We are setting up some new realms that will use certificate-based authentication. They all use the same certificate Auth server but have different Directory/Attribute servers and use different group lookups in the role mappings. Other than that they are essentially identical.
If I connect to one realm I get a failed authentication. Log message: "Login failed. Reason: WrongCert"
If I connect to another realm with the same certificate I get authenticated without any issue.
On the production box 1 out of 4 is working and in my test lab 2 out of 4 work. But not the same ones.
I did an xml export of the config and as far as I can see everything is configured the same for each realm.
Any ideas?
Version 7.1R10
What does a policy trace state? This should provide more detail as to why the end user is failing due to a role mapping issue. Also, are all end-user certificates issued from the same CA? If not, you'll need to make sure all CAs are added to the Trust Client CA tab.
Hello Kita, it's immediately rejecting the authentication and not even extracting the user name from the certificate, so a policy trace is no use. Also, to be clear, the same certificate works on one realm but not on another even though they are configured with the same Authentication server.
However, after looking at the xml exports again I have now found a difference.
For the realms where it works in the <certificate> section the <customized> value is set to: allow-all-users
In the admin portal the setting shows as: "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in".
For the other realms where it does not work in the xml export the <customized> value is set to: require-client-cert
In the portal again the setting is shown as: "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in".
I did some testing on my test box and even if the xml setting is "allow-all-users" it works correctly, i.e. it only allows clients with a valid certificate from one of the trusted CAs and the required attributes. So it appears the value shown in the admin portal is the correct one, but whatever it is picking up to fill in the xml is causing the issue. I was able to fix the issue by editing the xml export to have the <customized> value set to: allow-all-users and then re-importing.
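The comparison the poster did by eye across the xml exports can be scripted so that every realm is checked at once and the drifted ones are patched consistently. The block below is an added example, not code from the thread or from the appliance vendor: it parses an export, reports each realm's `<certificate>/<customized>` value, flags any realm that does not carry `allow-all-users` (the value the thread found to work), and rewrites the drifted ones. Only the `<certificate>` and `<customized>` elements and the two values come from the thread; the `<configuration>`, `<realms>`, `<realm>` and `<name>` wrapper elements and the sample export are constructed assumptions, so the element paths need to be adjusted to match a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (hypothetical wrapper elements; only <certificate>/<customized>
# and the two values allow-all-users / require-client-cert come from the thread).
# Realm-B shows the drifted value; Realm-D has no <certificate> section at all.
SAMPLE_EXPORT = """<configuration>
  <realms>
    <realm>
      <name>Realm-A</name>
      <certificate><customized>allow-all-users</customized></certificate>
    </realm>
    <realm>
      <name>Realm-B</name>
      <certificate><customized>require-client-cert</customized></certificate>
    </realm>
    <realm>
      <name>Realm-C</name>
      <certificate><customized>allow-all-users</customized></certificate>
    </realm>
    <realm>
      <name>Realm-D</name>
    </realm>
  </realms>
</configuration>"""

# Value the thread found to work; adjust if a realm legitimately needs another setting.
EXPECTED = "allow-all-users"


def realm_cert_settings(xml_text):
    """Map realm name -> <certificate>/<customized> text (None when the element is absent)."""
    root = ET.fromstring(xml_text)
    settings = {}
    for realm in root.iter("realm"):
        name = realm.findtext("name", default="<unnamed>")
        settings[name] = realm.findtext("certificate/customized")
    return settings


def find_mismatches(xml_text, expected=EXPECTED):
    """Realms whose value differs from the expected one, including realms missing the element."""
    return {name: value
            for name, value in realm_cert_settings(xml_text).items()
            if value != expected}


def patch_customized(xml_text, expected=EXPECTED):
    """Return (patched xml, list of realm names changed). Realms without the element are
    left alone and reported by find_mismatches, because adding structure blindly is riskier
    than flagging it for a manual look."""
    root = ET.fromstring(xml_text)
    changed = []
    for realm in root.iter("realm"):
        node = realm.find("certificate/customized")
        if node is not None and node.text != expected:
            node.text = expected
            changed.append(realm.findtext("name", default="<unnamed>"))
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for name, value in realm_cert_settings(SAMPLE_EXPORT).items():
        print(f"{name}: {value}")
    print("mismatches:", find_mismatches(SAMPLE_EXPORT))
    patched, changed = patch_customized(SAMPLE_EXPORT)
    print("patched realms:", changed)
    print("remaining mismatches:", find_mismatches(patched))
```

Run it against the real export first without importing anything back: the mismatch list is the diagnostic, and the patched file should be re-imported on the lab box before production, as the poster did, since the portal and the export disagreed about which value was in effect.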