cancel
Showing results for 
Search instead for 
Did you mean: 

6.0R5 and Certificates Authentication

SOLVED
vpnjunkie_
Occasional Contributor

6.0R5 and Certificates Authentication

Hi guys,

I need to verify presence of machine certificate on a windows machine before allowing them to access intranet resources. I got it working with Host checker but I was wondering if there was a way to check machine certificate without invoking HC as it seems slow and fails on random machines. I am using AD for username/password authentication acting as first factor.

thanks in advance,

1 ACCEPTED SOLUTION

Accepted Solutions
kenlars_
Super Contributor

Re: 6.0R5 and Certificates Authentication

The user's browser presents the certificate during connection setup time. Host Checker does not need to be run.

View solution in original post

19 REPLIES 19
kenlars_
Super Contributor

Re: 6.0R5 and Certificates Authentication

I don't have experience with machine certificates, but do check for a user certificate with certificate restictions in the realm definition. You can either require the certificate have specific field values before login is successful, or accept any certificate and use certificate fields in role mapping.
Paul_Slager_
Occasional Contributor

Re: 6.0R5 and Certificates Authentication

Like Kenlars I use User Certificates that are pushed out through Group Policy that seem to work well. If you need assistance I can help.
vpnjunkie_
Occasional Contributor

Re: 6.0R5 and Certificates Authentication

Hi Paul

Thanks for your reply but I have one question:

DOes this User certificate presents itself to IVE via browser during connection setup time? or you still have to run HC on the client machine to find it?

thanks,

Shahid

kenlars_
Super Contributor

Re: 6.0R5 and Certificates Authentication

The user's browser presents the certificate during connection setup time. Host Checker does not need to be run.

View solution in original post

vpnjunkie_
Occasional Contributor

Re: 6.0R5 and Certificates Authentication

thanks do much kelnars!!!
PhillyEagles_
Contributor

Re: 6.0R5 and Certificates Authentication

So, what happens if the users is coming from a Kiosk or a personal PC.
ben_
Frequent Contributor

Re: 6.0R5 and Certificates Authentication

The browser should be able to present the client cert, otherwise the login will not be possible.

E.g. in our case we have the entrust client, so if you try accessing from a machine without entrust client and thus without your personal

cert you won't be able to access.

Another thing would be the the so called "machine certs", that you could carry around on a smart card but then you would need to use the HC.

vpnjunkie_
Occasional Contributor

Re: 6.0R5 and Certificates Authentication

Hi Ben,

So in order to use client certificates, client machine will need another "client" to present this certificate to IVE? I thought if machine has "user certificate", it will offer it via browser to IVE. Is this assumption wrong?

thanks in advance,

ben_
Frequent Contributor

Re: 6.0R5 and Certificates Authentication

Ah sorry. No you were right. I just tried (and wanted, but it did obviously not work Smiley Wink ) to point out, that the Browser on the used PC, in your example Kiosk, needs to have this user cert, that's all.

I just went one stept further, for our company's special case where the browser does not "store" the user cert, more than that assumes an entrust client software to be there to present the cert, so if our comp. would use user cert based auth. user's would not be able to authenticate because the may only have the cert in access via the entrust client.