
"Failed to authenticate client certificate..." after upgrading to 7.1R2

elawford_
Occasional Contributor

"Failed to authenticate client certificate..." after upgrading to 7.1R2

Hi,

We've just upgraded an IVE from 7.1R1 to 7.1R2, but ever since, none of our iOS devices can do clientless ActiveSync with certificate authentication any more. We keep seeing an error message in the logs that we've never seen before:

Failed to authenticate client certificate, issuer='O=xxxx, OU=xxxx, CN=xxxxx'; subject='[email protected], CN=xxxxx, OU=xxxx, O=xxxxx', on the virtual port with IP address 'y.y.y.y' due to the following reason: Unknown certificate error, error code=24

We've tried re-importing the CA certificate, checking all of the trust settings, checking the clientless activesync config, SSL options etc but to no avail. This seems like a bug introduced in 7.1R2 as this setup has been working perfectly for the past few months on 7.1R1.

One error that we've noticed when re-importing the CA certificate that may have something to do with it:

"ERR23036 Invalid certificate purpose on \'O=xxxx OU=xxxx, CN=xxxxx\"

Has anyone else run across this problem with 7.1R2?

36 REPLIES
srigelsford_
Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

It sounds as though you might be missing an intermediate CA cert, just a thought though.

Sam.

Niol_
Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB2641

The enforcement of 'purpose check' before importing a certificate has been removed in IVE OS versions 4.2R1 and above. 

The 'purpose check' could have been reintroduced in 7.1R2?

zanyterp_
Respected Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

If you don't use the virtual port, does it work?

elawford_
Occasional Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

We've done some more testing and it looks like this isn't just affecting ActiveSync - cert auth in Junos Pulse for iOS isn't working either. It's definitely looking like a generic issue with this build verifying and authenticating our certificates.

I'd be interested to know if anyone else has run into this. One possibility is that the CA we're using isn't issuing certificates with the correct purpose flags set. There doesn't appear to be any documentation, configuration or log messages that make this clear, so I'm wondering if anyone else has successfully used certificate auth in 7.1R2? If so, which CA are you using and what purpose are your certificates provisioned for (IPSec, Client Authentication, Smart Card etc)?

zanyterp_
Respected Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

Using an internal CA I am able to have cert auth work without an issue in Pulse.

The purpose is "client authentication" on the certificate.

Are you seeing failure on all ports (internal, external, and virtual on either)?
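
The "client authentication" purpose mentioned above can be inspected with the openssl CLI. The script below is an added example, not part of any post in this thread: it builds a constructed throwaway CA and two leaf certificates (all names and paths are made up) and compares how each fares under a client-purpose check. It says nothing about how the IVE itself evaluates purpose.

```bash
# Constructed lab: a throwaway CA and two leaf certificates. Every name and
# path here is made up for the example; nothing comes from the thread.
LAB=$(mktemp -d)

make_ca() {
  cat > "$LAB/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Lab CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config "$LAB/ca.cnf" -newkey rsa:2048 -nodes -days 2 \
    -keyout "$LAB/ca.key" -out "$LAB/ca.crt" 2>/dev/null
}

# issue_leaf NAME EKU: sign a leaf whose extendedKeyUsage is exactly EKU.
issue_leaf() {
  printf 'extendedKeyUsage = %s\n' "$2" > "$LAB/$1.ext"
  openssl req -new -config "$LAB/ca.cnf" -subj "/CN=$1" -newkey rsa:2048 \
    -nodes -keyout "$LAB/$1.key" -out "$LAB/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/ca.crt" -CAkey "$LAB/ca.key" \
    -CAcreateserial -days 2 -extfile "$LAB/$1.ext" -out "$LAB/$1.crt" 2>/dev/null
}

# What OpenSSL concludes about the "SSL client" purpose of one certificate.
client_purpose() {
  openssl x509 -in "$1" -noout -purpose | sed -n 's/^SSL client : //p'
}

# Full chain validation with the client-authentication purpose enforced.
verify_client() {
  openssl verify -purpose sslclient -CAfile "$LAB/ca.crt" "$1" >/dev/null 2>&1
}

make_ca
issue_leaf client clientAuth
issue_leaf server-only serverAuth
for c in client server-only; do
  if verify_client "$LAB/$c.crt"; then r=accepted; else r=rejected; fi
  echo "$c: SSL client purpose=$(client_purpose "$LAB/$c.crt"), chain check $r"
done
```

Running `openssl x509 -noout -purpose` against a real CA or client certificate prints the same purpose table, including the "SSL client CA" line for the issuing certificate.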

Asema_
Occasional Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

We currently use 7.0R4_ with Self-signed certificate for client auth.

We tried to upgrade to 7.1R2.0 and out of nowhere it is not possible to log-in anymore.

We only get "WrongCert" error in the log. We re-imported the TrustedClient-CA and there is no error.

We rolled-back to 7.0R4 and instantly login worked again.

Then we tried 7.1R1.0 with same result. Roll-Back.

We tried 7.0R6.0 : Same result, roll back.

We tried 7.0R5.1 : Same result, roll back.

We checked all settings. Added new auth server and realms, compared all settings. Imported settings+certs from backup.

But nothing. We are really clueless here.

Maybe someone can solve the riddle?

zthiel_
Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

We upgraded to 7.1 R2 and now all of our client certs are broke, opening call with support.

zthiel_
Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

Support tier one = no idea, having me reboot my cluster. Did that, problem still exists. Ahh, the good old days when a "reboot" actually fixed a problem.

Asema_
Occasional Contributor

Re: "Failed to authenticate client certificate..." after upgrading to 7.1R2

Hopefully they can find the problem. Our clients are asking for Firefox 4 Support all the time now and we are unable to upgrade to 7.1R2 :-(