
problem with implementing machine auth via certificate

SOLVED
pfrey@lafim.de
Occasional Contributor

Hi,

I'm trying to implement machine authentication with a computer certificate. Since I could not find a complete tutorial, I'm relying on the Pulse admin guide and information from this forum.
Here is what I configured so far:
1. created a certificate-based auth server and kept the default entry "<certDN.CN>" under "User Name Template"
2. exported our Windows CA and then converted the p12 cert+private key to PEM format. Then I imported the PEM into the trusted client CAs and deactivated the "Participate in Client Certificate Negotiation" checkbox
3. created a realm with the certificate auth server for authentication and added a role mapping with username = *
4. created a connection set with computer-only auth
5. installed the connection set on a client
6. the Win10 client already has a computer cert via AD auto-enrolment

When I try to connect, I get a "missing or defective certificate" message from the client (error 1332). The Pulse appliance log says "1. Testing Certificate realm restrictions failed for /ma" "2. Login failed. Reason: No Certificate"

I'm not sure what I did wrong. Are Windows CA computer certs compatible with Pulse Secure? I could not find a lot of info on that.
Maybe the problem is the trusted client CA? Or did I configure something wrong?

BTW, our other realms via LDAP and AD auth are working fine.

I would be very grateful for any help. Maybe someone has a complete guide on this?

Thanks!



4 REPLIES
pfrey@lafim.de
Occasional Contributor

Re: problem with implementing machine auth via certificate

Forgot to mention: appliance and client versions are both 9.1R11.4.

zanyterp
Moderator

Re: problem with implementing machine auth via certificate

In order to do certificate authentication, all CAs in the chain need to be installed on the gateway at System > Configuration > Trusted Client CAs and have the option for participating in client certificate negotiation enabled.
Does the connection set have the option to check the machine store enabled?

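A worked illustration of the two points above, added here as an example and not taken from the thread or from Pulse Secure: it builds a throwaway two-tier CA shaped like a Windows AD CS hierarchy (offline root, issuing CA), enrols one machine certificate, repeats the post's p12-to-PEM conversion, and then uses `openssl verify` as a stand-in for the gateway's Trusted Client CAs check to show that a store holding only the issuing CA (what the post imported) or only the root rejects the machine certificate, while a store holding every CA in the chain accepts it. It also prints the subject CN, which is what the "<certDN.CN>" user name template resolves to. The CA names, the host name WS001.corp.example, the file names and the export password are assumptions for the demo; the verify call models the gateway's chain check and is not the appliance's own code.

```shell
#!/bin/sh
# Added example, not from the original thread or from Pulse Secure. All names, paths and the
# export password below are assumptions for the demo only.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- 1. Throwaway hierarchy: offline root -> issuing CA -> machine certificate -----------
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
cat > machine.ext <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=clientAuth
subjectAltName=DNS:WS001.corp.example
EOF

# Self-signed root (assumed name "Example Root CA")
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -new -key root.key -subj "/O=Example/CN=Example Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 -extfile ca.ext -out root.pem 2>/dev/null

# Issuing (subordinate) CA, signed by the root
openssl genrsa -out issuing.key 2048 2>/dev/null
openssl req -new -key issuing.key -subj "/O=Example/CN=Example Issuing CA" -out issuing.csr 2>/dev/null
openssl x509 -req -in issuing.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile ca.ext -out issuing.pem 2>/dev/null

# Machine certificate as auto-enrolment would issue it (assumed host WS001.corp.example)
openssl genrsa -out machine.key 2048 2>/dev/null
openssl req -new -key machine.key -subj "/CN=WS001.corp.example" -out machine.csr 2>/dev/null
openssl x509 -req -in machine.csr -CA issuing.pem -CAkey issuing.key -CAcreateserial \
  -days 365 -sha256 -extfile machine.ext -out machine.pem 2>/dev/null

# --- 2. The export/convert step from the post ------------------------------------------
# A CA exported from Windows together with its private key is a PKCS#12 file. The gateway
# only needs the CA certificate: -nokeys drops the private key, which should never leave the CA.
openssl pkcs12 -export -in issuing.pem -inkey issuing.key -passout pass:export -out issuing.p12
openssl pkcs12 -in issuing.p12 -nokeys -passin pass:export -out issuing_ca_only.pem 2>/dev/null

# Three candidate "Trusted Client CAs" stores (constructed for the demo)
cp issuing_ca_only.pem store_issuing_only.pem                 # only the issuing CA, as in the post
cp root.pem store_root_only.pem                               # the root but no issuing CA
cat root.pem issuing_ca_only.pem > store_full_chain.pem       # every CA in the chain

# --- 3. Emulated gateway checks ---------------------------------------------------------
# Does the presented client certificate chain to the trusted store? Prints "accepted" or
# "rejected". This stands in for the gateway's check; it is not Pulse Secure's code.
gateway_check() { # $1 = trusted CA bundle, $2 = client certificate
  if openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

# What the "<certDN.CN>" user name template resolves to: the subject CN of the client cert.
cert_cn() { # $1 = client certificate
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

echo "issuing CA only : $(gateway_check store_issuing_only.pem machine.pem)"
echo "root only       : $(gateway_check store_root_only.pem machine.pem)"
echo "full chain      : $(gateway_check store_full_chain.pem machine.pem)"
echo "user name (CN)  : $(cert_cn machine.pem)"
```

Run it with `sh`: the first two stores reproduce the failure the thread describes (part of the chain is missing from the store), the third is the working configuration after the fix above. What the script cannot model is the other half of the answer, the connection set's machine-store option and the "Participate in Client Certificate Negotiation" checkbox, which the post says must be enabled for the imported CA.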
pfrey@lafim.de
Occasional Contributor

Re: problem with implementing machine auth via certificate

Thanks, that did it.

zanyterp
Moderator

Re: problem with implementing machine auth via certificate

You are welcome; glad it is working.