
6.0R5 and Certificates Authentication

SOLVED
vpnjunkie_
Occasional Contributor

6.0R5 and Certificates Authentication

Hi guys,

I need to verify the presence of a machine certificate on a Windows machine before allowing it to access intranet resources. I got it working with Host Checker, but I was wondering if there was a way to check the machine certificate without invoking HC, as it seems slow and fails on random machines. I am using AD for username/password authentication acting as the first factor.

Thanks in advance,

1 ACCEPTED SOLUTION

Accepted Solutions
kenlars_
Super Contributor

Re: 6.0R5 and Certificates Authentication

The user's browser presents the certificate during connection setup time. Host Checker does not need to be run.

19 REPLIES
kenlars_
Super Contributor

Re: 6.0R5 and Certificates Authentication

I don't have experience with machine certificates, but I do check for a user certificate with certificate restrictions in the realm definition. You can either require that the certificate have specific field values before login is successful, or accept any certificate and use certificate fields in role mapping.
Paul_Slager_
Occasional Contributor

Re: 6.0R5 and Certificates Authentication

Like Kenlars, I use User Certificates that are pushed out through Group Policy, and they seem to work well. If you need assistance I can help.
vpnjunkie_
Occasional Contributor

Re: 6.0R5 and Certificates Authentication

Hi Paul

Thanks for your reply but I have one question:

Does this user certificate present itself to the IVE via the browser during connection setup time, or do you still have to run HC on the client machine to find it?

Thanks,

Shahid

kenlars_
Super Contributor

Re: 6.0R5 and Certificates Authentication

The user's browser presents the certificate during connection setup time. Host Checker does not need to be run.
vpnjunkie_
Occasional Contributor

Re: 6.0R5 and Certificates Authentication

Thanks so much kenlars!!!
PhillyEagles_
Contributor

Re: 6.0R5 and Certificates Authentication

So, what happens if the user is coming from a kiosk or a personal PC?
ben_
Frequent Contributor

Re: 6.0R5 and Certificates Authentication

The browser should be able to present the client cert, otherwise the login will not be possible.

E.g. in our case we have the Entrust client, so if you try accessing from a machine without the Entrust client and thus without your personal cert, you won't be able to access.

Another thing would be the so-called "machine certs", which you could carry around on a smart card, but then you would need to use the HC.

vpnjunkie_
Occasional Contributor

Re: 6.0R5 and Certificates Authentication

Hi Ben,

So in order to use client certificates, the client machine will need another "client" to present this certificate to the IVE? I thought if the machine has a "user certificate", it will offer it via the browser to the IVE. Is this assumption wrong?

Thanks in advance,

ben_
Frequent Contributor

Re: 6.0R5 and Certificates Authentication

Ah sorry. No, you were right. I just tried (and wanted, but it obviously did not work ;) ) to point out that the browser on the PC being used, in your example the kiosk, needs to have this user cert, that's all.

I just went one step further, for our company's special case where the browser does not "store" the user cert, but rather assumes Entrust client software to be there to present the cert, so if our company used user cert based auth, users would not be able to authenticate because they may only have access to the cert via the Entrust client.