{"id":11298,"date":"2020-07-27T17:20:18","date_gmt":"2020-07-27T15:20:18","guid":{"rendered":"https:\/\/www.xiting.de\/?p=11298"},"modified":"2026-02-13T17:42:56","modified_gmt":"2026-02-13T16:42:56","slug":"cba-microsoft-edge","status":"publish","type":"post","link":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/","title":{"rendered":"CBA (certificate-based authentication): Why this feature in the new Edge browser is so useful"},"content":{"rendered":"\n<p>With CBA (certificate-based authentication), users can authenticate with a client certificate. The certificate is used in place of a user name and password. With certificate-based authentication, administrators can give their users access to SAP and non-SAP resources without any credentials having to be entered. So far, so good!<\/p>\n\n\n\n<p>In my past SAP security projects I have repeatedly seen the following specific problem arise during (and sometimes after) the rollout of SAP Single Sign-On based on X.509 certificates:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>The company's clients log on to SAP with a TLS client certificate.<\/li><li>The SAP Secure Login Server issues temporary certificates for this purpose.<\/li><li>The Secure Login Server is operated as Sub CA 1 under the existing Corporate Root CA.<\/li><li>To secure the WLAN infrastructure (802.1x EAP-TLS), the company now provides users with an additional user certificate via auto-enrollment.<\/li><li>The issuer of this WLAN certificate is Sub CA 2 of the existing Corporate Root CA.<\/li><li>Because of their respective requirements, both certificates carry the properties needed for TLS client authentication, in particular the EKU \u201cClient 
Authentication\u201d.<\/li><\/ul>\n\n\n\n<p><strong>And there we have the mess!<\/strong><\/p>\n\n\n\n<p>On the client, this situation leads to a usability problem that can get very unpleasant. The browser (or, to be precise, the TLS-capable web application server) accepts both certificates as usable TLS client authentication certificates. When the user now opens their Fiori Launchpad, for example, a selection dialog appears. To make matters worse, the two certificates are usually hard to tell apart in the selection dialog. It becomes a problem when the SAP user (accidentally) picks the WLAN certificate: the logon screen then appears, which is not what was intended.<\/p>\n\n\n\n<p>I described this problem, along with possible solutions, in a blog post in May 2019. You can find the post <a href=\"https:\/\/www.xiting.us\/sap-single-sign-on-insider-tips-volume-5\/\">here<\/a>.<\/p>\n\n\n\n<p>Back then we could not find a way to restrict or control certificate selection through a browser (Internet Explorer, Chrome). The new Microsoft Edge browser is based on Chrome and was released in January 2020. This version can be configured using policies (GPO).<\/p>\n\n\n\n<p>Nothing thrillingly new in itself, but it put me on the right track. The background here, too, was a customer project in which the company used a central TLS client authentication certificate. However, the new Edge browser is a bit \u201cfussy\u201d here and requires a specific policy, AutoSelectCertificateForUrls, to be actively configured; otherwise no automatic selection is performed for any site. This nice feature therefore gives us the solution to our problem. 
Based on URL patterns, the Microsoft Edge browser can automatically select the correct client certificate for a list of websites when the site requests one. Wonderful!<\/p>\n\n\n\n<p>I am sharing my findings with you in this blog post; perhaps someone googling for a solution will come across it!<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-der-testaufbau\">The test setup<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-clientsystem-windows-10-client-pc\"><strong>Client system: Windows 10 client PC<\/strong><\/h3>\n\n\n\n<p>Provisioning of a user certificate in the Windows certificate store<\/p>\n\n\n\n<p>The certificate was issued by an SAP Secure Login Server, but that does not matter, since the settings shown here work with any certificate.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1143\" height=\"343\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_1-1.png\" alt=\"\" class=\"wp-image-11339\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_1-1.png 1143w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_1-1-300x90.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_1-1-1024x307.png 1024w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_1-1-768x230.png 768w\" sizes=\"(max-width: 1143px) 100vw, 1143px\" \/><\/figure>\n\n\n\n<p><strong>Target system: SAP NW AS ABAP<\/strong><\/p>\n\n\n\n<p><strong>URL: <\/strong><a href=\"https:\/\/icm.sapnwsso.local:50444\/sap\/bc\/gui\/sap\/its\/webgui?sap-client=001&amp;sap-language=DE\">https:\/\/icm.sapnwsso.local:50444\/sap\/bc\/gui\/sap\/its\/webgui?sap-client=001&amp;sap-language=DE<\/a><\/p>\n\n\n\n<p>The target system is configured for authentication with client certificates.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img 
decoding=\"async\" width=\"1188\" height=\"424\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_2-1.png\" alt=\"\" class=\"wp-image-11352\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_2-1.png 1188w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_2-1-300x107.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_2-1-1024x365.png 1024w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_2-1-768x274.png 768w\" sizes=\"(max-width: 1188px) 100vw, 1188px\" \/><\/figure>\n\n\n\n<p><strong>User certificate: CN=COLT, OU=Demo, O=Xiting GmbH, C=DE<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"835\" height=\"460\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_3.png\" alt=\"\" class=\"wp-image-11341\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_3.png 835w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_3-300x165.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_3-768x423.png 768w\" sizes=\"(max-width: 835px) 100vw, 835px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-das-nachgestellte-problemverhalten\">Reproducing the problem behaviour<\/h2>\n\n\n\n<p>As soon as the URL is opened, Edge shows the certificate selection dialog even though only one matching certificate exists.<\/p>\n\n\n\n<p>Exactly: in the problem scenario, all matching TLS certificates would be displayed at precisely this point and the user would have to make the choice.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1905\" height=\"746\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_4.png\" alt=\"\" class=\"wp-image-11343\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_4.png 1905w, 
https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_4-300x117.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_4-1024x401.png 1024w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_4-768x301.png 768w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_4-1536x601.png 1536w\" sizes=\"(max-width: 1905px) 100vw, 1905px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-technischer-hintergrund-der-policy-beschreibung-von-microsoft\">Technical background of the policy: description from Microsoft<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-autoselectcertificateforurls\"><strong>AutoSelectCertificateForUrls<\/strong><\/h3>\n\n\n\n<p>Policy Name: <strong>AutoSelectCertificateForUrls<\/strong><\/p>\n\n\n\n<p>Description: Automatically select client certificates for these sites<\/p>\n\n\n\n<p>Policy Path: Microsoft Edge\\Content settings<\/p>\n\n\n\n<p>Compatibility: Microsoft Edge version 77 Windows 7 or later<\/p>\n\n\n\n<p>Machine: Yes | HKLM\\Software\\Policies\\Microsoft\\Edge\\AutoSelectCertificateForUrls<\/p>\n\n\n\n<p>User: Yes | HKCU\\Software\\Policies\\Microsoft\\Edge\\AutoSelectCertificateForUrls<\/p>\n\n\n\n<p>Specify a list of sites, based on URL patterns, for which Microsoft Edge should automatically select a client certificate, if the site requests one.<\/p>\n\n\n\n<p>The value must be an array of stringified JSON dictionaries. Each dictionary must have the form { &quot;pattern&quot;: &quot;$URL_PATTERN&quot;, &quot;filter&quot; : $FILTER }, where $URL_PATTERN is a content setting pattern. 
$FILTER restricts from which client certificates the browser will automatically select.<\/p>\n\n\n\n<p>Independent of the filter, only certificates will be selected that match the server&#8217;s certificate request. For example, if $FILTER has the form { &quot;ISSUER&quot;: { &quot;CN&quot;: &quot;$ISSUER_CN&quot; } }, additionally only client certificates are selected that are issued by a certificate with the CommonName $ISSUER_CN.<\/p>\n\n\n\n<p>If $FILTER contains an &quot;ISSUER&quot; and a &quot;SUBJECT&quot; section, a client certificate must satisfy both conditions to be selected. If $FILTER specifies an organization (&quot;O&quot;), a certificate must have at least one organization which matches the specified value to be selected. If $FILTER specifies an organization unit (&quot;OU&quot;), a certificate must have at least one organization unit which matches the specified value to be selected. If $FILTER is the empty dictionary {}, the selection of client certificates is not additionally restricted.<\/p>\n\n\n\n<p>If you don&#8217;t configure this policy, auto-selection isn&#8217;t done for any site.<\/p>\n\n\n\n<p><strong>EXAMPLES<\/strong><\/p>\n\n\n\n<p>SOFTWARE\\Policies\\Microsoft\\Edge\\AutoSelectCertificateForUrls\\1 = {&quot;pattern&quot;:&quot;https:\/\/www.contoso.com&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;certificate issuer name&quot;, &quot;L&quot;: &quot;certificate issuer location&quot;, &quot;O&quot;: &quot;certificate issuer org&quot;, &quot;OU&quot;: &quot;certificate issuer org unit&quot;}, &quot;SUBJECT&quot;:{&quot;CN&quot;:&quot;certificate subject name&quot;, &quot;L&quot;: &quot;certificate subject location&quot;, &quot;O&quot;: &quot;certificate subject org&quot;, &quot;OU&quot;: &quot;certificate subject org unit&quot;}}}<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-konfiguration-microsoft-edge-mittels-richtlinien\">Configuring Microsoft Edge 
via policies<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-download-der-admx-templates-fur-edge\"><strong>Downloading the ADMX templates for Edge<\/strong><\/h3>\n\n\n\n<p>More information can be found here, for example: <a href=\"https:\/\/www.prajwaldesai.com\/admx-templates-for-microsoft-edge\/\">https:\/\/www.prajwaldesai.com\/admx-templates-for-microsoft-edge\/<\/a><\/p>\n\n\n\n<p>Creating a new GPO<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"614\" height=\"292\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_5.png\" alt=\"\" class=\"wp-image-11345\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_5.png 614w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_5-300x143.png 300w\" sizes=\"(max-width: 614px) 100vw, 614px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1387\" height=\"610\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_6.png\" alt=\"\" class=\"wp-image-11347\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_6.png 1387w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_6-300x132.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_6-1024x450.png 1024w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_6-768x338.png 768w\" sizes=\"(max-width: 1387px) 100vw, 1387px\" \/><\/figure>\n\n\n\n<p>Configured rule: <strong>{&quot;pattern&quot;:&quot;https:\/\/icm.sapnwsso.local&quot;,&quot;filter&quot;:{&quot;ISSUER&quot;:{&quot;CN&quot;:&quot;SSO3 SLS User-CA&quot;}, &quot;SUBJECT&quot;:{&quot;O&quot;: &quot;Xiting GmbH&quot;}}}<\/strong><\/p>\n\n\n\n<p>Result: The user certificate must contain <strong>O=Xiting GmbH<\/strong> and must have been issued by the issuing CA <strong>SSO3 SLS User-CA<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" 
id=\"h-finaler-test-am-client\">Final test on the client<\/h2>\n\n\n\n<p>Applying the policy<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"725\" height=\"129\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_7.png\" alt=\"\" class=\"wp-image-11349\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_7.png 725w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_7-300x53.png 300w\" sizes=\"(max-width: 725px) 100vw, 725px\" \/><\/figure>\n\n\n\n<p>Checking the policy<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"896\" height=\"484\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_8.png\" alt=\"\" class=\"wp-image-11360\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_8.png 896w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_8-300x162.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_8-768x415.png 768w\" sizes=\"(max-width: 896px) 100vw, 896px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1150\" height=\"412\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_9.png\" alt=\"\" class=\"wp-image-11358\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_9.png 1150w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_9-300x107.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_9-1024x367.png 1024w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_9-768x275.png 768w\" sizes=\"(max-width: 1150px) 100vw, 1150px\" \/><\/figure>\n\n\n\n<p>Test 1: Opening a different website for which no policy exists.<\/p>\n\n\n\n<p>Result: 
Certificate selection dialog (!)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1185\" height=\"442\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_10.png\" alt=\"\" class=\"wp-image-11356\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_10.png 1185w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_10-300x112.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_10-1024x382.png 1024w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_10-768x286.png 768w\" sizes=\"(max-width: 1185px) 100vw, 1185px\" \/><\/figure>\n\n\n\n<p>Test 2: Opening the desired website<\/p>\n\n\n\n<p>Result: Automatic logon (!)<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1401\" height=\"356\" src=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_11.png\" alt=\"\" class=\"wp-image-11354\" srcset=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_11.png 1401w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_11-300x76.png 300w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_11-1024x260.png 1024w, https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/cba_edge_11-768x195.png 768w\" sizes=\"(max-width: 1401px) 100vw, 1401px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>With CBA (certificate-based authentication), users can authenticate with a client certificate. The certificate is used in place of a user name and password. 
With certificate-based authentication, administrators can give their users access to SAP and non-SAP resources without any credentials having to be entered. So far, so good! In my SAP security projects [&hellip;]<\/p>\n","protected":false},"author":9,"featured_media":11249,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[1826],"tags":[1067,1068],"class_list":["post-11298","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sicherheit","tag-cba","tag-microsoft-edge"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v26.2 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>CBA (certificate-based authentication): New feature in the Edge browser<\/title>\n<meta name=\"description\" content=\"CBA lets users authenticate with a client certificate. It is used in place of a user name and password.\" \/>\n<meta name=\"robots\" content=\"noindex, follow\" \/>\n<meta property=\"og:locale\" content=\"de_DE\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CBA (certificate-based authentication): Why this feature in the new Edge browser is so useful\" \/>\n<meta property=\"og:description\" content=\"With CBA (certificate-based authentication), users can authenticate with a client certificate. 
The certificate is\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiting\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/XitingAG\" \/>\n<meta property=\"article:published_time\" content=\"2020-07-27T15:20:18+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-13T16:42:56+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/shutterstock_1022824408-scaled.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"2560\" \/>\n\t<meta property=\"og:image:height\" content=\"1383\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Carsten Olt\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@jsterr@xiting.de\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Carsten Olt\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/\"},\"author\":{\"name\":\"Carsten Olt\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#\\\/schema\\\/person\\\/3c32c7de1132d012e263720a9f3300a2\"},\"headline\":\"CBA (certificate-based authentication): Why this feature in the new Edge browser is so 
useful\",\"datePublished\":\"2020-07-27T15:20:18+00:00\",\"dateModified\":\"2026-02-13T16:42:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/\"},\"wordCount\":1067,\"publisher\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/shutterstock_1022824408-scaled.jpg\",\"keywords\":[\"CBA\",\"Microsoft Edge\"],\"articleSection\":[\"SAP Security\"],\"inLanguage\":\"de-DE\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/\",\"url\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/\",\"name\":\"CBA (certificate-based authentication): New feature in the Edge browser\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/shutterstock_1022824408-scaled.jpg\",\"datePublished\":\"2020-07-27T15:20:18+00:00\",\"dateModified\":\"2026-02-13T16:42:56+00:00\",\"description\":\"CBA lets users authenticate with a client certificate. 
It is used in place of a user name and password.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/#breadcrumb\"},\"inLanguage\":\"de-DE\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/#primaryimage\",\"url\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/shutterstock_1022824408-scaled.jpg\",\"contentUrl\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2020\\\/07\\\/shutterstock_1022824408-scaled.jpg\",\"width\":2560,\"height\":1383},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/news\\\/cba-microsoft-edge\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/xiting.com\\\/de\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CBA (certificate-based authentication): Why this feature in the new Edge browser is so useful\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#website\",\"url\":\"https:\\\/\\\/xiting.com\\\/de\\\/\",\"name\":\"Xiting\",\"description\":\"Your Expert for SAP 
Security\",\"publisher\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/xiting.com\\\/de\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"de-DE\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#organization\",\"name\":\"Xiting\",\"url\":\"https:\\\/\\\/xiting.com\\\/de\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2019\\\/08\\\/xiting-logo.svg\",\"contentUrl\":\"https:\\\/\\\/xiting.com\\\/wp-content\\\/uploads\\\/2019\\\/08\\\/xiting-logo.svg\",\"width\":1,\"height\":1,\"caption\":\"Xiting\"},\"image\":{\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/XitingAG\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/1345129\\\/\",\"https:\\\/\\\/www.instagram.com\\\/xiting.global\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/xiting.com\\\/de\\\/#\\\/schema\\\/person\\\/3c32c7de1132d012e263720a9f3300a2\",\"name\":\"Carsten Olt\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"de-DE\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g\",\"caption\":\"Carsten Olt\"},\"description\":\"Carsten Olt has been working as a Managing SAP Security Consultant since 2016, responsible for Secure 
Authentication &amp; SSO and SAP Cloud Security Services at Xiting in Germany. As a member of the IAM team, he is also a team leader who conveys the company's goals and strategies to employees and has organizational responsibility. With a security-minded approach, Carsten has international project and IT security experience in many industries. He has been working in IT-Security since 2001, specializing in SAP security since 2010. He is a subject matter expert for SAP Single Sign-On 3.0 and a trainer for the WDESSO course. His current focus is on supporting customers in solving authentication and security challenges within hybrid SAP landscapes, as well as designing and implementing holistic authentication concepts. Carsten is an ISACA CISA and a former MCP and RHCE with an ISP background, and he looks at security from different angles. He also translates between SAP and IT security vocabulary. Carsten has in-depth experience in multi-vendor architectures and MSFT\\\/Azure components, dealing with all the requirements concerning SAML 2.0, OAuth, OpenID Connect, SCIM, X.509 CBA &amp; PKI, MFA, SAP SSO, and Secure Network Communications, Kerberos\\\/SPNEGO, data security and encryption, as well as digital signatures. Carsten is experienced in SAP on-premises components such as S\\\/4HANA, ABAP, and Java, as well as security solutions like SSO 3.0. Since 2019, he has focused on SAP-Cloudified environments, specifically the SAP Cloud Identity Services and SAP BTP, as well as SaaS integrations concerning IAM. He deals with hybrid SAP security in conjunction with Azure Active Directory, ADDS, ADFS, ADCS, Reverse Proxies\\\/WAF, SAP Web Dispatcher, SAP Cloud Connector, third-party products, and infrastructure components.\",\"sameAs\":[\"https:\\\/\\\/x.com\\\/jsterr@xiting.de\"],\"url\":\"https:\\\/\\\/xiting.com\\\/de\\\/author\\\/carsten-olt\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","yoast_head_json":{"title":"CBA (certificate-based authentication): Neues Feature im Edge Browser","description":"CBA erm\u00f6glicht Benutzern sich mithilfe eines Clientzertifikats zu authentifizieren. Dieses wird anstelle eines Benutzernamens und Kennworts verwendet.","robots":{"index":"noindex","follow":"follow"},"og_locale":"de_DE","og_type":"article","og_title":"CBA (certifcate-based authentication): Warum dieses Feature im neuen Edge Browser so n\u00fctzlich ist","og_description":"Bei Verwendung von CBA (certificate-based authentication) k\u00f6nnen sich Benutzer mithilfe eines Clientzertifikats authentifizieren. Das Zertifikat wird","og_url":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/","og_site_name":"Xiting","article_publisher":"https:\/\/www.facebook.com\/XitingAG","article_published_time":"2020-07-27T15:20:18+00:00","article_modified_time":"2026-02-13T16:42:56+00:00","og_image":[{"width":2560,"height":1383,"url":"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/shutterstock_1022824408-scaled.jpg","type":"image\/jpeg"}],"author":"Carsten Olt","twitter_card":"summary_large_image","twitter_creator":"@jsterr@xiting.de","twitter_misc":{"Verfasst von":"Carsten Olt","Gesch\u00e4tzte Lesezeit":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/#article","isPartOf":{"@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/"},"author":{"name":"Carsten Olt","@id":"https:\/\/xiting.com\/de\/#\/schema\/person\/3c32c7de1132d012e263720a9f3300a2"},"headline":"CBA (certifcate-based authentication): Warum dieses Feature im neuen Edge Browser so n\u00fctzlich 
ist","datePublished":"2020-07-27T15:20:18+00:00","dateModified":"2026-02-13T16:42:56+00:00","mainEntityOfPage":{"@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/"},"wordCount":1067,"publisher":{"@id":"https:\/\/xiting.com\/de\/#organization"},"image":{"@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/#primaryimage"},"thumbnailUrl":"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/shutterstock_1022824408-scaled.jpg","keywords":["CBA","Microsoft Edge"],"articleSection":["SAP Sicherheit"],"inLanguage":"de-DE"},{"@type":"WebPage","@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/","url":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/","name":"CBA (certificate-based authentication): Neues Feature im Edge Browser","isPartOf":{"@id":"https:\/\/xiting.com\/de\/#website"},"primaryImageOfPage":{"@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/#primaryimage"},"image":{"@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/#primaryimage"},"thumbnailUrl":"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/shutterstock_1022824408-scaled.jpg","datePublished":"2020-07-27T15:20:18+00:00","dateModified":"2026-02-13T16:42:56+00:00","description":"CBA erm\u00f6glicht Benutzern sich mithilfe eines Clientzertifikats zu authentifizieren. 
Dieses wird anstelle eines Benutzernamens und Kennworts verwendet.","breadcrumb":{"@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/#breadcrumb"},"inLanguage":"de-DE","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/"]}]},{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/#primaryimage","url":"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/shutterstock_1022824408-scaled.jpg","contentUrl":"https:\/\/xiting.com\/wp-content\/uploads\/2020\/07\/shutterstock_1022824408-scaled.jpg","width":2560,"height":1383},{"@type":"BreadcrumbList","@id":"https:\/\/xiting.com\/de\/news\/cba-microsoft-edge\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiting.com\/de\/"},{"@type":"ListItem","position":2,"name":"CBA (certifcate-based authentication): Warum dieses Feature im neuen Edge Browser so n\u00fctzlich ist"}]},{"@type":"WebSite","@id":"https:\/\/xiting.com\/de\/#website","url":"https:\/\/xiting.com\/de\/","name":"Xiting","description":"Your Expert for SAP 
Security","publisher":{"@id":"https:\/\/xiting.com\/de\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiting.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"de-DE"},{"@type":"Organization","@id":"https:\/\/xiting.com\/de\/#organization","name":"Xiting","url":"https:\/\/xiting.com\/de\/","logo":{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/xiting.com\/de\/#\/schema\/logo\/image\/","url":"https:\/\/xiting.com\/wp-content\/uploads\/2019\/08\/xiting-logo.svg","contentUrl":"https:\/\/xiting.com\/wp-content\/uploads\/2019\/08\/xiting-logo.svg","width":1,"height":1,"caption":"Xiting"},"image":{"@id":"https:\/\/xiting.com\/de\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/XitingAG","https:\/\/www.linkedin.com\/company\/1345129\/","https:\/\/www.instagram.com\/xiting.global\/"]},{"@type":"Person","@id":"https:\/\/xiting.com\/de\/#\/schema\/person\/3c32c7de1132d012e263720a9f3300a2","name":"Carsten Olt","image":{"@type":"ImageObject","inLanguage":"de-DE","@id":"https:\/\/secure.gravatar.com\/avatar\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2c35c3b7ce5d81579234be25ef570938712ba95e2cb8e87f2a79b81be928499a?s=96&d=mm&r=g","caption":"Carsten Olt"},"description":"Carsten Olt has been working as a Managing SAP Security Consultant since 2016, responsible for Secure Authentication &amp; SSO and SAP Cloud Security Services at Xiting in Germany. As a member of the IAM team, he is also a team leader who conveys the company's goals and strategies to employees and has organizational responsibility. 
With a security-minded approach, Carsten has international project and IT security experience in many industries. He has been working in IT-Security since 2001, specializing in SAP security since 2010. He is a subject matter expert for SAP Single Sign-On 3.0 and a trainer for the WDESSO course. His current focus is on supporting customers in solving authentication and security challenges within hybrid SAP landscapes, as well as designing and implementing holistic authentication concepts. Carsten is an ISACA CISA and a former MCP and RHCE with an ISP background, and he looks at security from different angles. He also translates between SAP and IT security vocabulary. Carsten has in-depth experience in multi-vendor architectures and MSFT\/Azure components, dealing with all the requirements concerning SAML 2.0, OAuth, OpenID Connect, SCIM, X.509 CBA & PKI, MFA, SAP SSO, and Secure Network Communications, Kerberos\/SPNEGO, data security and encryption, as well as digital signatures. Carsten is experienced in SAP on-premises components such as S\/4HANA, ABAP, and Java, as well as security solutions like SSO 3.0. Since 2019, he has focused on SAP-Cloudified environments, specifically the SAP Cloud Identity Services and SAP BTP, as well as SaaS integrations concerning IAM. 
He deals with hybrid SAP security in conjunction with Azure Active Directory, ADDS, ADFS, ADCS, Reverse Proxies\/WAF, SAP Web Dispatcher, SAP Cloud Connector, third-party products, and infrastructure components.","sameAs":["https:\/\/x.com\/jsterr@xiting.de"],"url":"https:\/\/xiting.com\/de\/author\/carsten-olt\/"}]}},"_links":{"self":[{"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/posts\/11298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/comments?post=11298"}],"version-history":[{"count":10,"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/posts\/11298\/revisions"}],"predecessor-version":[{"id":20199,"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/posts\/11298\/revisions\/20199"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/media\/11249"}],"wp:attachment":[{"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/media?parent=11298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/categories?post=11298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiting.com\/de\/wp-json\/wp\/v2\/tags?post=11298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}