Certificate based authentication with fallback

Hello all,
I have a problem that I want to discuss with you experts.
I'm quite new to Cisco ASA and need a little help to enlighten me.
We have a Cisco ASA 5510 cluster (active-passive) whose only purpose is to work as an SSL VPN endpoint for our mobile devices (such as iPad, iPhone, various Android clients).
Until now we have used our LDAP username and password to open the VPN tunnel. This was okay because we had no certificate authority and no RADIUS server in our environment. But this changed one week ago.
We rolled out 802.1X and 802.11i (with EAP-TLS) with a Microsoft CA and a Microsoft NPS (RADIUS) server for our whole network.
Sadly we don't have our mobile device management set up and ready yet. So we are fighting with certificate enrollment on Android devices because they don't seem to support SCEP.
Due to this fact, I can't just switch from authentication with username/password to certificate based authentication.
So I would like to know if there is a way to support both. If certificate based authentication is not supported by the client (or fails), it asks for the LDAP username/password as a fallback.
Is this possible? If yes, what do I have to change in our config?
Kind Regards
René

Anyone have any ideas? If debugs are needed, I can post them here. I followed the instructions in the Enterprise Deployment guide related to the subjectAltName as well, and that didn't seem to help.
Has anyone run into this before?
Thanks!
Ian

Similar Messages

  • Certificate based authentication with sender SOAP adapter. Please help!

    Hi Experts,
       I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
    .Net --->SOAP -
    >XI -
    >RFC -
    R/3 System
    Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS  with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
    I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
    When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test  certificate based authentication?
    Am I missing any steps for certificate based authentication?
    Please help
    Thanks
    Gopal
    Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AM

    Hi!
    Although soapUI is a very good SOAP testing tool, you can't test certificate based authentication with it. There is no way (as far as I know) to import a certificate into soapUI.
    So try to find another tool which can use certificates, or try it directly with the sender system.
    Peter

  • X.509 certificate based authentication with load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    Hi George,
    If you want the client's cert, the server has to ask for it and this
    implies two-way SSL. In normal one-way SSL the server provides the cert to
    the client and the client decides if it wants to continue the handshake.
    If the client is OK with the server certs and two-way SSL is configured
    on the server, then the server will request the client send its certs.
    If the client certs are OK, then the pipe is established.
    Concerning the load balancer I'm assuming it is simply providing a
    tunnel, but I don't have the experience to comment and it is something I
    would suggest that you seek guidance from our outstanding
    support team [1] or drop a note in the security newsgroup [2] for the
    experts to review.
    Regards,
    Bruce
    [1]
    http://support.bea.com
    [email protected]
    [2]
    http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=xover&group=weblogic.developer.interest.security

  • Certificate based authentication with iOS Client

    Hello experts,
    I have a question regarding the certificate based authentication in SAP Mobile Documents. With the Android Client it is easily possible to use certificate based authentication by just sending the user certificate to the Android device (using mail, MDM or whatever).
    For the iOS App it is written that the user has to sync the certificate to the device using iTunes sync. Is this really the only possibility to bring the certificate to the iOS device so that the App can use it? I have successfully tested by adding the certificate using iTunes, but I cannot make it work using MDM to push the certificate to the device. SAP Mobile Documents just can't see the installed certificate.
    Am I doing something wrong here?
    Thanks for your help.
    Ernst

    Hi, I don't think this is supported on iOS right now. Something for future ....

  • DPS attempting certificate based authentication with Directory Servers

    I'm running DPS 6.3 and DS 6.3.
    I have DPS configured to always connect to the directory servers over SSL. This is working, however, all of the Directory Server error logs are showing certificate based bind attempts originating from the DPS. This results in err=32, since the certificate isn't stored in the LDAP server. Anyone else seeing this type of behavior?
    I checked the DPS Security config, and under the "Certificate to use with Data Sources" I have it set to 'None'.
    Thanks.

    Hello,
    Certificate-based authentication cannot be proxied (it was designed to prevent man-in-the-middle attacks).
    When the proxy receives a certificate-based bind (SASL EXTERNAL authentication method), it first validates the client certificate (signature, validity, trust etc.), and maps the certificate identity (subject) onto an LDAP identity. This is done by doing some LDAP lookups against the directory server. Then that LDAP identity is used for subsequent LDAP requests to the directory servers. As the password is not available, the proxy must be configured to contact the directory server using the proxied authorization method or using fixed credentials (used in conjunction with ACIs set on the proxy).
    DPS 6.3 never uses the SASL/EXTERNAL (certificate-based) authentication method when it contacts directory servers.
    When SSL is used between the proxy and the server, the proxy may present its own certificate to the directory server (controlled by the DPS security property you mentioned). It is possible to check if DPS presents its own certificate when it establishes an SSL channel to the directory server by using the ssltap tool [http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html]. If a certificate is passed, the No-Such-Object error you see might be generated during certificate validation by the directory server.
    Hope this helps
    -Sylvain

  • Certificate based authentication with SSL load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    I think the simplest and most secure way is to have the servers configured for
    2-way ssl, since this would ensure that the certificate they receive and use for
    authentication has been validated during the ssl handshake. In this case the load
    balancer itself does not need to and cannot do the handshaking, and would need
    to pass the entire SSL connection through to the WLS server (ie: act similar to
    a router)
    Pavel.

  • Certificate based authentication with Cisco WLC and Juniper IC

    Hi
    I have a Cisco WLC 4400 and a Juniper IC which works as the external RADIUS server.
    I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
    My question is: can the Cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate?
    I have also looked at this article:
    http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
    What I don't understand here is the need for the WLC to authenticate the user with his credentials by LDAP when it has authenticated the user cert.
    All your help is appreciated.

    Hi,
    Since you use an external RADIUS server you don't have to worry about this.
    The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
    The doc you refer is only for Local Radius on WLC.
    Hope this helps
    Regards,
    Christos

  • Certificate based authentication with Anyconnect

    Dears,
    I successfully configured the ASA to be used as a VPN gateway with AnyConnect using certificates for authentication; my issue may not be related to Cisco directly.
    I am using a CA server installed on Windows 2008 R2; when I checked the issued certificates I found that all certificates' requester name is "CAadmin".
    I need to differentiate between users' certificates using their domain users as the requester name.
    Thanks,
    Ibrahim

    John,
    Reference the RFC for TLS (in this case 1.0):
    http://www.ietf.org/rfc/rfc2246.txt
    The server sends certificate_list and certificate_request, containing certificate_authorities, which is the key info here.
    When the client responds it can send a certificate:
    > Client certificates are sent
    > using the Certificate structure defined in Section 7.4.2.
    That is the same section describing the server certificate.
    The server sends its certificate, certificate_list and the list of acceptable signers of certificates it will accept (certificate_authorities); the client responds with a (one) corresponding cert and certificate_list.
    If the server has the client's signer certificate I do not believe it needs the whole chain sent.
    The client still needs to send a certificate list but can omit the signing root.
    About CRLs: you authenticate root and subCA, i.e. implicitly trust them.
    AFAIR you only perform a revocation check on certs you do not implicitly trust.
    (My PKI is a bit rusty, feel free to challenge)
    HTH,
    M.
    Message was edited by: Marcin Latosiewicz, re-read parts of RFC and adapted my answer.
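    The exchange Marcin describes, as an added example that is not part of any post in this thread and not Cisco or AnyConnect code: a small encoder and parser for the TLS 1.0 CertificateRequest body from RFC 2246 section 7.4.4 (certificate_types followed by the certificate_authorities list of DER DistinguishedNames), plus the client-side selection rule from section 7.4.6, where the client offers a certificate only if its issuer matches one of the advertised authorities and otherwise sends an empty certificate list. The CA names and the client certificate records are constructed sample data; the DER Name encoder handles only PrintableString attributes, which is enough for the names used here. The empty-list outcome is the point at which a gateway that wants a password fallback (the question that opened this page) has to step in.

```python
"""Encode/parse a TLS 1.0 CertificateRequest (RFC 2246 7.4.4) and pick a
client certificate by issuer (RFC 2246 7.4.6). Standard library only."""
import struct

# RFC 2246 ClientCertificateType values
RSA_SIGN = 1
DSS_SIGN = 2

# Attribute OIDs for a minimal X.501 Name (C, O, CN only)
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}


def _der(tag, body):
    """Wrap body in a DER TLV (short or long definite length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf, pos):
    """Return (tag, content, position after the TLV)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def encode_dn(attrs):
    """attrs: list of (type, value), e.g. [("C", "US"), ("CN", "Acme CA")].
    Emits SEQUENCE { SET { SEQUENCE { OID, PrintableString } } ... }."""
    rdns = b""
    for t, v in attrs:
        atv = _der(0x30, _der(0x06, OIDS[t]) + _der(0x13, v.encode("ascii")))
        rdns += _der(0x31, atv)  # one-attribute RDN
    return _der(0x30, rdns)


def decode_dn(der):
    """Render a DER Name built by encode_dn as 'C=US, O=Acme, CN=Acme CA'."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)  # SET
        _, atv, _ = _read_tlv(rdn, 0)       # SEQUENCE
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('ascii')}")
    return ", ".join(parts)


def encode_certificate_request(cert_types, ca_dns):
    """certificate_types<1..2^8-1>, then certificate_authorities<3..2^16-1>
    where each DistinguishedName is opaque<1..2^16-1>."""
    types = bytes(cert_types)
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    return struct.pack("!B", len(types)) + types + struct.pack("!H", len(cas)) + cas


def parse_certificate_request(body):
    """Return (list of certificate types, list of DER CA names)."""
    n = body[0]
    types, pos = list(body[1:1 + n]), 1 + n
    total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + total
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    cas = []
    while pos < end:
        ln = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        cas.append(body[pos:pos + ln])
        pos += ln
    return types, cas


def choose_client_cert(client_certs, request_body):
    """client_certs: list of dicts {name, issuer_dn (DER bytes), type}.
    Returns the name of the first certificate the server would accept, or
    None, meaning the client sends a Certificate message with no certificates."""
    types, cas = parse_certificate_request(request_body)
    for c in client_certs:
        if c["type"] in types and c["issuer_dn"] in cas:
            return c["name"]
    return None


if __name__ == "__main__":
    # Constructed sample: the gateway advertises only the corporate issuing CA.
    corp_ca = encode_dn([("C", "US"), ("O", "Acme"), ("CN", "Acme Issuing CA")])
    public_ca = encode_dn([("C", "US"), ("O", "Example Trust"), ("CN", "Example Root")])
    req = encode_certificate_request([RSA_SIGN, DSS_SIGN], [corp_ca])
    print([decode_dn(d) for d in parse_certificate_request(req)[1]])
    certs = [{"name": "public-cert", "issuer_dn": public_ca, "type": RSA_SIGN},
             {"name": "corp-cert", "issuer_dn": corp_ca, "type": RSA_SIGN}]
    print(choose_client_cert(certs, req), choose_client_cert(certs[:1], req))
```

    The server matches on the exact DER bytes of the issuer name, which is why a CA name re-encoded with a different string type (UTF8String versus PrintableString) can silently cause a client to offer nothing even though the "same" CA is configured on both ends.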

  • Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

    I would love some help with this issue. I have configured my SharePoint Foundation 2010 site to use Claims Based Auth with the Certificate authentication method with ADFS 2.0. I have a test account set up with lab.acme.com to use the ACS.
    When I log into my site using Windows Auth, everything is great. However when I log in and select my ACS token issuer, I get sent to the logon page of the ADFS after selecting the ADFS method. My browser prompts me for which certificate identity I want to use to log in, and after 3-5 seconds returns me to the logon page with the error message "Authentication failed".
    I based my setup on the TechNet article
    http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
    I validated that all my certificates are valid and able to retrieve the CRL.
    I got in eventlog id 300
    The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
    Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
    Additional Data
    Exception details:
    Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
    ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
    correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
    serializationContext, AsyncCallback asyncCallback, Object asyncState)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
    trustNamespace, AsyncCallback callback, Object state)
    System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
    failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
    at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
    at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
    at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
    at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
    thx
    Stef71

    This was exactly my case: I was not adding the root properly. You must add both the CA certificate and the ADFS signing certificate, i.e. twice, as you can see below in my results.
    In my case it was:
    PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ad0001.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
    Certificate                 : [Subject]
                                    CN=domain.AD0001CA, DC=domain, DC=com
                                  [Issuer]
                                    CN=domain.AD0001CA, DC=portal, DC=com
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    22/07/2014 11:32:05
                                  [Not After]
                                    22/07/2024 11:42:00
                                  [Thumbprint]
                                    blablabla
    Name                        : domain.ad0001
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : domain.ad0001
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17164
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\cer\SP2K10\ADFS_Signing.cer")
    PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
    Certificate                 : [Subject]
                                    CN=ADFS Signing - adfs.domain
                                  [Issuer]
                                    CN=ADFS Signing - adfs.domain
                                  [Serial Number]
                                    blablabla
                                  [Not Before]
                                    23/07/2014 07:14:03
                                  [Not After]
                                    23/07/2015 07:14:03
                                  [Thumbprint]
                                    blablabla
    Name                        : Token Signing Cert
    TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
    DisplayName                 : Token Signing Cert
    Id                          : blablabla
    Status                      : Online
    Parent                      : SPTrustedRootAuthorityManager
    Version                     : 17184
    Properties                  : {}
    Farm                        : SPFarm Name=SharePoint_Config
    UpgradedPersistedProperties : {}
    PS C:\Users\administrator.PORTAL>

  • MfE with Certificate Based Authentication on E6

    Hello,
    I've been trying to setup MfE on my E6 but I can't find a way to configure it to use a personal certificate, I even tried using "Nokia Configuration Tool" but it tells me that my device does not support MfE with Certificate Based Authentication, I get "Invalid Credentials" when using a username & password.
    I get the same error on both Anna and Belle.
    Any help would be appreciated.
    Thanks

    Better give the MfE configuration in detail.
    Also please advise the if the server is a real Microsoft Exchange Server or a third-party mail service such as Gmail or Live.
    bbao

  • ActiveSync with Certificate-Based Authentication

    We are trying to setup ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
    What has been done so far:
    OWA over https works fine. A public, trusted certificate is in place.
    Setup ActiveSync against this Exchange server: works fine, using user name/password.
    Issued a user cert, signed with an internal CA, CA-cert successfully imported into all client devices.
    Created a new OWA-site with cert-based authentication (just to make sure it works), imported user certificate into a mac, visit this OWA site - cert-based authentication works fine.
    Now, with the configuration utility, created configuration profile with that user cert and an ActiveSync account, left password blank and chose the imported cert (p12) as authentication means.
    After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume iPhone is ignoring the cert and is trying to use password-authentication instead.
    The devices tested were iPhone 3G with IOS 4 and iPad 2 with IOS 5.
    Any help will be greatly appreciated.
    Roman.

    No-one with this experience?
    We've done some network analysis (as much as was possible to decrypt) and could see, that the server sends an SSL-Alert (rejection?) to the client after the client presents the certificate.
    That explains why the client falls back to password authentication, but it does not tell us why the server rejects the cert (which is accepted perfectly when accessed from a browser) in the first place.

  • L2TP based VPN with OpenS/WAN server, OpenSSL machine certificates

    I cannot seem to get OSX to accept the machine certificates for a VPN connection using Internet Connect.
    I have generated OpenSSL x509 certificates for the server and client side, the same process has generated certificates that work just dandy with WindowsXP. The certificates have "subjectAltName=" key/value pairs assigned to the IP address of the VPN server.
    Once generated I import the certificates into OS X (you have to run KeyChain Access with "sudo" from the console to get this to work). The certificate authority seems to be ok, the CA has been added to the x509Roots, and when I examine the machine certificate for my OS X install using KeyChain Access the certificate is marked valid.
    I generated the hash link for the certificate:
    ln -s /etc/racoon/certs/certname.pem /etc/racoon/certs/`openssl x509 -noout -hash -in certname.pem`.0
    From the console I run:
    openssl verify certname.pem
    It fails unless I specify -CApath /etc/racoon/certs, then it passes.
    When Internet Connect is setup to use the certificates I can see in the OpenS/WAN logs that the OS X box connects and negotiates IPSEC to MAIN_3. At this point pluto logs the following:
    ignoring informational payload, type INVALIDCERTAUTHORITY
    This repeats for several re-tries before the OS X side gives up. No useful logging is generated on the OS X side for me to debug, and everything from the OpenS/WAN side seems to be kosher, it appears to be an oakley/racoon issue with validating the machine certificate provided by OpenS/WAN to the OS X side, with the OS X side unable to verify the certificate.
    Has anyone solved this? Any ideas on how to improve the logging output from OS X so I can see what racoon/oakley is carping about in the certificate files it is using?

    I'm having the same problem. I've got a machine cert on my Mac OS 10.4.6 client that was issued by my Win2003 CA. When I try and connect, it just hangs and then dies. In the Security Logs on the 2003 L2TP server, I even see a successful IKE negotiation (MS Event ID 541 and 543 below).
    EventID 541:
    IKE security association established.
    Mode:
    Key Exchange Mode (Main Mode)
    Peer Identity:
    Certificate based Identity.
    Peer Subject C=US, S=City, L=State, O=Company, OU=group, CN=machine.subdomain.company.com, E=[email protected]
    Peer SHA Thumbprint peerthumbrint
    Peer Issuing Certificate Authority O=company.com, CN=Certificate Authority
    Root Certificate Authority O=company.com, CN=Certificate Authority
    My Subject CN=server.subdomain.company.com
    My SHA Thumbprint mythumbrint
    Peer IP Address: x.x.x.x
    Filter:
    Source IP Address x.x.x.x
    Source IP Address Mask 255.255.255.255
    Destination IP Address x.x.x.x
    Destination IP Address Mask 255.255.255.255
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr x.x.x.x
    IKE Peer Addr x.x.x.x
    IKE Source Port 500
    IKE Destination Port 500
    Peer Private Addr
    Parameters:
    ESP Algorithm Triple DES CBC
    HMAC Algorithm SHA
    Lifetime (sec) 3600
    MM delta time (sec) 1
    EventID 543:
    IKE security association ended.
    Mode: Key Exchange (Main mode)
    Filter:
    Source IP Address X.X.X.X
    Source IP Address Mask 255.255.255.255
    Destination IP Address X.X.X.X
    Destination IP Address Mask 255.255.255.255
    Protocol 0
    Source Port 0
    Destination Port 0
    IKE Local Addr X.X.X.X
    IKE Peer Addr X.X.X.X
    IKE Source Port 500
    IKE Destination Port 500
    Peer Private Addr
    At least give me some methods to debug with.

  • Exchange 2010 SP3 OWA with certificate based authentication

    Hi,
    I have a bizarre problem in my customer’s environment. Maybe someone has an idea.
    Exchange 2010 with SP3, latest cumulative Update installed.
    The problem I'm having is that when I enable certificate based authentication (the "require client certificate" option in IIS) on the OWA and ECP virtual directories in conjunction with forms based authentication (this is the requirement: the user must have a client certificate and type in username and password to log in to OWA), the result is that after the user selects the certificate he wants to use, he is logged into OWA automatically, but cannot use the website, because it is constantly being automatically refreshed (or redirected to itself or something like that). The behavior occurs with all users, with any browser. If client certificate is not required, forms based authentication works just fine. If I switch to "Basic Authentication" and enable the client certificate requirement, then OWA acts as it should, so no problems. The problem only occurs when the authentication type is forms based and client certificates are required.
    I have tried the exact same settings (as far as I can tell) on one other production server and one test server, and encountered no such problems.
    Anyone – any ideas?

    Hi McWax,
    According to your description and test, I understand that no accounts can log in to OWA when "require client certificate" is selected.
    Is there any error message when opening OWA or logging in? For example, the error "HTTP error: 403 - Forbidden". Please post the relevant error for further troubleshooting.
    I want to confirm which authentication methods are used for OWA: Integrated Windows authentication or Digest authentication? More details about it, for your reference:
    http://technet.microsoft.com/en-us/library/bb430796(v=exchg.141).aspx
    If you select another authentication method, please check whether the Client Certificate Mapping Authentication service is installed, and also enabled in IIS; please refer to:
    http://www.iis.net/configreference/system.webserver/security/authentication/clientcertificatemappingauthentication
    To rule out the firewall, please try to sign in to OWA on the CAS server. Besides, I found a FAQ about certificates:
    http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
    Best Regards,
    Allen Wang

  • Certificate Based Authentication - Questions and Authentication Modules

    Hi Everyone
    I'm trying to achieve a specific configuration using AM . I've installed the AM Server 7.1 on a AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
    The AM server is using a DS rep for configurations and dynamic profiles and using a AD rep for authentication.
    What I now need to achieve is authentication based on one of these two ways:
    - user and password authentication (which is working)
    - certificate based authentication (working on it)
    To configure the cert. auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled"; they don't say which (either the server or agent container, or both). Also I assume that "Client Authentication Enabled" is referring to the HTTP listener configuration of that container.
    When I enable it (the Client Authentication) on the HTTP listener for either container, the HTTPS connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." On IE, it prompts for a certificate to be sent to the container and when I provide none, it gives me the same error as Firefox. In both cases no page was presented.
    Basically what I need is for both authentication methods described before to work! So, asking for the certificate (especially if it wasn't the AM asking for it) without giving the user a chance to use a user/password combination isn't what is wanted.
    From what I gathered, "Client Authentication" makes this HTTP listener always need a certificate to be presented.
    So, my first question is: is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
    2- I'll probably need to code a custom module for this scenario I'm working on because of client requirements, but if possible I would like to use the provided module. Still, in case I need to make one, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
    3- Is there a tested how-to anywhere on how to configure cert. based authentication?
    All for now,
    Thank you all for your help
    Rp

    Hi Rp,
    We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes it is possible to use both methods at the same time, i.e. use certificate first and then fall back to LDAP.
    First you need to configure AM's web container to accept the certificate. From your message it is clear that you have done that. The only mistake you made is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication optional. It means that the Certificate will be transferred only when it is available, otherwise the Web Container will not ask for the Certificate. You will have to search the Glassfish website or ASEE 9.1 manual to learn how to make the Client-Authentication optional. You definitely need this authentication optional as the Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
    Secondly, in AM 7.1 you will have to set up Authentication chaining, where you can make the Certificate Module Sufficient and the LDAP module REQUIRED.
    Thirdly, if you are using a non-OCSP based certificate, then change the OCSP checking in AMConfig.properties to false.
    Fourth, you may have to write a small custom code to get the profile from your external sources (if you need to, then I can tell you how).
    HTH,
    Vivek
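The chain Vivek describes (Certificate module Sufficient, LDAP module Required) follows the JAAS control-flag rules that AM's authentication chaining is built on: a Sufficient module that succeeds ends the chain, and one that fails simply lets control fall through to the next module. The following Python model is an added example, not AM's own code, and generalises to all four control flags (REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL); the two modules, the trust list and the directory data are constructed stand-ins, and an absent `client_cert_subject` models what the service sees when client authentication is optional at the listener and the client presented nothing.

```python
# Added example (not AM's own code): a model of a JAAS-style authentication
# chain evaluated with the control flags AM uses. Names and data are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# JAAS control flags, as used by AM authentication chaining.
REQUIRED = "REQUIRED"      # must succeed; on failure the chain continues but the result is failure
REQUISITE = "REQUISITE"    # must succeed; on failure the chain stops immediately
SUFFICIENT = "SUFFICIENT"  # success ends the chain successfully (if no earlier REQUIRED/REQUISITE failed)
OPTIONAL = "OPTIONAL"      # never decides the outcome on its own


@dataclass
class Request:
    """What the authentication service sees for one login attempt."""
    # Set only when the web container received a client certificate. With
    # client authentication *optional* at the listener, a client that has no
    # certificate leaves this None instead of failing the TLS handshake.
    client_cert_subject: Optional[str] = None
    username: Optional[str] = None
    password: Optional[str] = None


# Constructed sample data standing in for the CA trust list and the LDAP store.
TRUSTED_CERT_SUBJECTS: Dict[str, str] = {"CN=alice,O=Example": "alice"}
LDAP_DIRECTORY: Dict[str, str] = {"alice": "alice-pass", "bob": "bob-pass"}

Module = Callable[[Request], Optional[str]]   # returns the principal or None


def cert_module(req: Request) -> Optional[str]:
    """Certificate module: map a trusted client cert subject to a principal."""
    if req.client_cert_subject is None:
        return None                       # nothing presented: let the chain fall through
    return TRUSTED_CERT_SUBJECTS.get(req.client_cert_subject)


def ldap_module(req: Request) -> Optional[str]:
    """LDAP module: plain username/password check (a bind in real deployments)."""
    if req.username is None or req.password is None:
        return None
    return req.username if LDAP_DIRECTORY.get(req.username) == req.password else None


def run_chain(chain: List[Tuple[str, str, Module]], req: Request):
    """Evaluate the chain with JAAS semantics. Returns (success, principal, trace)."""
    trace: List[Tuple[str, str, bool]] = []
    principal: Optional[str] = None
    required_failed = False
    any_success = False
    for name, flag, module in chain:
        result = module(req)
        ok = result is not None
        trace.append((name, flag, ok))
        if ok:
            any_success = True
            principal = principal or result
            if flag == SUFFICIENT:
                # Control returns immediately; the outcome depends only on
                # whether an earlier REQUIRED/REQUISITE module already failed.
                if required_failed:
                    return False, None, trace
                return True, principal, trace
        elif flag == REQUISITE:
            return False, None, trace
        elif flag == REQUIRED:
            required_failed = True
    if required_failed or not any_success:
        return False, None, trace
    return True, principal, trace


# The chain from the answer: Certificate SUFFICIENT, then LDAP REQUIRED.
CERT_THEN_LDAP = [("Cert", SUFFICIENT, cert_module), ("LDAP", REQUIRED, ldap_module)]


def authenticate(req: Request):
    return run_chain(CERT_THEN_LDAP, req)


if __name__ == "__main__":
    for req in (Request(client_cert_subject="CN=alice,O=Example"),   # cert only: LDAP never consulted
                Request(username="bob", password="bob-pass"),         # no cert: falls back to LDAP
                Request(username="bob", password="wrong"),            # no cert, bad password
                Request(client_cert_subject="CN=mallory,O=Other")):   # untrusted cert, no password
        print(req, "->", authenticate(req))
```

The trace returned alongside the result shows which modules were consulted: a trusted certificate ends the chain after the first module, so the user is never prompted for a password, while a request with no certificate falls through to the LDAP check.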

  • Certificate based authentication for Exchange ActiveSync in Windows 8.* Mail app

    I have a Surface Pro and want to set up access to my company's Exchange server that accepts only Exchange ActiveSync certificate-based authentication.
    I've installed server certificates to the trusted pool and my certificate as personal.
    Then I can connect through Internet Explorer, but this is not comfortable to use.
    I don't have a password because of the security policies of our company. When I'm setting up this account on my Android phone I'm using any digit for the password and it works perfectly.
    Can someone help to set up the Windows 8 metro-style Mail application? Does it support this type of auth? When I'm trying to add an account with type Outlook, entering server name, domain name, username, 1 as a password, then I get a message like "Can't connect. Check your settings."
    Are there any plans to implement this feature?

    For what it's worth we have CBA working with Windows 8.1 Pro. In our case we have a MobileIron Sentry server acting as an ActiveSync reverse-proxy, so it verifies the client cert then uses Kerberos Constrained Delegation back to the Exchange CAS, however it should work exactly the same to the Exchange server directly. I just used the CA to issue a User Certificate, exported the cert, private key and root CA cert, copied to the WinPro8.1 device and into the Personal Store. Configured the Mail app to point at the ActiveSync gateway, Mail asked if I would like to allow it to access the certificate (it chose it automatically) and mail synced down immediately...
    So it definitely works with Windows Pro 8.1.
