Machine Cert Host Checker Policy

SOLVED
Super Contributor

Machine Cert Host Checker Policy

So I did a search and it came up with a lot of information, but none of it has helped me so far.

As one of the host checks, I am trying to validate that the computer has a valid machine cert issued by our internal CA.

I have imported the whole chain, from our root CA down to the CA that issues the machine certs, into System -> Configuration -> Certificates -> Trusted Client CAs.

On the machine (Windows 7) the cert is at Certificates (Local Computer) -> Personal -> Certificates.

When I run a check with this Host Checker policy, which basically says pass if the cert is issued by either of our internal CAs, I get the following error:

'Machine certificate validation failed (3); Machine certificate was not found'

Any help will result in kudos :)

1 ACCEPTED SOLUTION

Regular Contributor

Re: Machine Cert Host Checker Policy

Your config is correct. Also, the error message you are getting indicates that the actual machine certificate checks are happening but failing. You may want to open a JTAC case to get to the bottom of it.

One other thing: The '3' in your error message indicates the check may be failing due to CRL related issues. Can you check your CRL settings and also check the SA event log for any CRL download failure messages?
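
The thread circles around two things the Host Checker has to find on the client: a certificate in the Local Computer\Personal store that was issued by the expected CA and carries the Client Authentication EKU, and a chain for that certificate that validates, including the CRL fetch the '(3)' above points at. Both can be reproduced on the Windows 7 machine itself before involving JTAC. The following PowerShell is an added example, not code from the thread or from Juniper/Pulse: the issuer string is a placeholder to replace with your issuing CA's subject, and the .NET X509Chain build approximates the Host Checker's validation rather than reproducing it exactly.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the client.
# Lists Local Computer\Personal certs that match the issuer the Host Checker policy
# expects, confirms the Client Authentication EKU and private key are present, then
# builds the chain with online CRL checking and prints every chain status error.

function Test-MachineCert {
    param(
        # Assumption: placeholder issuer; substitute the subject of your issuing CA.
        [string]$IssuerMatch = 'CN=Example Issuing CA'
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $cdpOid        = '2.5.29.31'           # CRL Distribution Points

    $all = Get-ChildItem -Path Cert:\LocalMachine\My

    $candidates = $all | Where-Object {
        $_.Issuer -like "*$IssuerMatch*" -and
        $_.HasPrivateKey -and
        (($_.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $clientAuthOid }) -ne $null)
    }

    if (-not $candidates) {
        Write-Warning "No cert in LocalMachine\My issued by '$IssuerMatch' with a private key and Client Authentication EKU."
        Write-Host 'Certificates actually present in LocalMachine\My:'
        $all | Format-Table Subject, Issuer, NotAfter, HasPrivateKey -AutoSize
        return $false
    }

    $allValid = $true
    foreach ($cert in $candidates) {
        Write-Host "Checking $($cert.Subject) (thumbprint $($cert.Thumbprint))"

        # Show where the CRL would be fetched from; a blocked or dead URL here is
        # the usual cause of a revocation-related failure.
        $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
        if ($cdp) { Write-Host $cdp.Format($true) } else { Write-Host 'No CRL Distribution Point extension.' }

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode  = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag  = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
        $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $clientAuthOid)) | Out-Null

        $built = $chain.Build($cert)
        if ($built) {
            Write-Host '  Chain builds and revocation check passed:'
            $chain.ChainElements | ForEach-Object { Write-Host "    $($_.Certificate.Subject)" }
        } else {
            $allValid = $false
            Write-Warning '  Chain build failed:'
            foreach ($status in $chain.ChainStatus) {
                Write-Warning "    $($status.Status): $($status.StatusInformation.Trim())"
            }
        }
    }
    return $allValid
}

Test-MachineCert -IssuerMatch 'CN=Example Issuing CA'
```

If the first branch fires, the certificate the Host Checker is looking for is not in the store it reads (or was enrolled into Current User rather than Local Computer, which this script will not see). If the chain build fails with `RevocationStatusUnknown` or `OfflineRevocation`, the client cannot reach the CDP URL printed just above it, which matches the CRL-related reading of the '(3)' in the error text.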


10 REPLIES
Contributor

Re: Machine Cert Host Checker Policy

I am in the same boat and would like to know too.

Valued Contributor

Re: Machine Cert Host Checker Policy

Hey Ifran, just ran a quick test on a Win 7 machine, running against a back-end W2K8 box. I did not have any problems using a realm-level machine cert host check.

Curious: have you validated the server cert by setting up a test realm and doing a login using a certificate for authentication? That is a good way to test your cert chain.

Super Contributor

Re: Machine Cert Host Checker Policy

I still cannot get this stupid thing to work :(

So far this is how I have everything set up:

1. I have imported my cert chain, up to the root, in System -> Configuration -> Certificates -> Trusted Client CAs.

2. Set up a sign-in page: https://x.x.x.x/pulse

3. Set up a sign-in page policy that sends me to the pulse realm.

4. In the realm I am not doing any restrictions.

5. And there is a role called pulse which has the option to do only Pulse, nothing else.

6. There is a Host Checker policy called cert where I am looking for Machine cert -> Machine Certificate, and the only thing checked in there is Criteria, and that is my issuer cert. That is the CA that signed my machine cert. Nothing in the optional settings.

7. I have set up primary authentication in the realm PULSE as LDAP.

8. There is a * so that anyone who wants to connect to the pulse realm will get the pulse role if they have the machine cert.

9. Every time I do this I get

10. So when I go to my Pulse client and try to connect, I get the login prompt for LDAP. I type that in and then I get "You are not allowed to login", and of course the reason is no roles, as the Host Checker policy does not find a machine cert signed by my CA.

Please help. I am thinking there is something really simple I am messing up.

Respected Contributor

Re: Machine Cert Host Checker Policy

Was this created as a personal cert/browser cert? Or was it created as an IPsec cert?

Regular Contributor

Re: Machine Cert Host Checker Policy

What is the behaviour from a browser?

Super Contributor

Re: Machine Cert Host Checker Policy

When I try the browser I get:

Reasons: Machine certificate validation failed (3)

The cert's Key Usage is:

Digital Signature, Key Encipherment (a0)

Intended Purposes:

Server Authentication, Client Authentication

Frequent Contributor

Re: Machine Cert Host Checker Policy

I bet Juniper does not have access to where the certs are kept.

Super Contributor

Re: Machine Cert Host Checker Policy

Anyone?
