Basic LDAP with Crypto API and Internet Explorer

We have set up a Squid box to authenticate users using the Basic LDAP scheme. Access from Internet Explorer to most sites works fine, but certificate revocation checks in Internet Explorer are failing. Why?

When a user tries to access a remote site, Internet Explorer shows a pop-up box asking the user to authenticate. After typing correct credentials into that box the user is able to browse the site.

Each time an HTTPS server is accessed, Internet Explorer tries to validate the certificate the server presented using online validation checks (CRL download or OCSP, for example). Unfortunately this is done by the Microsoft Crypto API and not by IE itself. The Microsoft Crypto API cannot show a pop-up to the user and therefore never answers the proxy's authentication challenge, so the revocation check fails.

This is clearly visible in the following sample certificate validation request in Wireshark:

GET http://crl4.digicert.com/sha2-ha-server-g4.crl HTTP/1.1\r\n
Accept: */*\r\n
User-Agent: Microsoft-CryptoAPI/6.1\r\n
Proxy-Connection: Keep-Alive\r\n
Host: crl4.digicert.com\r\n
\r\n

Searching Google turns up the following two articles.

Recommendations

  1. Use Kerberos as the method of AD authentication (recommended). Kerberos authentication is performed by the Windows security subsystem without any user interaction, so Crypto API requests are authenticated as well.

  2. Bypass authentication for the Microsoft Crypto API. In order to do that, add "Microsoft-CryptoAPI/6.1" as a User Agent bypass string in UI / Squid / User Agent. Please note it is very easy to forge this value: any client that sends this User-Agent header will get through the proxy without authenticating.
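As an added illustration (not configuration from the original page or from any product UI), the squid.conf equivalent of recommendation 2, narrowed so that the unauthenticated bypass only covers what Crypto API actually needs. It assumes the Basic LDAP auth_param lines are already present, and it goes beyond the page's single value by matching any Microsoft-CryptoAPI version and by limiting the bypass to CRL downloads and OCSP queries rather than the whole web:

```conf
# --- Weak form (what a plain "User Agent bypass" does) ---
# acl cryptoapi browser ^Microsoft-CryptoAPI/
# http_access allow cryptoapi
# Anyone who sets this User-Agent header browses without credentials.

# --- Narrowed form ---
# Crypto API identifies itself as "Microsoft-CryptoAPI/<os version>";
# the regex covers 6.1 from the capture above and other versions.
acl cryptoapi browser ^Microsoft-CryptoAPI/

# Revocation data is fetched over plain HTTP, never CONNECT/HTTPS.
acl plain_http proto HTTP

# CRL files end in .crl (assumed convention, matches the capture).
acl crl_path urlpath_regex -i \.crl$

# OCSP queries are POSTed with this content type (RFC 6960).
acl ocsp_post req_mime_type ^application/ocsp-request$

# Optional: pin the bypass to the CAs' distribution hosts actually
# seen in the logs (example host taken from the capture above).
acl crl_hosts dstdomain .digicert.com

# Must come BEFORE the proxy_auth rule, otherwise Squid sends a 407
# challenge that Crypto API can never answer.
http_access allow cryptoapi plain_http crl_hosts crl_path
http_access allow cryptoapi plain_http crl_hosts ocsp_post

# Everyone else, including a forged User-Agent hitting other URLs,
# still has to authenticate against LDAP.
acl ldap_users proxy_auth REQUIRED
http_access allow ldap_users
http_access deny all
```

Forging the header now only buys an attacker unauthenticated access to .crl files and OCSP endpoints on the listed CA hosts, which is public data anyway; the bypassed requests still appear in access.log with a "-" username, so they can be reviewed for unexpected destinations.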