Certificate Authentication Issue

SOLVED
dcvers_
Regular Contributor

Certificate Authentication Issue

We are setting up some new realms that will use certificate based authentication. They all use the same certificate Auth server but have different Directory/Attribute servers and use different groups lookups in the role mappings. Other than that they are essentially identical.


If I connect to one realm I get a failed authentication. Log message: "Login failed. Reason: WrongCert"

If I connect to another realm with the same certificate I get authenticated without any issue.


On the production box 1 out of 4 is working and in my test lab 2 out of 4 work. But not the same ones.

I did an xml export of the config and as far as I can see everything is configured the same for each realm.


Any ideas?


Version 7.1R10

2 REPLIES
Kita_
Valued Contributor

Re: Certificate Authentication Issue

What does a policy trace state? This should provide more detail as to why the end user is failing due to a role mapping issue. Also, are all end user certificates issued from the same CA? If not, you'll need to make sure all CAs are added to the Trust Client CA tab.

dcvers_
Regular Contributor

Re: Certificate Authentication Issue

Hello Kita, it's immediately rejecting the authentication and not even extracting the user name from the certificate, so a policy trace is no use. Also, to be clear, the same certificate works on one realm but not on another even though they are configured with the same Authentication server.


However, after looking at the xml exports again I have now found a difference.

For the realms where it works, in the <certificate> section the <customized> value is set to: allow-all-users

In the admin portal the setting shows as: "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in".

For the other realms where it does not work, in the xml export the <customized> value is set to: require-client-cert

In the portal again the setting is shown as: "Only allow users with a client-side certificate signed by Trusted Client CAs to sign in".

I did some testing on my test box and even if the xml setting is "allow-all-users" it works correctly, i.e. it only allows clients with a valid certificate from one of the trusted CAs and the required attributes. So it appears the value shown in the admin portal is the correct one, but whatever it is picking up to fill in the xml is causing the issue. I was able to fix the issue by editing the xml export to have the <customized> value set to: allow-all-users and then re-importing.
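As an added example (not code from this thread or from the product), the script below does the comparison dcvers did by eye: it parses a config export, reports the realms whose <certificate>/<customized> value differs from the working allow-all-users, and rewrites the rest before re-import. The element nesting, the realm names and the sample export are constructed assumptions; a real export will need the element paths adjusted.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the post describes: four realms, same UI
# setting, but two of them export <customized>require-client-cert</customized>.
# The <realm>/<name> nesting is an assumption, not the product's real schema.
SAMPLE_EXPORT = """<configuration>
  <realms>
    <realm><name>Realm-A</name><certificate><customized>allow-all-users</customized></certificate></realm>
    <realm><name>Realm-B</name><certificate><customized>require-client-cert</customized></certificate></realm>
    <realm><name>Realm-C</name><certificate><customized>require-client-cert</customized></certificate></realm>
    <realm><name>Realm-D</name><certificate><customized>allow-all-users</customized></certificate></realm>
  </realms>
</configuration>"""

EXPECTED = "allow-all-users"  # the value found on the realms that authenticated


def audit(xml_text, expected=EXPECTED):
    """Map realm name -> <customized> value for every realm that drifts from `expected`."""
    root = ET.fromstring(xml_text)
    drift = {}
    for realm in root.iter("realm"):
        name = realm.findtext("name", default="<unnamed>")
        value = realm.findtext("certificate/customized")
        if value is None:
            continue  # realm without a certificate section: nothing to compare
        if value.strip() != expected:
            drift[name] = value.strip()
    return drift


def normalize(xml_text, expected=EXPECTED):
    """Return (rewritten export, number of realms changed) with every drifted value set to `expected`."""
    root = ET.fromstring(xml_text)
    changed = 0
    for cert in root.iter("certificate"):
        custom = cert.find("customized")
        if custom is not None and (custom.text or "").strip() != expected:
            custom.text = expected
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    for name, value in audit(SAMPLE_EXPORT).items():
        print(f"{name}: customized={value} (expected {EXPECTED})")
    fixed_xml, count = normalize(SAMPLE_EXPORT)
    print(f"rewrote {count} realm(s); remaining drift: {audit(fixed_xml)}")
```

Run audit() first on the export of a working box and a failing box to confirm the drift is confined to that element before importing the normalized file.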