorer presents the user with only those usable certificates that apply to the immediate situation. In many cases, the list of certificates can be automatically reduced to a single one, eliminating the need for the user to make a choice at all.
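To preview which certificates in the current user's personal store meet the two criteria named above (an associated private key and no explicitly untrusted chain), a PowerShell function such as the following can be used. It is an added example, not Microsoft's code, and it only approximates the filter; the function name Test-ClientCertCandidate is hypothetical.

```powershell
# Added example: approximates the two filter criteria named on this page.
# It is not Internet Explorer's own selection logic.
function Test-ClientCertCandidate {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Skip revocation lookups so the check runs offline.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($Certificate)

        # Collect the status flags reported for the chain.
        $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $distrust =
            [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::ExplicitDistrust

        # Record each reason the certificate would be dropped from the list.
        $reasons = @()
        if (-not $Certificate.HasPrivateKey) { $reasons += 'no private key' }
        if ($statuses -contains $distrust)   { $reasons += 'explicitly untrusted chain' }

        # Enhanced key usages are shown for context only; the page does not
        # name them as a filter criterion.
        $eku = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            HasPrivateKey = $Certificate.HasPrivateKey
            KeyUsages     = ($eku -join ', ')
            Candidate     = ($reasons.Count -eq 0)
            Reasons       = ($reasons -join '; ')
        }
        $chain.Reset()
    }
}

# Evaluate every certificate in the current user's personal store.
Get-ChildItem Cert:\CurrentUser\My | Test-ClientCertCandidate | Format-Table -AutoSize
```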
When Is This Event Logged?
This event is logged when certificate-based authentication occurs as you attempt to access a secured resource.
Example
Perform the following steps to see this event logged in the Internet Explorer Compatibility Test Tool:
Note: These steps require Microsoft Internet Information Services (IIS) 7.
1. Open Control Panel > Administrative Tools > Internet Information Services (IIS) Manager.
2. Create a test certificate: select the server node in the tree view and double-click the Server Certificates feature in the list view.
3. Click Create Self-Signed Certificate in the Actions pane.
4. Enter a friendly name for the new certificate and click OK. You now have a self-signed certificate. The certificate is marked for "Server Authentication" use, that is, use as a server-side certificate for HTTP Secure Sockets Layer (SSL) encryption and for authenticating the identity of the server.
5. Create an SSL binding: select the Default Web Site in the left-hand tree view pane and click Bindings in the right Actions pane.
6. In the Site Bindings dialog box, click Add.
7. In the Add Site Binding dialog box, select https in the Type drop-down list, and then select the self-signed certificate you created earlier from the SSL Certificate drop-down list. When you're done, the new https binding appears in the Site Bindings dialog box.
8. Create a directory called SecureSite in C:\Inetpub\wwwroot.
9. In IIS Manager, right-click the Default Web Site node in the tree view and select Add Application.
10. Create the new application called SecureSite with the following path:
    \inetpub\wwwroot\SecureSite
11. In IIS Manager, select SecureSite. In the central pane under IIS, select SSL Settings.
12. In SSL Settings, select Require SSL and, under Client Certificates, select Accept, and then click Apply.
13. Browse to:
    https://localhost/SecureSite
14. On the warning page that appears, click Continue to this website (not recommended).
This action causes Internet Explorer to log the event.
Remediation
You can change Certificate Filtering to use the old mechanism by using a feature control registry key (FEATURE_CLIENTAUTHCERTFILTER). Internet Explorer (Iexplore.exe) needs to run under this feature control for the change to take effect, which can be achieved by adding the following registry key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl
FEATURE_CLIENTAUTHCERTFILTER = 0x0000002
Generally, there's no reason to go back to the old certificate selection behavior. Unless this is causing a specific issue in your application, leave the default behavior as it is.