DPS attempting certificate based authentication with Directory Servers

I'm running DPS 6.3 and DS 6.3.
I have DPS configured to always connect to the directory servers over SSL. This is working, however, all of the Direectory server error logs are showing certificate based bind attempts originating from the DPS. This results in err=32, since the certificate isn't stored in the ldap server. Anyone else seeing this type of behavior?
I checked the DPS Security config, and under the "Certificate to use with Data Sources" I have it set to 'None'.
Thanks.

Hello,
Certificate-based authentication cannot be proxied (it was designed to prevent man-in-the-middle attacks).
When the proxy receives a certificate-based bind (SASL EXTERNAL authentication method), it first validates the client certificate (signature, validity,trust etc), and map the certificate identity (subject) onto a LDAP identity. This is done by doing some LDAP lookups against the directory server. Then, that LDAP identity is used for subsequent LDAP requests to the directory servers. As the password is not available, the proxy must be configured to contact the directory server using proxied authorization method or using fixed credentials (used in conjunction with acis set on the proxy)
DPS 6.3 never uses the SASL/EXTERNAL (certificate-based) authentication method when it contacts directory servers.
When SSL is used between the proxy and the server, the proxy may present its own certificate to the directory server (controlled by the DPS security property you mentioned). It is possible to check if DPS stashes its own certificate when it establish a SSL channel to the directory server by using the ssltap tool [http://www.mozilla.org/projects/security/pki/nss/tools/ssltap.html] . If a certificate is passed, the No-Such-Object error you see might be generated during certificate validation by the directory server.
Hope this helps
-Sylvain

Similar Messages

Certificate based authentication with sender SOAP adapter. Please help!

Hi Experts,
I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
.Net --->SOAP -
>XI -
>RFC -
R/3 System
Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test certificate based authentication?
Am I missing any steps for certificate based authentication?
Please help
Thanks
Gopal
Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AM

Hi!
Although soapUI is a very goot SOAP testing tool, you can't test certificate based authentication with it. There is no way (since I know) how to import certificat into soapUI.
So, try to find other tool, which can use certificates or tey it directly with the sender system.
Peter

Certificate based authentication with SSL load balancer

I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?

I think the simplest and most secure way is to have the servers configured for
2-way ssl, since this would ensure that the certificate they receive and use for
authentication has been validated during the ssl handshake. In this case the load
balancer itself does not need to and cannot do the handshaking, and would need
to pass the entire SSL connection through to the WLS server (ie: act similar to
a router)
Pavel.
"George Coller" <[email protected]> wrote:
>
I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?

X.509 certificate based authentication with load balancer

I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?

Hi George,
If you want the client's cert, the server has to ask for it and this
implies two-way SSL. Normal one-way SSL the server provides the cert to
the client and the client decides if it wants to continue the handshake.
If the client is OK with the server certs and two-way SSL is configured
on the server, then the server will request the client send it's certs.
If the client certs are OK, then the pipe is established.
Concerning the load balancer I'm assuming it is simply providing a
tunnel, but I don't have the experience to comment and it is something I
would suggest that you that you seek guidance from our outstanding
support team [1] or drop a note in the security newsgroup [2] for the
experts to review.
Regards,
Bruce
[1]
http://support.bea.com
[email protected]
[2]
http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=xover&group=weblogic.developer.interest.security
George Coller wrote:
>
I've been asked to implement certificate-based authentication (CBA)
on a weblogic cluster serving up web services. I've read through
Chapter 10 (security) and understand the "Identity Assertion" concept.
Environment:
Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
uses sticky-sessions.
Question:
If the load balancer is used to handle SSL, do I still need to turn
on SSL on the weblogic cluster in order to use CBA? Is there another
way to request the client's certificate?
If the above is yes, what is the minnimal level of SSL? Does it have
to be two-way?
If SSL has to be turned on is there any reason to use the load
balancer's SSL? Is there still a performance benefit?

Certificate based authentication with iOS Client

Hello experts,
I have a question regarding the certificate based authentication in SAP Mobile Documents. With the Android Client it is "easy" possible to use certificate based authentication by just sending the user certificate to the Android device (using mail, MDM or whatever).
For the iOS App it is written that the user has to sync the certificate to the device using iTunes sync. Is this really the only possibility to bring the certificate to the iOS device so that the App can use it? I have successfully tested by adding the certificate using iTunes, but I cannot make it working using MDM to push the certificate to the device. SAP Mobile Documents just cant see the installed certificate.
Am I doing something wrong here?
Thanks for your help.
Ernst

Hi, I don't think this is supported on iOS right now. Something for future ....

Certificate based authentication with Anyconnect

Dears,
i successfully configured ASA to be used as VPN gateway with anyconnect using certificate in authentication , my issue my be not realted to Cisco directly.
i am using CA server installed on Windows 2008 R2 , when i checked the issued certicate i found that all certicates requester name is "CAadmin" .
i need to differeniate between users certificate using thier domain users as requester name.
Thanks,
Ibrahim

John,
Reference the RFC for TLS (in this case 1.0)
http://www.ietf.org/rfc/rfc2246.txt
Server send certificate_list and certificate request, containing certificate_authorities, which is the key info here.
when client responds it can send a certificate
Client certificates are sent
using the Certificate structure defined in Section 7.4.2.
same section describing server certificate.
Server sends its certificate, certificate_list and list of acceptable signers of certificates it will accept (certificate_authorities), client responds with a (one) corresponding cert and certificate_list.
If server has client's signer certificate I do not believe it needed a whole chain sent.
Client still needs to send certificate list but can ommit signing root.
About CRL, you authenticate root and subCA, i.e. implicitly trust.
AFAIR you only perform revocation check of certs you do not implicitly trust.
(My PKI is a bit rusty, feel free to challange)
HTH,
M.
Message was edited by: Marcin Latosiewicz, re-read parts of RFC and adapted my answer.

Certificate based authentication with Cisco WLC and Juniper IC

Hi
I have a cisco WLC 4400 and Juniper IC which works as the external Radius server.
I want the wireless clients to be authenticated using certificates. I know the Juniper IC can understand certificates.
My question is can cisco WLC understand that the information being presented to it by the client is not username/pwd but a user certificate.
i have also looked at this article :
http://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/100590-ldap-eapfast-config.html
What i don't understand here is the need of WLC authenticating the user with his credentials by LDAP when it has authenticated the user cert.
All your help is appreciated.

Hi,
Since you use an external radius server you don't have to worry for this.
The only config that you need to do on WLC is to define the radius server under Security-AAA-Radius-Authentication and on your WLAN-Security-AAA.
The doc you refer is only for Local Radius on WLC.
Hope this helps
Regards,
Christos

MfE with Certificate Based Authentication on E6

Hello,
I've been trying to setup MfE on my E6 but I can't find a way to configure it to use a personal certificate, I even tried using "Nokia Configuration Tool" but it tells me that my device does not support MfE with Certificate Based Authentication, I get "Invalid Credentials" when using a username & password.
I get the same error on both Anna and Belle.
Any help would be appreciated.
Thanks

Better give the MfE configuration in detail.
Also please advise the if the server is a real Microsoft Exchange Server or a third-party mail service such as Gmail or Live.
bbao
* If this post helped you, please click the white Kudo star.
* If this post has solved your issue, please click Accept as Solution.

ActiveSync with Certificate-Based Authentication

We are trying to setup ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
What has been done so far:
OWA over https works fine. A public, trusted certificate is in place.
Setup ActiveSync against this Exchange server: works fine, using user name/password.
Issued a user cert, signed with an internal CA, CA-cert successfully imported into al client devices.
Created a new OWA-site with cert-based authentication (just to make sure it works), imported user certificate into a mac, visit this OWA site - cert-based authentication works fine.
Now, with the configuration utility, created configuration profile with that user cert and an ActiveSync account, left password blank and chose the imported cert (p12) as authentication means.
After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume iPhone is ignoring the cert and is trying to use password-authentication instead.
The devices tested were iPhone 3G with IOS 4 and iPad 2 with IOS 5.
Any help will be greatly appreciated.
Roman.

No-one with this experience?
We've done some network analysis (as much as was possible to decrypt) and could see, that the server sends an SSL-Alert (rejection?) to the client after the client presents the certificate.
That explains why the client falls back to password-authentication, but it does not tell us why the server rejects the cert (that is accepted perfectly when accessed from a browser) in first place.

Exchange 2010 SP3 OWA with certificate based authentication

Hi,
I have a bizarre problem in my customer’s environment. Maybe someone has an idea.
Exchange 2010 with SP3, latest cumulative Update installed.
The problem I’m having is that when I enable Certificate based authentication (require client certificate option in IIS) on OWA and ECP virtual directories in conjunction with forms based authentication (this is the requirement – the user
must have a client certificate and type in username and password to log in to OWA), the result is that after the user selects the certificate he wants to use, he is logged into OWA automatically, but cannot use the website, because it’s being constantly automatically
refreshed (or redirected to itself or something like that). The behavior occurs with all users, with any browser. If client certificate is on required, forms based authentication works just fine. If I switch to “Basic Authentication” and enable client certificate
requirement, then OWA act’s as it should be – so no problems. The problem only occurs when authentication type is forms based and client certificates are required.
I have tried the exact same settings (as far as I can tell) on one other production server and one test server, and encountered no such problems.
Anyone – any ideas?

Hi McWax,
According to your description and test, I understand that all accounts cannot login OWA when select require client certificate.
Is there any error message when open OWA or login? For example, return error ”HTTP error: 403 - Forbidden”. Please post relative error for further troubleshooting.
I want to confirm which authentication methods are used for OWA, Integrated Windows authentication or Digest authentication? More details about it, for your reference:
http://technet.microsoft.com/en-us/library/bb430796(v=exchg.141).aspx
If you select another authentication method, please check whether Client Certificate Mapping Authentication services is installed, and also enabled in IIS, please refer to:
http://www.iis.net/configreference/system.webserver/security/authentication/clientcertificatemappingauthentication
To prevent firewall factor, please try to sign in OWA at CAS server. Besides, I find a FAQ about certificate:
http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
Best Regards,
Allen Wang

Certificate based authentication

I have a client application that requires certificate based authentication.
I could not find any instructions on how to set this up in the 11g manuals. So I reverted to the 5.2 manual (http://docs.oracle.com/cd/E19850-01/816-6698-10/ssl.html#18500), and followed some instructions found online.
I have completed the setup, and the client is able to authenticate using his certificate, and I have verified this in the logs.
[22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuing,DC=corp,DC=company,DC=lan
[22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
[22/Mar/2012:13:13:33 -0500] conn=34347 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
When adding the usercertificate attribute to the ID I used the following LDIF:
version: 1
dn: uid=userid,ou=employees,o=company
changetype: modify
replace: userCertificate
usercertificate: < file:///home/user/Certs/usercert.bin
the file was a binary encoded certificate file.
Here is the part that I don't understand when I do a search (or LDIF export) of the user object with the certificate it just returns a short base64 encoded string. when I decode this string, it is just the literal string of "< file:///home/user/Certs/usercert.bin".
So it appears that the certificate has not been stored on the user object in binary, and yet the certificate authentication still works. The file mentioned, does not exist on the LDAP server (the cert was loaded from another server), so there is no way that it is reading the cert from the file.
Anyone have any idea what is going on here? And why certificate auth works, when there appears to be not cert stored in LDAP?
If by chance this is how it is all suppose to work, then how do I go about backing up the usercertificate attribute when I do my LDAP data backups?
Thanks
Brian

Cyril,
Thanks for the reply.
I believe I am doing both types of certificate authentication, you are describing. My issue is that when I perform the steps to store the PEM formatted cert into the directory server, rather than storing a binary value of the cert, it appears to be storing the path to the file I attempted to import. The odd part is that I can still authenticate even after this is done.
I tried to post as much info as I could before without posting any sensitive data, I'll try and expand on that below.
Here is my documentation of the steps taken to configure the server and setup a user, for what I believe to be certificate based authentication, where the user is authenticated solely on the certificate that they provide (no password is sent).
1. Server must be running SSL, all connections for Certificate Auth are done over SSL (just a note)
2. From the DSCC
----a. Directory Servers Tab -> Servers Tab -> Click Server Name
----b. Security Tab -> General Tab
----c. In "Client Authentication" section, select:
--------i. LDAP Settings: "Allow Certificate-Based Client Authentication"
--------ii. This should be the default setting.
3. On the directory server setup the /ldap/dsInst/alias/certmap.conf file:
----a. certmap default default
----default:DNComps
----default:FilterComps uid,cn
4. restart the directory server
5. Do the following to setup the user who will be connecting. On their unix account (or similar)
----a. Create a directory to hold the certDB
--------i. mkdir certdb
----b. Create a CertDB
--------i. /ldap/dsee7/bin/certutil -N -d certdb
------------1) Enter a password when prompted
----c. Import the CA cert
--------i. /ldap/dsee7/bin/certutil -A -n "OurRootCA" -t "C,," -a -I ~/OurRootCA.cer -d certdb
----d. Create a cert request
--------i. /ldap/dsee7/bin/certutil -R -s "cn=userid,ou=company,l=city,st=state,c=US" -a -g 2048 -d certdb
----e. Send the cert request to the PKI Team to generate a user cert
----f. Take the text of the generated cert & save it to a file
----g. Import the new cert into your certdb
--------i. /ldap/dsee7/bin/certutil -A -n "certname" -t "u,," -a -i certfile.cer -d certdb
----h. Create a binary version of cert
--------i. /ldap/dsee7/bin/certutil -L -n "certname" -d certdb -r > userid.bin
----i. Add the binary cert to the user's LDAP entry (version: 1 must be included - I read this in a doc somewhere, but it doesn't seem to matter)
--------i. ldapmodify
------------1) ldapmodify -h host -D "cn=directory manager" -w password -ac
------------2)
------------version: 1
------------dn: uid=userid,ou=employees,o=company
------------sn: Service Account
------------givenName: userid
------------uid: userid
------------description: Service Account for LDAP
------------objectClass: top
------------objectClass: person
------------objectClass: organizationalPerson
------------objectClass: inetorgperson
------------cn: Service Account
------------userpassword: password
------------usercertificate: < file:///home/userid/Certs/userid.bin
------------nsLookThroughLimit: -1
------------nsSizeLimit: -1
------------nsTimeLimit: 180
After doing this setup I am able to perform a search using the certificate:
ldapsearch -h host -p 1636 -b "o=company" -N "certname" -Z -W CERTDBPASSWORD -P certdb/cert8.db "(uid=anotherID)"
This search is successful, and I can see it logged, as having been a certificate based authentication:
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from x.x.x.x:53574 to x.x.x.x
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuer,DC=corp,DC=company,DC=lan
[23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
[23/Mar/2012:13:25:20 -0500] conn=44605 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
If I understand correctly that would be using the part 2 of your explanation as using the binary encoded PEM to authenticate the user. If I am not understanding that corretly please let me know.
Now the part that I am really not getting is that the usercertificate that is stored on the ID is as below:
dn: uid=userid,ou=employees,o=company
usercertificate;binary:: PCBmaWxlOi8vL2hvbWUvdXNlcmlkL0NlcnRzL3VzZXJpZC5iaW4
which decodes as: < file:///home/userid/Certs/userid.bin
So I'm still unclear as to what is going on here, or what I've done wrong. Have I set this up incorrectly such that Part 2 as you described it is not what I have setup above? Or am I missunderstanding part 2 entirely?
Thanks
Brian
Edited by: BrianS on Mar 23, 2012 12:14 PM
Just adding ---- to keep my instruction steps indented.

Certificate Based Authentication and SSL

To whom it may concern,
I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
I am running my Messenger express (http) like this :
http://testing.xyz.com:8100
(I am using port 8100 for http access to mails). After restarting the mail server, I tried :
https://testing.xyz.com:8100 also,
http://testing.xyz.com:443 also,
https://testing.xyz.com:443 also,
but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
Thanking you,
Farhan Ahmed,
System Engineer
Dubai, UAE.

Dear jay,
I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
[29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
i got this line from the http log:
[29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
Thanking you,
Farhan Ahmed,
System Engineer,
Dubai Internet City, Dubai, UAE.

Client certificate based authentication

We have a JAVA web start application that needs to connect to an apache server and use client certificate based authentication. When javaws initiates a connection with apache server, it tries to retrieve the certificate/key from the PKCS12 keystore to present it to the apache server. We have made this work, however, javaws is prompting user to enter the password for accessing the keystore password. We do not want our users to enter this password and are looking into ways to either supply the password as one of the javaws deployment property or create an unprotected keystore. Both of our attempts have been unsuccessfull. We have tried the following
1. we passed the 3 discussed properties (javax.net.ssl.keyStore,
javax.net.ssl.keyStorePassword, javax.net.ssl.keyStoreType) in Java
Control Panel, according to the following procedure: open Control Panel,
select Java tab, click View under Java Applet Runtime Settings, set
values in Java Runtime Parameters table column. This operation added the
properties to the user's deployment file (in a new attribute named
deployment.javapi.jre.1.5.0_09.args, which held all 3 properties as a
value), but there was no effect (password window still popped up).
2. We setup the deployment.property file manually with the 3 attributes
[javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword,
javax.net.ssl.keyStoreType], it didn't have any affect either.
3. When launching java applications you can set system properties as
part of the command line using the follwing format
"-D<property_name>=<property_value>", we failed to find the analogous in
javaws.
Has anyone got any ideas on how to workaround this problem? Really appreciate any help here.

Hi, client cert auth is not realy the best way to protect your resources. It needs to install client cert on every workstation to access application. I think it conflict with javaws concept!
I have the same situation (protect resources and avoid password promt on start) and my solution is:
Using tomcat as web server:
Direct structure as follow:
/ApplicationRoot
       /WEB-INF
             /resources
                    - private.jar
                    - private.jnlp
        /resources
             - icon.png
             - public.jarAs you can see there is no direct access to protected resources. All protected resources availiable only thrue ResourceProvider servlet, configured as follow (web.xml):
<servlet-mapping>
        <servlet-name>ResourceProvider</servlet-name>
        <url-pattern>/resources/secret/*</url-pattern>
</servlet-mapping>
<security-constraint>
        <web-resource-collection>
            <web-resource-name>protected resources awailiable from browser</web-resource-name>
            <url-pattern>/resources/secret/browser/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>somerole</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
</security-constraint>
<security-role>
        <role-name>somerole</role-name>
</security-role>
<login-config>
        <auth-method>BASIC</auth-method>
        <realm-name></realm-name>
</login-config>Code your ResourceProvider servlet to grant access only if:
- Connection is secure (ssl).
- URL pattern is "/resources/secret/browser/*" and client has pass realm.
- URL pattern is "/resources/secret/javaws/secretkey/*" (where secretkey is a pin kept both by client and server)
To Install app from browser (access private.jnpl) use "/resources/secret/browser/*" url pattern and basic auth.
To download app resources configure jnlp file as follow:
<jnlp spec="1.0+" codebase="https://host:port/AppRoot/resources/" href="secret/javaws/secretkey/private.jnlp
    <information>
         <icon href="icon.png"/>
    </information>
    <resources>
        <j2se version="1.6+"/>
        <jar href="secret/javaws/secretkey/private.jar" />
        <jar href="public.jar" />
    </resources>
</jnlp>
{code}
And last you need to do is configure ssl connector on tomcat server as follow:
{code}
<Connector port="port"
         scheme="https"
         secure="true"
         SSLEnabled="true"
         clientAuth="false"
         sslProtocol="TLS"
/>
{code}
Pay attention to "clientAuth" param. Set it to "false" to avoid javaws splash cert choose dialog on every app update.
Hope it help!

OWA and ActiveSync certificate based authentication

I have Exchange 2013 CU3 installed and want to activate the certificate based authentication for ActiveSync and OWA. But I want to have the login without certificate as well for users without a certificate.
I already found some information how to do that on Exchange 2010 and I already did all steps to activate it.
But at one point I cant find anything to configure in Exchange 2013. So I have activated the AD certificate based authentication in ISS and configured the OWA folder in IIS to accept client certificates. This seems to work as I get asked to use the certificate
when I open the OWA page. But then I am landing on the OWA login page where I have to enter username and password.
So it seems that I am missing something. In the tutorials for Exchange 2010 they activate the certificate based authentication in the Management console. But I cant find anything in ECP to activate.
Can anyone help me?

Hi,
We can create an additional Web Site in IIS to configure additional OWA and ECP virtual directory for external access. And configuring the Default Web Site for internal access.
Then we can configure internal one with Integrated Windows authentication and Basic authentication while the external one configured for forms-based authentication of Domain\user name format. For more information about
Configuring Multiple OWA/ECP Virtual Directories, we can refer to:
https://blogs.technet.com/b/exchange/archive/2011/01/17/configuring-multiple-owa-ecp-virtual-directories-on-exchange-2010-client-access-server.aspx
Thanks,
Winnie Liang
TechNet Community Support

Certificate based authentication for Exchange ActiveSync in Windows 8.* Mail app

I have a Surface Pro and want to setup access to my company's Exchange server that accepts only Exchange ActiveSync certificate-based authentication.
I've installed server certificates to trusted pool and my certificate as personal.
Then I can connect thru Internet Explorer, but this is not comfortable to use.
I don't have a password because of security politics of our company. When I'm setting up this account on my Android phone I'm using any digit for password and it works perfectly.
Can someone help to setup Windows 8 metro-style Mail application? Does it supports this type of auth? When I'm trying to add account with type Outlook, entering server name, domain name, username, 1 as a password then I've got a message like "Can't
connect. Check your settings."
Is there any plans to implement this feature?

For what it's worth we have CBA working with Windows 8.1 Pro. In our case we have a MobileIron Sentry server acting as an ActiveSync reverse-proxy, so it verifies the client cert then uses Kerberos Constrained Delegation back to the Exchange CAS, however
it should work exactly the same to the Exchange server directly. I just used the CA to issue a User Certificate, exported the cert, private key and root CA cert, copied to the WinPro8.1 device and into the Personal Store. Configured the Mail app
to point at the ActiveSync gateway, Mail asked if I would like to allow it access the certificate (it chose it automatically) and mail synced down immediately...
So it definitely works with Windows Pro 8.1.

DPS attempting certificate based authentication with Directory Servers

Similar Messages

Maybe you are looking for