Discussion:
WinInet error 12046 - ERROR_INTERNET_CLIENT_AUTH_NOT_SETUP
(too old to reply)
D.J. Heap
2005-03-17 15:33:09 UTC
Permalink
We have an application that has been working fine for months, but that
is now getting this error (on a SetOption for
INTERNET_OPTION_CLIENT_CERT_CONTEXT call in the MFC WinInet wrapper for
CHttpFile) when we are trying to assign a client certificate to a session.

The machines have been locked down fairly tightly, and since it works
fine on other nearly identical machines it seems obvious it is some
security setting or something similar somewhere, but we have tried
numerous settings in Windows and IE and not been able to find the
correct one.

Simply browsing to the site with IE correctly brings up the 'choose
client certificate' dialog and works fine.

Google searches turn up nothing but the description for the error which is:

ERROR_INTERNET_CLIENT_AUTH_NOT_SETUP
12046
Client authorization is not set up on this computer.

Does anyone know why this error occurs (the setting or option or
whatever) and how to correct it?

Thanks!

DJ
TxITGuy
2005-03-17 18:25:02 UTC
Permalink
This means that the server you are contacting expects your computer to prove
that its current user is who they claim to be by sending a client
certificate. If the current user has not purchased such a certificate and
installed it on that computer, then you get this error.

To correct the problem, either locate and install the correct certificate,
or disable client authentication on the web server.

Ben
Post by D.J. Heap
We have an application that has been working fine for months, but that
is now getting this error (on a SetOption for
INTERNET_OPTION_CLIENT_CERT_CONTEXT call in the MFC WinInet wrapper for
CHttpFile) when we are trying to assign a client certificate to a session.
The machines have been locked down fairly tightly, and since it works
fine on other nearly identical machines it seems obvious it is some
security setting or something similar somewhere, but we have tried
numerous settings in Windows and IE and not been able to find the
correct one.
Simply browsing to the site with IE correctly brings up the 'choose
client certificate' dialog and works fine.
ERROR_INTERNET_CLIENT_AUTH_NOT_SETUP
12046
Client authorization is not set up on this computer.
Does anyone know why this error occurs (the setting or option or
whatever) and how to correct it?
Thanks!
DJ
D.J. Heap
2005-03-17 22:21:07 UTC
Permalink
I must not have explained the problem clearly...the certificate is on
the machine in the Personal store and works fine with the browser. The
application also works great on many many other nearly identical machines.

It is not the error you get when you don't have a cert -- that is
ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED.

We are getting ERROR_INTERNET_CLIENT_AUTH_NOT_SETUP as we call the
MFC/WinInet SetOption function to assign the client cert to the session.

The machines have been locked down pretty tightly, so I suspect it's a
machine security setting or perhaps a missing component...but we have
been unable to find any information on this error at all aside from the
unhelpful description.

Does anyone have any docs or references that may shed any light? Do MS
folks frequent these forums at all anymore?

Thanks!

DJ
Post by TxITGuy
This means that the server you are contacting expects your computer to prove
that its current user is who they claim to be by sending a client
certificate. If the current user has not purchased such a certificate and
installed it on that computer, then you get this error.
To correct the problem, either locate and install the correct certificate,
or disable client authentication on the web server.
Ben
Post by D.J. Heap
We have an application that has been working fine for months, but that
is now getting this error (on a SetOption for
INTERNET_OPTION_CLIENT_CERT_CONTEXT call in the MFC WinInet wrapper for
CHttpFile) when we are trying to assign a client certificate to a session.
The machines have been locked down fairly tightly, and since it works
fine on other nearly identical machines it seems obvious it is some
security setting or something similar somewhere, but we have tried
numerous settings in Windows and IE and not been able to find the
correct one.
Simply browsing to the site with IE correctly brings up the 'choose
client certificate' dialog and works fine.
ERROR_INTERNET_CLIENT_AUTH_NOT_SETUP
12046
Client authorization is not set up on this computer.
Does anyone know why this error occurs (the setting or option or
whatever) and how to correct it?
Thanks!
DJ
Stephen Sulzer
2005-03-19 10:55:18 UTC
Permalink
Just to confirm, are you getting the CLIENT_AUTH_NOT_SETUP error setting
INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
or
INTERNET_OPTION_CLIENT_CERT_CONTEXT ?

If you get this error setting the SECURITY_SELECT_CLIENT_CERT option, then
it means that there is currently no client certificate associated with the
request handle. Setting the SELECT_CLIENT_CERT option assumes there are one
or more client certificates associated with the request handle (e.g.,
supplied using the CLIENT_CERT_CONTEXT option).

If you are getting the error when setting the CLIENT_CERT_CONTEXT option,
then the problem is more difficult to diagnose. What version of Internet
Explorer (including service pack level) is this happening on? When you get
the error, is your application running in the same context as a regular
user? (That is, your application is started by the logged-on user, and is
not running as an NT service?)

- Stephen
D.J. Heap
2005-03-20 01:14:57 UTC
Permalink
Yes, we are doing a CLIENT_CERT_CONTEXT and getting the
CLIENT_AUTH_NOT_SETUP.

The application is a normal GUI app started by the logged on user (not a
service) who is a local administrator..

The 2 machines that are getting the error are running Win2k (latest SP) and
IE6 -- I don't think any IE SP is installed, although I'm not positive -- I
had already asked them to update to the latest IE6 by Monday so I will check
that. But since I couldn't find any KB articles or hotfixes mentioning this
error I wasn't confident it would really help. Were there knowns issues
with these symptoms?

Thanks!

DJ
Post by Stephen Sulzer
Just to confirm, are you getting the CLIENT_AUTH_NOT_SETUP error setting
INTERNET_OPTION_SECURITY_SELECT_CLIENT_CERT
or
INTERNET_OPTION_CLIENT_CERT_CONTEXT ?
If you get this error setting the SECURITY_SELECT_CLIENT_CERT option, then
it means that there is currently no client certificate associated with the
request handle. Setting the SELECT_CLIENT_CERT option assumes there are
one or more client certificates associated with the request handle (e.g.,
supplied using the CLIENT_CERT_CONTEXT option).
If you are getting the error when setting the CLIENT_CERT_CONTEXT option,
then the problem is more difficult to diagnose. What version of Internet
Explorer (including service pack level) is this happening on? When you
get the error, is your application running in the same context as a
regular user? (That is, your application is started by the logged-on user,
and is not running as an NT service?)
- Stephen
Stephen Sulzer
2005-03-22 07:08:48 UTC
Permalink
I am not aware of any known issues related to the CLIENT_AUTH_NOT_SETUP
error, and there is little to none information about this error on the web,
that I can find, unfortunately.

Try IE6 SP1 on those Win2K machines and see if that helps.

Does the CLIENT_AUTH_NOT_SETUP error occur the very first time your client
application sets the CLIENT_CERT_CONTEXT option?

The very first time WinInet needs to do something with SSL or client
certificates, it needs to load some Windows DLLs, such as crypt32.dll,
schannel.dll and wintrust.dll. I wonder if the problem is related to loading
and initializing one of these DLLs. Presumably, your application already has
at least crypt32.dll loaded in order to load a certificate from the Personal
certificate store, correct ?

Also, when does your application set the CLIENT_CERT_CONTEXT option?
1) before sending the HTTPS/SSL request, or
2) after receiving an ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED (12044)
error? (Then setting the option and resending the request.)

If your code is currently doing #1, try #2 instead. I can understand that
#1 provides a nice optimization: avoiding the first HTTPS/SSL request
round-trip which the client knows is going to fail.

That's all the ideas I have. If the problem persists, you will need to
contact Microsoft PSS for help.

- Stephen
D.J. Heap
2005-03-22 18:53:22 UTC
Permalink
Yes, we get CLIENT_AUTH_NOT_SETUP the first time we try to set the
CLIENT_CERT_CONTEXT option and we have already successfully loaded the
certificate.

We are setting the CLIENT_CERT_CONTEXT option before sending the request
precisely to avoid the inital failure you mentioned, but we can change
the code to do it later if upgrading the machines to the latest IE6 does
not help. The IE6 update has not been done yet, so I'm waiting for the
results of that.

I will follow up with any more info once I have it (probably in a few
days), and take it up with PSS if we're still not working.

Thanks very much for your info and help!

DJ
Post by Stephen Sulzer
I am not aware of any known issues related to the CLIENT_AUTH_NOT_SETUP
error, and there is little to none information about this error on the web,
that I can find, unfortunately.
Try IE6 SP1 on those Win2K machines and see if that helps.
Does the CLIENT_AUTH_NOT_SETUP error occur the very first time your client
application sets the CLIENT_CERT_CONTEXT option?
The very first time WinInet needs to do something with SSL or client
certificates, it needs to load some Windows DLLs, such as crypt32.dll,
schannel.dll and wintrust.dll. I wonder if the problem is related to loading
and initializing one of these DLLs. Presumably, your application already has
at least crypt32.dll loaded in order to load a certificate from the Personal
certificate store, correct ?
Also, when does your application set the CLIENT_CERT_CONTEXT option?
1) before sending the HTTPS/SSL request, or
2) after receiving an ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED (12044)
error? (Then setting the option and resending the request.)
If your code is currently doing #1, try #2 instead. I can understand that
#1 provides a nice optimization: avoiding the first HTTPS/SSL request
round-trip which the client knows is going to fail.
That's all the ideas I have. If the problem persists, you will need to
contact Microsoft PSS for help.
- Stephen
D.J. Heap
2005-04-27 16:46:55 UTC
Permalink
For the record, we were not able to test updating to the latest SP and IE on
the win2k machines that did not work. The client nuked the machines and
installed XP before trying the updates.

DJ
Post by D.J. Heap
Yes, we get CLIENT_AUTH_NOT_SETUP the first time we try to set the
CLIENT_CERT_CONTEXT option and we have already successfully loaded the
certificate.
We are setting the CLIENT_CERT_CONTEXT option before sending the request
precisely to avoid the inital failure you mentioned, but we can change the
code to do it later if upgrading the machines to the latest IE6 does not
help. The IE6 update has not been done yet, so I'm waiting for the
results of that.
I will follow up with any more info once I have it (probably in a few
days), and take it up with PSS if we're still not working.
Thanks very much for your info and help!
DJ
Continue reading on narkive:
Search results for 'WinInet error 12046 - ERROR_INTERNET_CLIENT_AUTH_NOT_SETUP' (Questions and Answers)
5
replies
how to access Internet throw mobile phone to PC? pls tell me names of mobiles?
started 2007-03-13 04:14:49 UTC
internet
Loading...