
Client Certificate Authentication - Missing certificate.

alicain_
Not applicable

Hello,

I am attempting to configure Client Certificate Authentication on a Pulse Connect Secure 8.1R1.

On the Windows 7 client device, I am getting the error:

Missing certificate. Check that your certificate is valid and up-to-date, and try again

In the User Access logs I am getting:

... user1(CertUserRealm)[] - Login failed using auth server CertAuthn(Certificate Server). Reason: No Certificate
... Primary authentication failed for /CertAuthn from 192.168.1.123

A Device Certificate has been created and loaded, which is successfully validated by the client when connecting to the device with a browser.

Valid certificates for the Trusted client CAs, a root and an issuing CA, have been loaded.

An Authentication Server of type Certificate Server has been created, User Name Template left as default.

A Sign-in policy has been created and linked to an Active Directory Authentication User Realm, which works successfully.

Another sign-in policy has also been created and linked to the Certificate Authentication Realm.

The User Authentication Realm - Authentication Policy - Certificate setting is configured to: Only allow users with a client-side certificate...

These are the instructions that have been followed: http://www.juniper.net/techpubs/software/ive/guides/howtos/How_To_Certificates.pdf

The Windows 7 client device is enrolled with my CA and has a valid certificate with Client Authentication and Server Authentication Purposes.

I am about to start trawling through a TCP dump, but is there anything obvious I have missed, or auth troubleshooting at the client side that would be helpful?

Thank you,
Alastair.
4 REPLIES 4
filbert_
Frequent Contributor

Re: Client Certificate Authentication - Missing certificate.

If you are using a browser to initiate the VPN, you cannot use device certificates for authentication. Only User certificates are supported. However, you can create a Host Checker policy to check for a device certificate and then assign that policy to the Realm.

If you are using the Pulse client, you can configure it to use the machine certificate store instead of the user store. Go into your Pulse connection set, and under "User Connection preferences" select "Select client certificate from machine certificate store".

Kita_
Valued Contributor

Re: Client Certificate Authentication - Missing certificate.

I think the main question to answer is how the client certificate was installed. A common mistake is installing a certificate that is not designed for client authentication, or installing a certificate without the private key. Could you provide the steps you used to request and install your client certificate?
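
A client-side check for the points raised in the two replies above (user store versus machine store, Client Authentication purpose, presence of the private key, validity dates), as an added example that is not part of any poster's reply or of the vendor documentation. It assumes Windows PowerShell on the client; the variable names are illustrative.

```powershell
# Added example (not from the thread): list certificates in the user and
# machine personal stores and flag the usual causes of "No Certificate".
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$now = Get-Date

$report = foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    foreach ($cert in Get-ChildItem -Path $store) {
        # A certificate with no EKU extension is not restricted to any purpose.
        $eku = $cert.Extensions | Where-Object { $_ -is $ekuType }
        $oids = @()
        if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $problems = @()
        if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
        if ($eku -and ($oids -notcontains $clientAuthOid)) {
            $problems += 'no Client Authentication purpose'
        }
        if ($now -lt $cert.NotBefore) { $problems += 'not yet valid' }
        if ($now -gt $cert.NotAfter)  { $problems += 'expired' }

        [pscustomobject]@{
            Store    = $store
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer   # compare with the Trusted Client CAs on the gateway
            NotAfter = $cert.NotAfter
            Problems = if ($problems) { $problems -join '; ' } else { 'none found' }
        }
    }
}

if (-not $report) {
    Write-Output 'No certificates found in either personal store.'
} else {
    $report | Format-Table -AutoSize -Wrap
}
```

Rows under Cert:\CurrentUser\My are the ones relevant to a browser-initiated sign-in; rows under Cert:\LocalMachine\My matter only when the Pulse client is set to use the machine certificate store.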

alicain
Not applicable

Re: Client Certificate Authentication - Missing certificate.

Hi Filbert,

Thank you for the reply, and sorry for the delay in replying.

I was indeed confusing the fact that it is a user certificate, not a device certificate that is used for the browser initiated authentication.

Once I'd set up the user to enroll with the CA, the authentication worked as required.

Regards,
Alastair.
ermias01
New Contributor

Re: Client Certificate Authentication - Missing certificate.

I ran into a similar conundrum. I wanted to check that the device also got checked when logging in. So we do have the option of a host check - however, you can also do it via a custom certificate request.

It might be a bit cumbersome - but it seems to get the job done.

Assuming you have a User certificate template (Microsoft internal PKI) - users can enroll for a certificate via MMC or the https://servername/certsrv URL.

[Screenshots: Custom_exp.JPG, Custom_certreq.JPG]

Once you create the certificate, you can allow access to roles at the realm level.

[Screenshot: Role_mapping.JPG]