Certificate based wireless connection

Hi
I work for a government as a technician and we are in a Novell environment. We have a wireless network which is set up using Wi-Fi certificates on the laptops. It had been working fine with this setup until Windows 8 came out. Then some things didn't work properly, but it could still connect.
Now I have Windows 8.1 laptops that we just procured and the wireless certificate setup doesn't work at all. I can install the certificates and configure the wireless connection, but it just doesn't connect. I noticed that when I install the certificate I had two options, Local User and Local Computer. I played around with different options, but it didn't work.
Is there any specific way I need to set up the certificate-based connection, or has anyone been able to connect using certificates? We are in the process of upgrading our systems and this will be a big problem if it doesn't work.
Thanking you in advance.
Mthuthu (South Africa)
PS: We have the same problem with the Windows 8 phones.

Hi,
Firstly, please try to use the network troubleshooter to diagnose this problem.
Control Panel\All Control Panel Items\Troubleshooting
Secondly, if this problem is actually caused by a certificate problem, please refer to the link below to install a certificate for testing.
http://blogs.technet.com/b/sbs/archive/2007/04/10/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx
Roger Lu
TechNet Community Support

Similar Messages

  • Make certificate-based wireless unavailable at login?

    Error: "Unable to log in with a network account" appears because the wireless connection goes offline. WEP networks work okay, but our internal network uses wireless with EAP certificate-based authentication. Since the MacBook does not come with an Ethernet jack, I have no other option. How do I get it to connect to the wireless prior to login?

    Does this article help?
    http://support.apple.com/kb/ht4772

  • How can I ignore server certificate for wireless connection?

    I just got a Treo 800w and can't get it connected to my work wireless.  It uses PEAP MS-CHAPV2.  How can I get the device to ignore the server certificate?
    Thanks,
      Adam
    Post relates to: Treo 800w (Sprint)

    You can't. You would need to have your IT set up the wireless with the certificate on the device.
    Post relates to: Palm Z22

  • AX resets wireless connection to "require a certificate"

    I've established a connection but, apparently, the AirPort Utility resets my wireless network to require a certificate and can't "validate identity", something my Linksys wireless is not set up to do. Is there a Utility setting that does not require or force the certificate? The connection goes on and off, much more off than on, apparently looking for the certificate.

    kilometro, Welcome to the discussion area!
    There is nothing on Apple's base stations that causes such a prompt. What is the AirPort Express (AX) connected to?

  • iPad Wireless Connection

    Hi, I am using an iPad and trying to connect to the corporate wireless network. The corporate RADIUS server is configured for certificate-based authentication. I have installed the user cert on the iPad, but when trying to connect it says wrong credentials. I have checked the logs of the RADIUS server and it says that the wrong authentication method was used.
    The same user cert is working on laptops. The iPad is not added to any domain. I need to configure PEAP with certificate authentication on the iPad.
    Please suggest.

    Updating the firmware for better compatibility is advised.

  • Certificate based authentication for Exchange ActiveSync in Windows 8.* Mail app

    I have a Surface Pro and want to set up access to my company's Exchange server, which accepts only Exchange ActiveSync certificate-based authentication.
    I've installed the server certificates into the trusted pool and my certificate as personal.
    Then I can connect through Internet Explorer, but this is not comfortable to use.
    I don't have a password because of the security policies of our company. When I'm setting up this account on my Android phone I'm using any digit for the password and it works perfectly.
    Can someone help to set up the Windows 8 metro-style Mail application? Does it support this type of auth? When I'm trying to add an account with type Outlook, entering server name, domain name, username and 1 as the password, I get a message like "Can't connect. Check your settings."
    Are there any plans to implement this feature?

    For what it's worth, we have CBA working with Windows 8.1 Pro. In our case we have a MobileIron Sentry server acting as an ActiveSync reverse proxy, so it verifies the client cert and then uses Kerberos Constrained Delegation back to the Exchange CAS; however, it should work exactly the same against the Exchange server directly. I just used the CA to issue a User Certificate, exported the cert, private key and root CA cert, copied them to the WinPro8.1 device and into the Personal Store. Configured the Mail app to point at the ActiveSync gateway, Mail asked if I would like to allow it to access the certificate (it chose it automatically) and mail synced down immediately...
    So it definitely works with Windows Pro 8.1.

  • Unable to access wireless connection with Linksys router WRT54GS

    Hi,
    I just installed a wireless router, a Linksys WRT54GS, on my connection. The problem I have is being able to access it with the wireless on my laptop.
    I keep getting a message stating "connection unidentified" "access limited". I've done most of what is already suggested on your forum, such as turning the power off on my router, my modem and such, and still nothing. I'm able to access the wireless with my girlfriend's Mac notebook, my PlayStation 3 and my desktop computer which uses Windows X. First I thought that it may be a problem with my security, but even when the connection is unprotected I still get that error. I tried disabling IPv6 but that didn't do anything either.
    My laptop is a Toshiba Qosmio X300 PQX32C-033019 with Vista and my router is a Linksys WRT54GS vers. 6.
    Here's my connection log, sorry if it's in French:

    Try this -
    Open an Internet Explorer browser page on your wired computer (desktop). In the address bar type 192.168.1.1 and press Enter...
    Leave username blank & in password use admin in lower case...
    For Wireless Settings, please do the following:
    Click on the Wireless tab
    - Here select manual configuration... Wireless Network mode should be mixed...
    - Provide a unique name in the Wireless Network Name (SSID) box in order to differentiate your network from your neighbours' network...
    - Set the Radio Band to Standard-20MHz and change the Standard channel to 11-2.462GHz... Wireless SSID broadcast should be Enabled and then click on Save Settings...
    Please make a note of the Wireless Network Name (SSID) as this is the Network Identifier...
    For Wireless Security:
    Click on the Sub tab under Wireless > Wireless Security...
    Change the Wireless security mode to WEP, Encryption should be 64 bit. Leave the passphrase blank, don't type in anything...
    Under WEP Key 1 type in any 10 numbers please (numbers only and no letters, e.g. your 10 digit phone number) and click on save settings...
    Please make a note of WEP Key 1 as this is the Security Key for the Wireless Network...
    Click on Advanced Wireless Settings
    Change the Beacon Interval to 75 >> Change the Fragmentation Threshold to 2304, Change the RTS Threshold to 2304 >> Click on "Save Settings"...
    On your Vista Laptop, first disable the Wireless Network Connection and restart the Laptop, then Enable the Wireless Connection...
    Then Click on Start >> Control Panel >> Network and Sharing Center >> Manage Wireless Networks and click on Add, select Manually Create a Network Profile and click Next, enter your Network SSID/Network Name, select WEP for Security type and enter your 10 digit Network Key and click on Next, it should say "Successfully Connected to ____". Close all the windows and restart the Laptop, now see if you can connect to the Internet wirelessly...

  • Urgent! T420 with N6205 keeps dropping wireless connection and cannot recover

    Hello everyone, 
    I bought my T420 model with the N6205 network card last December; since then, the wireless connection has never functioned well. Here's the problem (it happens in my apartment):
    Every once in a while (normally within four to five days), my wireless connection drops automatically. It first appears as no connection and it'll try to reconnect, then it appears as successfully connected for 5 to 10 seconds (but definitely no internet access), and it'll drop the connection completely again, then automatically repeat: reconnect, drop, reconnect, drop... never stops. Though I can still use a cable to connect to my router to have internet access.
    This problem occurs with none of my smartphones, iPad, iPod touch, my old laptop or my roommates' wireless devices under the same wireless environment. They always have a solid wireless connection.
    Of course, regular approaches have been taken trying to solve the problem:
    1. manually disable wireless functionality on my T420, and enable it again
    failed
    2. reboot computer
    failed
    3.  go to power manager and turn PCI express off
    failed
    4. uncheck allow the wireless LAN radio to be turned off when inactive
    failed
    5.updated to the latest driver through lenovo
    failed
    6. restart router
    successful 
    So it may be that I've got a bad router? This is why I didn't post my problem in the first place, since I was hoping it may disappear with other routers. 
    I changed to a new router, the problem persists.
    There's no way I can restart the router every time my laptop loses connection; it'll affect the other users.
    Based on the description of my problem, I believe there's a great chance there's something wrong with my T420 rather than with my router.
    Is there anybody who can help me with this?
    Can lenovo staff see this post?
    Any suggestion about who I should turn to?
    Thanks a lot.
    T420,
    i7 2640M, N6205
    Windows 7 professional, 64 bit

    What security mode are you using?
    WPA or WPA2? You could change the router to WPA only and see if that helps. I have seen some portable devices that don't negotiate the protocol properly, but never a notebook. If you have Bluetooth, turn it off. It seems to affect my 1x1.
    I have the 1x1 card and it's pretty bad, connecting at 24 to 48 Mbps only with a good signal. I don't know why Realtek is used in a business class notebook. Maybe some others can add what they have and is working 100%.
    T520 Model 4239 Intel(R) Core(TM) i7-2860QM CPU @ 2.50GHz
    Intel Sandy Bridge & Nvidia NVS 4200M graphics Intel N 6300 Wi-Fi adapter
    Windows 7 Home Prem - 64bit w/8GB DDR3

  • Multiple Wireless Connections?

    We recently moved into a friend's house (temporarily, thank goodness!) and they already have a Windows-based wireless network in place. Their wireless router is some sort of Cisco/LinkSys device. Our two iMacs and my MacBook Air connect to the Internet via their network just fine.
    Prior to moving in with them, I had my own wireless network in our home, using an Airport Extreme with a USB-2 connected 1TB hard drive for Time Machine. I was able to back up all three of our Macs to that hard drive, plus get to the Internet, and life was good.
    I can connect to their network for Internet access, but not to my Airport Extreme at the same time. When I tell one of my Macs to connect to my Airport Extreme, it tosses out the other network, making it impossible to stay connected to the Internet while doing Time Machine backups. When I then tell the Mac to connect to our friend's network for Internet access, it tosses out my Airport Extreme connection, making the scheduled Time Machine backups fail.
    Is there any way to have OS X connect to two wireless networks at the same time?

    Hi Martin - thanks for the quick reply!
    I had a feeling that the answer was gonna be "no", but thought I'd ask anyway. Additional wireless cards/adapters in the iMac can't happen so I'll have to go the other route.
    Their LinkSys unit has several Ethernet ports on the back and I probably could connect the Airport Extreme to it. I had been using a LinkSys DSL modem and getting my IP address via DHCP from it, so it "should" be fairly transparent to the Airport Extreme. Where I'll run into issues with this connection scheme is with electrical power. I took a look at their setup and they have three 117VAC plug strips hooked together, into a wall outlet - ughhhh!!!
    Guess I'll have to weigh the benefits of routine backups against having yet another pair of devices hooked into their rat's nest of cables & plug strips.
    Thanks for the info - wish me luck!

  • Has anybody solved the slow wireless connection speeds of the new iMacs

    I have just purchased the new iMac... and was made aware of the disastrous connection speeds using wireless. Does anybody know if Apple has come up with a solution... or are they just not dealing with the problem?

    I am a brand new Mac user with a new 24 inch iMac purchase. Macs are supposed to be hassle free right? Right. No question I was about ready to throw it out the window because the wireless connection to the expensive AP base station was, oh, 100x slower than my Dell laptop side by side about 1 foot away. Nothing changed even if I connected directly to the AP using an ethernet cable. My connection consists of an Actiontec DSL gateway connected directly to my AP extreme that allows wireless to my PC laptop as well as my new iMac. Hours and hours go by until I find this help link on Mac Orchard Forums:
    "Re: My New Intel Based iMac is SLOW
    « Reply #7 on: May 18th, 2007, 4:57am »
    WOW!! Everyone else with this problem read this! I was having these same huge speed problems using the internet with my new 24" dual core Intel iMac with 2 gigs of RAM and found a posting on another site's thread that fixed it completely.
    "Try setting your DNS servers to OpenDNS (208.67.222.222 and 208.67.220.220) and see if that helps at all. Maybe the ISP's changes increased the load on their DNS servers."
    My guess is that somehow these DNS servers work the way Tiger likes them to while others don't; I have no clue other than to say it works!!
    Here's a site I found that helped me understand how to change the settings:
    http://portforward.com/networking/static-Mac10.4.htm"
    With the new Leopard installed I went to the "portforward" link first and followed the instructions exactly to set a static IP address, then I reset my DNS servers with the exact numbers you see above - IT WORKED IMMEDIATELY!!!!! I didn't have to call my ISP or anything, it just worked exactly as it should with both Safari and Firefox. Now this Mac is flying and I will not be tossing it back to Jobs.
    Good Luck!

  • Certificate based authentication

    I have a client application that requires certificate based authentication.
    I could not find any instructions on how to set this up in the 11g manuals. So I reverted to the 5.2 manual (http://docs.oracle.com/cd/E19850-01/816-6698-10/ssl.html#18500), and followed some instructions found online.
    I have completed the setup, and the client is able to authenticate using his certificate, and I have verified this in the logs.
    [22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuing,DC=corp,DC=company,DC=lan
    [22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
    [22/Mar/2012:13:13:33 -0500] conn=34347 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
    When adding the usercertificate attribute to the ID I used the following LDIF:
    version: 1
    dn: uid=userid,ou=employees,o=company
    changetype: modify
    replace: userCertificate
    usercertificate: < file:///home/user/Certs/usercert.bin
    the file was a binary encoded certificate file.
    Here is the part that I don't understand: when I do a search (or LDIF export) of the user object with the certificate, it just returns a short base64-encoded string. When I decode this string, it is just the literal string "< file:///home/user/Certs/usercert.bin".
    So it appears that the certificate has not been stored on the user object in binary, and yet the certificate authentication still works. The file mentioned does not exist on the LDAP server (the cert was loaded from another server), so there is no way that it is reading the cert from the file.
    Anyone have any idea what is going on here? And why certificate auth works, when there appears to be no cert stored in LDAP?
    If by chance this is how it is all supposed to work, then how do I go about backing up the usercertificate attribute when I do my LDAP data backups?
    Thanks
    Brian

    Cyril,
    Thanks for the reply.
    I believe I am doing both types of certificate authentication, you are describing. My issue is that when I perform the steps to store the PEM formatted cert into the directory server, rather than storing a binary value of the cert, it appears to be storing the path to the file I attempted to import. The odd part is that I can still authenticate even after this is done.
    I tried to post as much info as I could before without posting any sensitive data, I'll try and expand on that below.
    Here is my documentation of the steps taken to configure the server and setup a user, for what I believe to be certificate based authentication, where the user is authenticated solely on the certificate that they provide (no password is sent).
    1. Server must be running SSL, all connections for Certificate Auth are done over SSL (just a note)
    2. From the DSCC
    ----a. Directory Servers Tab -> Servers Tab -> Click Server Name
    ----b. Security Tab -> General Tab
    ----c. In "Client Authentication" section, select:
    --------i. LDAP Settings: "Allow Certificate-Based Client Authentication"
    --------ii. This should be the default setting.
    3. On the directory server setup the /ldap/dsInst/alias/certmap.conf file:
    ----a. certmap default default
    ----default:DNComps
    ----default:FilterComps uid,cn
    4. restart the directory server
    5. Do the following to setup the user who will be connecting. On their unix account (or similar)
    ----a. Create a directory to hold the certDB
    --------i. mkdir certdb
    ----b. Create a CertDB
    --------i. /ldap/dsee7/bin/certutil -N -d certdb
    ------------1) Enter a password when prompted
    ----c. Import the CA cert
    --------i. /ldap/dsee7/bin/certutil -A -n "OurRootCA" -t "C,," -a -I ~/OurRootCA.cer -d certdb
    ----d. Create a cert request
    --------i. /ldap/dsee7/bin/certutil -R -s "cn=userid,ou=company,l=city,st=state,c=US" -a -g 2048 -d certdb
    ----e. Send the cert request to the PKI Team to generate a user cert
    ----f. Take the text of the generated cert & save it to a file
    ----g. Import the new cert into your certdb
    --------i. /ldap/dsee7/bin/certutil -A -n "certname" -t "u,," -a -i certfile.cer -d certdb
    ----h. Create a binary version of cert
    --------i. /ldap/dsee7/bin/certutil -L -n "certname" -d certdb -r > userid.bin
    ----i. Add the binary cert to the user's LDAP entry (version: 1 must be included - I read this in a doc somewhere, but it doesn't seem to matter)
    --------i. ldapmodify
    ------------1) ldapmodify -h host -D "cn=directory manager" -w password -ac
    ------------2)
    ------------version: 1
    ------------dn: uid=userid,ou=employees,o=company
    ------------sn: Service Account
    ------------givenName: userid
    ------------uid: userid
    ------------description: Service Account for LDAP
    ------------objectClass: top
    ------------objectClass: person
    ------------objectClass: organizationalPerson
    ------------objectClass: inetorgperson
    ------------cn: Service Account
    ------------userpassword: password
    ------------usercertificate: < file:///home/userid/Certs/userid.bin
    ------------nsLookThroughLimit: -1
    ------------nsSizeLimit: -1
    ------------nsTimeLimit: 180
    After doing this setup I am able to perform a search using the certificate:
    ldapsearch -h host -p 1636 -b "o=company" -N "certname" -Z -W CERTDBPASSWORD -P certdb/cert8.db "(uid=anotherID)"
    This search is successful, and I can see it logged as having been a certificate-based authentication:
    [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from x.x.x.x:53574 to x.x.x.x
    [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuer,DC=corp,DC=company,DC=lan
    [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
    [23/Mar/2012:13:25:20 -0500] conn=44605 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
    If I understand correctly, that would be using part 2 of your explanation, using the binary-encoded PEM to authenticate the user. If I am not understanding that correctly, please let me know.
    Now the part that I am really not getting is that the usercertificate that is stored on the ID is as below:
    dn: uid=userid,ou=employees,o=company
    usercertificate;binary:: PCBmaWxlOi8vL2hvbWUvdXNlcmlkL0NlcnRzL3VzZXJpZC5iaW4
    which decodes as: < file:///home/userid/Certs/userid.bin
    So I'm still unclear as to what is going on here, or what I've done wrong. Have I set this up incorrectly such that Part 2 as you described it is not what I have set up above? Or am I misunderstanding part 2 entirely?
    Thanks
    Brian
    Edited by: BrianS on Mar 23, 2012 12:14 PM
    Just adding ---- to keep my instruction steps indented.
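    The behaviour Brian describes follows from RFC 2849: an LDIF value is written as `attr: value`, `attr:: base64` or `attr:< url`, and `usercertificate: < file:///...` (with a space between the colon and `<`) is the first form, so the server stored the literal path string, which is exactly what the posted base64 decodes to; the bind still succeeded because DSEE's certmap.conf maps the certificate subject to an entry and only compares the presented certificate against the stored userCertificate when `verifycert on` is set (a certmap directive not shown in the thread). The Python below is an added example, not code from the thread: it parses the three value forms, decodes the posted value, and runs the DER shape check a backup or export job can apply to every userCertificate value; the temporary file and `FAKE_DER` are constructed stand-ins.

```python
"""LDIF value forms (RFC 2849) and a DER shape check for userCertificate.

Added example, not code from the thread. Inputs marked CONSTRUCTED are
stand-ins made up for the demonstration.
"""
import base64
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse
from urllib.request import url2pathname

# attribute description, then exactly one value form:
#   "attr: value"   literal (SAFE-STRING)
#   "attr:: b64"    base64-encoded value
#   "attr:< url"    value fetched from a URL (no space between ':' and '<')
_ATTRVAL = re.compile(r"^([A-Za-z][\w.;-]*)(::|:<|:)[ ]*(.*)$")


def parse_ldif_attrval(line: str) -> Tuple[str, bytes]:
    """Return (attribute description, value bytes) for one LDIF attrval line."""
    m = _ATTRVAL.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an LDIF attrval-spec: {line!r}")
    attr, form, rest = m.groups()
    if form == "::":
        # Base64 form; LDIF writers may omit '=' padding, so restore it.
        return attr, base64.b64decode(rest + "=" * (-len(rest) % 4))
    if form == ":<":
        # URL form; only file: URLs are handled here.
        url = urlparse(rest)
        if url.scheme != "file":
            raise ValueError(f"unsupported LDIF URL scheme: {url.scheme!r}")
        return attr, Path(url2pathname(url.path)).read_bytes()
    # Literal form: everything after ': ' is the value, a leading '<' included.
    # Strict RFC 2849 forbids '<' as the first SAFE-STRING character, but the
    # server in the thread accepted and stored it, which is what this mirrors.
    return attr, rest.encode("utf-8")


def der_outer_length(value: bytes) -> Optional[int]:
    """Total length of the outer DER SEQUENCE TLV, or None if it is not one."""
    if len(value) < 2 or value[0] != 0x30:      # X.509 Certificate ::= SEQUENCE
        return None
    first = value[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long form: n length octets follow
    if n == 0 or n > 4 or len(value) < 2 + n:
        return None
    return 2 + n + int.from_bytes(value[2:2 + n], "big")


def is_der_certificate_shaped(value: bytes) -> bool:
    """True when the value is a single DER SEQUENCE spanning exactly its bytes.

    This is the cheap sanity check a backup or export job can run on every
    userCertificate value: a stored path string fails it, a real cert passes.
    """
    return der_outer_length(value) == len(value)


# CONSTRUCTED from the thread: the LDIF line as posted, and the base64 value
# the directory returned for it afterwards.
POSTED_LINE = "usercertificate: < file:///home/userid/Certs/userid.bin"
POSTED_B64 = "PCBmaWxlOi8vL2hvbWUvdXNlcmlkL0NlcnRzL3VzZXJpZC5iaW4"
# CONSTRUCTED stand-in for a DER certificate body: SEQUENCE { INTEGER 1 }.
FAKE_DER = bytes.fromhex("3003020101")


def demo() -> Dict[str, object]:
    """Parse the three forms and report what each one would have stored."""
    out: Dict[str, object] = {}
    _, literal = parse_ldif_attrval(POSTED_LINE)
    out["plain_literal"] = literal                       # the path string itself
    out["plain_is_der"] = is_der_certificate_shaped(literal)
    _, decoded = parse_ldif_attrval("usercertificate;binary:: " + POSTED_B64)
    out["b64_decoded"] = decoded                         # same string, round-tripped
    with tempfile.TemporaryDirectory() as tmp:
        cert_path = Path(tmp, "userid.bin")
        cert_path.write_bytes(FAKE_DER)
        # The form the poster intended: ':<' with no space reads the file.
        _, from_file = parse_ldif_attrval("usercertificate:< " + cert_path.as_uri())
        out["url_bytes"] = from_file
        out["url_is_der"] = is_der_certificate_shaped(from_file)
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val!r}")
```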

  • Certificate based authentication with SSL load balancer

    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?

    I think the simplest and most secure way is to have the servers configured for
    2-way ssl, since this would ensure that the certificate they receive and use for
    authentication has been validated during the ssl handshake. In this case the load
    balancer itself does not need to and cannot do the handshaking, and would need
    to pass the entire SSL connection through to the WLS server (ie: act similar to
    a router)
    Pavel.
    "George Coller" <[email protected]> wrote:
    >
    I've been asked to implement certificate-based authentication (CBA)
    on a weblogic cluster serving up web services. I've read through
    Chapter 10 (security) and understand the "Identity Assertion" concept.
    Environment:
    Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
    uses sticky-sessions.
    Question:
    If the load balancer is used to handle SSL, do I still need to turn
    on SSL on the weblogic cluster in order to use CBA? Is there another
    way to request the client's certificate?
    If the above is yes, what is the minimal level of SSL? Does it have
    to be two-way?
    If SSL has to be turned on is there any reason to use the load
    balancer's SSL? Is there still a performance benefit?
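    The reply above recommends passing the TLS connection through so the server itself validates the client certificate during the handshake. The other common arrangement, a balancer that terminates TLS and forwards the verification result and subject DN to the backend in headers, only works if the backend trusts those headers solely from the balancer; otherwise any client that reaches the server directly can assert an identity by setting the headers itself. The code below is an added example (not WebLogic code and not from the thread) of that check in a WSGI-style handler. The header names, the proxy addresses and the request dictionaries are assumptions made for the example.

```python
from urllib.parse import unquote

# Assumed addresses of the TLS-terminating balancers; requests from anywhere else
# must not be allowed to carry an asserted identity.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}

# Assumed header names, as WSGI environ keys: the balancer's verification result
# and the client certificate's subject DN. Real balancers use their own names.
VERIFY_HEADER = "HTTP_X_SSL_CLIENT_VERIFY"
SUBJECT_HEADER = "HTTP_X_SSL_CLIENT_S_DN"


class IdentityAssertionError(Exception):
    pass


def parse_dn(dn):
    """Split an RFC 4514 string DN into (type, value) pairs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    pairs = []
    for rdn in parts:
        if "=" not in rdn:
            raise IdentityAssertionError(f"malformed RDN: {rdn!r}")
        t, v = rdn.split("=", 1)
        pairs.append((t.strip().upper(), v.strip()))
    return pairs


def assert_identity(environ):
    """
    Return the CN the balancer asserted for this request, or raise.

    The forwarded headers are only meaningful when the TCP peer is a balancer;
    the balancer, in turn, must strip these headers from incoming client requests
    before adding its own, or a client could smuggle them through.
    """
    if environ.get("REMOTE_ADDR") not in TRUSTED_PROXIES:
        raise IdentityAssertionError("certificate headers are only trusted from the load balancer")
    if environ.get(VERIFY_HEADER) != "SUCCESS":
        raise IdentityAssertionError("balancer did not report a verified client certificate")
    dn = unquote(environ.get(SUBJECT_HEADER, ""))
    cns = [v for t, v in parse_dn(dn) if t == "CN"]
    if len(cns) != 1:
        raise IdentityAssertionError("subject DN must carry exactly one CN")
    return cns[0]


def application(environ, start_response):
    """Minimal WSGI app: 403 unless the identity assertion holds."""
    try:
        user = assert_identity(environ)
    except IdentityAssertionError as exc:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {user}".encode()]
```

With pass-through TLS none of this is needed, because the server obtains the certificate from its own handshake; the header path trades that for the balancer's performance and the extra trust boundary shown here.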

  • Certificate Based Authentication - Questions and Authentication Modules

    Hi Everyone
    I'm trying to achieve a specific configuration using AM . I've installed the AM Server 7.1 on a AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
    The AM server is using a DS rep for configurations and dynamic profiles and using a AD rep for authentication.
    What I now need to achieve is authentication base on one of these two way :
    - user and password authentication (which is working)
    - Certificate based authentication ( working on it )
    To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled", they don't say which ( either the server or agent container or both ) . Also I assume that "Client Authentication Enabled" is referring to the Http Listener configuration of that container.
    When I enable it ( the Client Authentication ) on the http listener for either containers the https connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." . On IE, it prompts for a Certificate to be sent to the container and when I provide none, then it gives me the same error as Firefox. In both cases no page was presented.
    Basically what I need is for both authentication methods described before to work! So, asking for the certificate ( especially if it wasn't the AM asking for it ) without giving the user a chance to use a user/password combination isn't what is wanted.
    From what I gathered the "Client Authentication" makes this http listener need a certificate to be presented always .
    So, my first question is : is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
    2- I'll probably need to code a custom module for this scenario I'm working in because of client requirements, but if possible I would like to use the provided module. Still, in case I need to make one, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
    3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
    All for now,
    Thank you all for your help
    Rp

    Hi Rp,
    We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes it is possible to use both methods at the same time i.e. use the certificate first and then fall back to LDAP.
    First you need to configure AM's web container to accept the certificate. From your message it is clear that you have done that. The only mistake you made is "making the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication optional. It means that the Certificate will be transferred only when it is available; otherwise the Web Container will not ask for the Certificate. You will have to search the Glassfish website or the ASEE 9.1 manual to learn how to make the Client Authentication optional. You definitely need this authentication optional as the Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
    Secondly, In AM 7.1, you will have to Set up the Authentication chaining. Where you can make Certificate Module as Sufficient and LDAP module as REQUIRED.
    Thirdly, if you are using a non-OCSP based certificate then change the OCSP checking in AMConfig.properties to false.
    Fourth, You may have to write a small custom code to get the profile from your external sources. (if you need to then I can tell you how).
    HTH,
    Vivek
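    The chaining Vivek describes (Certificate as SUFFICIENT, LDAP as REQUIRED) follows the JAAS control-flag semantics that Access Manager's authentication chains use: a SUFFICIENT module that succeeds ends the chain with success, a SUFFICIENT module that fails is silently skipped, and a REQUIRED module must succeed for the chain to succeed at all. The model below is an added example, not Access Manager code: it evaluates a chain under those rules with two stand-in modules, so the effect of each flag can be seen on a request with a verified certificate, on one with only a password, and on a chain that wrongly marks the certificate module REQUIRED. The module behaviour and the user store are constructed for the example.

```python
from enum import Enum


class Flag(Enum):
    REQUIRED = "required"      # must succeed; chain continues either way
    REQUISITE = "requisite"    # must succeed; chain stops at once on failure
    SUFFICIENT = "sufficient"  # success ends the chain (if nothing REQUIRED failed); failure is skipped
    OPTIONAL = "optional"      # only matters when no REQUIRED/REQUISITE module exists


def run_chain(chain, context):
    """
    Evaluate [(module_name, Flag, login_fn)] with JAAS control-flag semantics.
    login_fn(context) returns a principal name on success or None on failure.
    Returns (principal_or_None, [names of the modules that were consulted]).
    """
    consulted, principal = [], None
    required_ok = True                      # no REQUIRED/REQUISITE module has failed
    for name, flag, login in chain:
        consulted.append(name)
        result = login(context)
        ok = result is not None
        if ok and principal is None:
            principal = result
        if flag is Flag.SUFFICIENT:
            if ok and required_ok:
                return principal, consulted  # success: later modules never run
            continue                         # failed SUFFICIENT is not fatal
        if flag in (Flag.REQUIRED, Flag.REQUISITE) and not ok:
            required_ok = False
            if flag is Flag.REQUISITE:
                return None, consulted
    if required_ok and principal is not None:
        return principal, consulted
    return None, consulted


def certificate_module(ctx):
    """Stand-in for the Certificate module: succeeds only if the container forwarded a verified cert."""
    cert = ctx.get("client_cert")
    if cert and cert.get("verified"):
        return cert["subject_cn"]
    return None


# Constructed user store for the stand-in LDAP module (never store passwords like this in practice).
USERS = {"rp": "s3cret"}


def ldap_module(ctx):
    """Stand-in for the LDAP module: simple username/password check against USERS."""
    u, p = ctx.get("username"), ctx.get("password")
    return u if u in USERS and USERS[u] == p else None


# The chain from the reply: certificate first, password as the fallback.
CHAIN_FALLBACK = [("Certificate", Flag.SUFFICIENT, certificate_module),
                  ("LDAP", Flag.REQUIRED, ldap_module)]

# Marking the certificate module REQUIRED removes the fallback: no cert, no login.
CHAIN_NO_FALLBACK = [("Certificate", Flag.REQUIRED, certificate_module),
                     ("LDAP", Flag.REQUIRED, ldap_module)]


if __name__ == "__main__":
    print(run_chain(CHAIN_FALLBACK, {"client_cert": {"verified": True, "subject_cn": "userid"}}))
    print(run_chain(CHAIN_FALLBACK, {"username": "rp", "password": "s3cret"}))
    print(run_chain(CHAIN_NO_FALLBACK, {"username": "rp", "password": "s3cret"}))
```

The first call succeeds without ever consulting LDAP, which is why the container must present the certificate as optional at the TLS layer: the module can only fall through to LDAP if the handshake was allowed to complete without one.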

  • Certificate Based Authentication and SSL

    To whom it may concern,
    I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
    Now, I need Certificate based authentication and SSL. I have downloaded a verisign.com trial certificate and have installed it successfully in the Messaging Server Console --> Manage Certificates. The certificate is also visible in its tab.
    Next, I followed the documentation and enabled SSL by using the ./configutil utility. And also restarted the server.
    I am running my Messenger express (http) like this :
    http://testing.xyz.com:8100
    (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
    https://testing.xyz.com:8100 also,
    http://testing.xyz.com:443 also,
    https://testing.xyz.com:443 also,
    but I cannot see the login page of the mail server. All the above-mentioned URLs I tried just give the error "the connection was refused when attempting to contact testing.xyz.com". I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
    And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
    Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
    Thanking you,
    Farhan Ahmed,
    System Engineer
    Dubai, UAE.

    Dear jay,
    I am pasting a line from the imap and http logs ... I don't know what this error means and how to resolve it.
    [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    The strange thing is that my certificate name is lowercase server-cert and I can also see in the GUI console the certificate name as lowercase, and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log reports it as "Server-Cert" !!!! though it is "server-cert"
    I got this line from the http log:
    [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
    I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
    Help me out with what these errors mean and how to resolve them. I have also copied the cert7.db and key3.db to the /opt/SUNWms*/config directory from /var/opt/mps/serverroot/alias
    Thanking you,
    Farhan Ahmed,
    System Engineer,
    Dubai Internet City, Dubai, UAE.

  • C4C to CRM integration using HCI Certificate-based Authentication - 403 Forbidden

    Hi Experts,
    In reference from the discussion in this link (Quick Guide on using Certificates for Integrating C4C and ECC using HCI), we need suggestions on why we're getting 403-Forbidden error, what steps did we miss for our communication from C4C to CRM using HCI. 
    We already imported the necessary certificates in the iFlows/SSL Server/Client PSEs signed by Entrust (which is one of the supported CAs and our communication from CRM to C4C certificate-based authentication configuration is working fine) for HCI. We also mapped the HCI client certificate to the CRM user that we created (CODINTEG). Service IDOC is also registered and activated (SICF and SRTIDOC).
    Below are the roles assigned to the user CODINTEG, and the mapping of HCI client certificate in SM30 and also the certificates imported in our SSL Server PSE. Just a note that we're not using SAP webdispatcher as a reverse proxy here for our C4C to CRM connection.
    Thanks in advance.
    Regards,
    Rajiv

    Hello Rajiv,
    for test purposes, and to eliminate error reasons caused by user authorization rights, you could first assign SAP_ALL to your communication user. If this works, you should reduce the rights again to a minimum...
    Go to SU01 and edit the user CODINTEG. Go to the Profiles tab and within the F4 help tab "Composite Profiles" search for SAP_ALL.
    Best regards,
    Berthold
