
Help with certificates on SA

devs_
Occasional Contributor

Hello all

I was hoping someone could lend me a hand. The whole issue of certificates quite frankly gives me a headache. A dark art, some would call it.

The requirement is that the user's machine should be checked to ensure it has a valid certificate signed/issued by the internal PKI. So to simulate this I have set up a Server 2008 root CA (single tier) with which I have created my root cert and private key. In order to simulate the machine certificate verification I have created a certificate template on the PKI based on the 'Workstation Authentication' template, with the following properties:

Algorithm: ECDH 256, HASH: SHA256
Subject Name: Format: Common Name, Include UPN
Permissions: Domain Computers - Read, Autoenroll

I then use a GPO to push this out to my lab Windows 8.1 VM.

My thinking is that the machine now has a client/machine certificate. Using the MMC snap-in I can verify that the cert has indeed been sent to the Windows 8 machine, signed by the CA. With this I now upload the root CA cert to the SA under the System > Configuration > Certificates > Trusted Client CA section. I then enable the certificate check under the User Realms > Realm Name > Authentication Policy > Certificate section.

With this my hope is that prior to authentication the host machine will have its certificate checked; the SA then compares this to the uploaded root CA, sees it has been signed by the same internal PKI and, voila, it's passed.

Unfortunately that is not the case as I just keep getting the dreaded "Error 1332 Missing or invalid certificate error" when trying to log in.

I'm at a loss here. Can someone shed some light on how to fix this?

Many thanks

filbert_
Frequent Contributor

Re: Help with certificates on SA

It sounds like you've provisioned a machine certificate. Authentication via a browser or Network Connect can only check a client certificate. You can set up a Host Checker policy to check for the machine certificate, which will accomplish the same thing.

With the Pulse client you can configure a machine certificate for authentication; you just need to enable it in the Pulse Connection Set under "User Connection Preferences".
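To see for yourself which of the two situations the reply describes applies, the following PowerShell (an added example, not from either poster) lists certificates from the internal CA in both the machine store and the user store, and for each reports whether it carries the Client Authentication EKU, whether its key can sign (a TLS client certificate has to sign the handshake, so a key-agreement-only ECDH key from an ECDH template will not work there), and whether it chains to a trusted root. The CA name is a placeholder.

```powershell
# Added example, not from the thread. Run on the Windows 8.1 VM after the GPO
# has applied. Replace the placeholder with the CN of your internal root CA.
$caName = 'PLACEHOLDER-ROOT-CA'

# Browser and Network Connect logon present certificates from the *user* store;
# a GPO-autoenrolled "Workstation Authentication" cert lands in LocalMachine\My.
$stores = [ordered]@{
    'Machine store (Cert:\LocalMachine\My)' = 'Cert:\LocalMachine\My'
    'User store (Cert:\CurrentUser\My)'     = 'Cert:\CurrentUser\My'
}

$x509 = 'System.Security.Cryptography.X509Certificates'

foreach ($label in $stores.Keys) {
    Write-Host "== $label =="
    $certs = Get-ChildItem -Path $stores[$label] |
             Where-Object { $_.Issuer -like "*CN=$caName*" }
    if (-not $certs) { Write-Host '   (no certificate from this CA)'; continue }

    foreach ($cert in $certs) {
        # Enhanced Key Usage must contain Client Authentication (1.3.6.1.5.5.7.3.2)
        $eku = $cert.Extensions |
               Where-Object { $_ -is ("$x509.X509EnhancedKeyUsageExtension" -as [type]) }
        $hasClientAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2'))

        # TLS client authentication signs the CertificateVerify message, so the
        # key usage must allow DigitalSignature. An ECDH template only grants
        # KeyAgreement; RSA or ECDSA templates grant DigitalSignature.
        $ku = $cert.Extensions |
              Where-Object { $_ -is ("$x509.X509KeyUsageExtension" -as [type]) }
        $sigFlag = ("$x509.X509KeyUsageFlags" -as [type])::DigitalSignature
        $canSign = [bool]((-not $ku) -or ($ku.KeyUsages -band $sigFlag))

        # Build the chain the way the SA will: it must terminate at the root
        # you uploaded under Trusted Client CAs.
        $chain   = New-Object ("$x509.X509Chain" -as [type])
        $chainOk = $chain.Build($cert)
        $root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject

        Write-Host ("   {0}`n      Subject: {1}`n      ClientAuth EKU: {2}  Signing key: {3}  Chain OK: {4}`n      Root: {5}" -f `
            $cert.Thumbprint, $cert.Subject, $hasClientAuth, $canSign, $chainOk, $root)
    }
}
```

A certificate that appears only under the machine store is what Host Checker or the Pulse machine-certificate option would check; for browser or Network Connect logon, the cert has to show up under the user store with both "ClientAuth EKU" and "Signing key" reported as True.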