IKEv2 with certificates

Similar Messages

• Issue with SharePoint foundation 2010 to use Claims Based Auth with Certificate authentication method with ADFS 2.0

  I would love some help with this issue.  I have configured my SharePoint foundation 2010 site to use Claims Based Auth with Certificate authentication method with ADFS 2.0  I have a test account set up with lab.acme.com to use the ACS.
  When I log into my site using Windows Auth, everything is great.  However when I log in and select my ACS token issuer, I get sent, to the logon page of the ADFS, after selected the ADFS method. My browser prompt me which Certificate identity I want
  to use to log in   and after 3-5 second
   and return me the logon page with error message “Authentication failed” 
  I base my setup on the technet article
  http://blogs.technet.com/b/speschka/archive/2010/07/30/configuring-sharepoint-2010-and-adfs-v2-end-to-end.aspx
  I validated than all my certificate are valid and able to retrieve the crl
  I got in eventlog id 300
  The Federation Service failed to issue a token as a result of an error during processing of the WS-Trust request.
  Request type: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
  Additional Data
  Exception details:
  Microsoft.IdentityModel.SecurityTokenService.FailedAuthenticationException: MSIS3019: Authentication failed. ---> System.IdentityModel.Tokens.SecurityTokenValidationException:
  ID4070: The X.509 certificate 'CN=Me, OU=People, O=Acme., C=COM' chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed
  correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  --- End of inner exception stack trace ---
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.BeginGetScope(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService.BeginIssue(IClaimsPrincipal principal, RequestSecurityToken request, AsyncCallback callback, Object state)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.DispatchRequestAsyncResult..ctor(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginDispatchRequest(DispatchContext dispatchContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.ProcessCoreAsyncResult..ctor(WSTrustServiceContract contract, DispatchContext dispatchContext, MessageVersion messageVersion, WSTrustResponseSerializer responseSerializer, WSTrustSerializationContext
  serializationContext, AsyncCallback asyncCallback, Object asyncState)
  at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustServiceContract.BeginProcessCore(Message requestMessage, WSTrustRequestSerializer requestSerializer, WSTrustResponseSerializer responseSerializer, String requestAction, String responseAction, String
  trustNamespace, AsyncCallback callback, Object state)
  System.IdentityModel.Tokens.SecurityTokenValidationException: ID4070: The X.509 certificate 'CN=Me, OU=People, O=acme., C=com' chain building
  failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. 'A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
  at Microsoft.IdentityModel.X509CertificateChain.Build(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509NTAuthChainTrustValidator.Validate(X509Certificate2 certificate)
  at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
  at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
  at Microsoft.IdentityServer.Service.SecurityTokenService.MSISSecurityTokenService.GetOnBehalfOfPrincipal(RequestSecurityToken request, IClaimsPrincipal callerPrincipal)
  thx
  Stef71

  This is perfectly correct on my case I was not adding the root properly you must add the CA and the ADFS as well, which is twice you can see below my results.
  on my case was :
  PS C:\Users\administrator.domain> $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ad0001.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "domain.ad0001" -Certificate $root
  Certificate                 : [Subject]
                                  CN=domain.AD0001CA, DC=domain, DC=com
                                [Issuer]
                                  CN=domain.AD0001CA, DC=portal, DC=com
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  22/07/2014 11:32:05
                                [Not After]
                                  22/07/2024 11:42:00
                                [Thumbprint]
                                  blablabla
  Name                        : domain.ad0001
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : domain.ad0001
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17164
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.domain> $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\
  cer\SP2K10\ADFS_Signing.cer")
  PS C:\Users\administrator.domain> New-SPTrustedRootAuthority -Name "Token Signing Cert" -Certificate $cert
  Certificate                 : [Subject]
                                  CN=ADFS Signing - adfs.domain
                                [Issuer]
                                  CN=ADFS Signing - adfs.domain
                                [Serial Number]
                                  blablabla
                                [Not Before]
                                  23/07/2014 07:14:03
                                [Not After]
                                  23/07/2015 07:14:03
                                [Thumbprint]
                                  blablabla
  Name                        : Token Signing Cert
  TypeName                    : Microsoft.SharePoint.Administration.SPTrustedRootAuthority
  DisplayName                 : Token Signing Cert
  Id                          : blablabla
  Status                      : Online
  Parent                      : SPTrustedRootAuthorityManager
  Version                     : 17184
  Properties                  : {}
  Farm                        : SPFarm Name=SharePoint_Config
  UpgradedPersistedProperties : {}
  PS C:\Users\administrator.PORTAL>

• Windows Server 2008 R2 with multiple Roles OS Rebuild, Need help with Certificates.

  Hi,
  I have rebuilt a Server for my client and I require help with certificates..
  I am unsure exactly what to do to get this server working as it was.
  Example, The Windows Server 2008 R2 has Microsoft Exchange, DNS, DHCP, ADDS, FileServices,Network Policy and access Services and Webservices roles installed on a single box.
  Since the Server OS Rebuild I am getting 2 issues that pop up usually when Outlook in opened on a client Workstation,
  I have not dont anything certificate wise to the server since OS Install, and the messages I get and best described here
  I seen on a backdrive, a few certificate files I dont know if we can use these files for anything but we have the following files of drive E (Backup)
  e:\server.xxxx.com.au\gd_iis_intermediates.p7b
  e:\server.xxxx.com.au\server.xxxx.com.au.crt
  e:\ssl\2013-2018.cer
  1st Message is about a Proxy certificate I dont get this often but saw it today and my client clicked ok too quickly.
  I have seen it and didnt see it again after trying to close outlook and reopen
  I looked up google images and tried to find it...
  It's like this, (There is a problem with the proxy server's security certificate.
  The security certificate is not from a trusted certifying authority.)
  2nd Message is about Security Alert, Autodiscover.xxxx.com.au Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the sites security certificate.
  -X- The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certificating authority
  -TICK- The security certificate date is valid
  -X- The name on the security certificate is invalid or does not match the name of the site
  Do you want to preceed
  [Yes][No][View Certificate ...]
  3rd Message is very Close to the 2nd Message, is about Security Alert, xxxx-server.xxxx.local, Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the sites security certificate.
  -X- The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certificating authority
  -TICK- The security certificate date is valid
  -TICK- The name on the security certificate is invalid or does not match the name of the site
  Do you want to preceded
  [Yes][No][View Certificate ...]
  If you can help guide me thou this as I'm very new to setting up certificates. I had a friend tell me about something in DNS.. but he has been super busy and I want to learn what to do.
  Thank-You.

  Hiya,
  quite a lot has the same confusions as you do, so I've written a simple explanation on the subjet of certificates
  http://jesperarnecke.wordpress.com/2014/03/22/certificates-simple-explanation/
  Let me know if that helps you and if you need further assistance.

• Error in authentication with ldap server with certificate

  Hi,
  i have a problem in authentication with ldap server with certificate.
  here i am using java API to authenticate.
  Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed.
  I issued the new certificate which is having the up to 5 years valid time.
  is java will authenticate up to one year only?
  Can any body help on this issue...
  Regards
  Ranga

  sorry i am gettting ythe same error
  javax.naming.CommunicationException: simple bind failed: servername:636 exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: timestamp check failed]
  here when i am using the old certificate and changing the system date means i can get the authentication.
  can you tell where we can concentrate and solve the issue..
  where is the issue
  1. need to check with the ldap server only
  2. problem in java code only.
  thanks in advance

• Office 2010 created PDF only bringing up Work with Certificates option with Signing

  When creating PDF documents with Microsoft Word 2010, the only Sign option showing is Work With Certificates and is greyed, I Need To Sign and Get Others to Sign is missing.  My previous PC with Windows 7/Office 2010 and Reader Xi was able to sign documents.  I'm also able on my old XP machine to create a dummy pdf in Word 2010 and sign it in Reader, and on my Windows8/Office 2013/Reader Xi PC.  Any idea as to where this might have been broken?
  With the PDF file created in 2013, I Ctrl+D'd to get the security settings as it's commonly suggested that electronic signatures is failing because of a setting there, however I'm still able to sign it with Signing: Not Allowed and get the full signing menu instead of the Work With Certificates.

  Hi,
  If you meet any problems when using our products, you can post the question here. Please post one question in a single thread, and the question should be posted in the proper forum.
  The current forum is for Office 2010 - Planning, Deployment, and Compatibility.
  Just as Don mentioned, you may have multiple questions and some of them are not well placed, post them to the correct forum to get the specific support.
  Regards,
  Melon Chen
  TechNet Community Support

• File to SOAP (Synchronous) with certificates Encryption and Descryption

  Hi,
  Can anybody advice me how can I develop the scenario file to SOAP (Synchronous Process) with certificates encryption and descryption.
  Thanks,
  Naidu.

  For file to soap sync scenario without using BPM, you need to use the following adapter modules.
  http://help.sap.com/saphelp_nw04/helpdata/en/45/20c210c20a0732e10000000a155369/content.htm
  http://help.sap.com/saphelp_nw04/helpdata/en/45/20cc5dc2180733e10000000a155369/content.htm
  For applying certificates, you need to configure SSL on java stack.
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/197e6aec-0701-0010-4cbe-ad5ff6703c16
  Regards,
  Prateek

• MfE with Certificate Based Authentication on E6

  Hello,
  I've been trying to setup MfE on my E6 but I can't find a way to configure it to use a personal certificate, I even tried using "Nokia Configuration Tool" but it tells me that my device does not support MfE with Certificate Based Authentication, I get "Invalid Credentials" when using a username & password.
  I get the same error on both Anna and Belle.
  Any help would be appreciated.
  Thanks

  Better give the MfE configuration in detail.
  Also please advise the if the server is a real Microsoft Exchange Server or a third-party mail service such as Gmail or Live.
  bbao
  * If this post helped you, please click the white Kudo star.
  * If this post has solved your issue, please click Accept as Solution.

• ActiveSync with Certificate-Based Authentication

  We are trying to setup ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
  What has been done so far:
  OWA over https works fine. A public, trusted certificate is in place.
  Setup ActiveSync against this Exchange server: works fine, using user name/password.
  Issued a user cert, signed with an internal CA, CA-cert successfully imported into al client devices.
  Created a new OWA-site with cert-based authentication (just to make sure it works), imported user certificate into a mac, visit this OWA site - cert-based authentication works fine.
  Now, with the configuration utility, created configuration profile with that user cert and an ActiveSync account, left password blank and chose the imported cert (p12) as authentication means.
  After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume iPhone is ignoring the cert and is trying to use password-authentication instead.
  The devices tested were iPhone 3G with IOS 4 and iPad 2 with IOS 5.
  Any help will be greatly appreciated.
  Roman.

  No-one with this experience?
  We've done some network analysis (as much as was possible to decrypt) and could see, that the server sends an SSL-Alert (rejection?) to the client after the client presents the certificate.
  That explains why the client falls back to password-authentication, but it does not tell us why the server rejects the cert (that is accepted perfectly when accessed from a browser) in first place.

• 802.1x wireless authentication with certificates

  Hi.
  I have configured and working 802.1x authentication with certificates for Wired connections. with no problem.
  when i try to authenticate the same machine with 802.1x and certificates , on Wirelss, the ACS rejects it  with:
  "12520  EAP-TLS failed SSL/TLS handshake because the client rejected the ACS local-certificate."
  the ACS is the same, the certificate the same, and the root ca is the same.
  what's hapenning????
  Antero Vasconcelos

  What supplicant are we using for wireless authentication? Do we have complete chain of certificates installed on the client machine? Can you check if we have root CA/intermediate correctly installed in client and ACS.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• When I click Sign, Adobe Reader XI v 11.0.4, my only option is Sign with Certificate, how do I also get the "I need to Sign" option that allow me to place a signature?

  When I click Sign, Adobe Reader XI v 11.0.4, my only option is Sign with Certificate, how do I also get the “I need to Sign” option that allow me to place a signature? I need screen shots to develop a customized training pamphlet.

  Hi,
  Please update the Reader to 11.0.07 and then check the options.
  Go to Help -> Check for updates.
  Regards,
  Anoop

• Flash win projector - signing with certificate

  Hi,
  One of my client want to sign an exe file with certificate.
  I bought a certificate "standard code signing" and i want to use signtool.exe to sign the aplication, but all the time i get an error.
  has any one try to sign an exe app??
  I will be greatfull for any help.

  If you fish through the answer to this persons post to get 1.5 working and then read about the update to 2.6 it should give you enough information on how to attempt to get AIR4 to work, but I'm not sure if it will:
  http://stackoverflow.com/questions/5529666/setting-up-flash-cs4-to-use-adobe-air-2-6
  TBH I'd honestly only be using Flash CS4 for animation assets and be entirely using a different code editor, esp one that has better code completion like FlashDevelop or even better, eclipse with FDT.
  Let me know if you get AIR4 working in CS4 just out of curiosity. (I use Flash Builder 4.7 myself).

• Why unable to sign PDF with certificate after applying Nitro PDF password protection? (despite it explicitly allowing signing with certificates)

  I used Adobe Reader XI to sign PDFs with certificate, which worked perfectly. Except that the PDF could still be edited by other programs (for example, Nitro PDF) after the signing (but not the fill out fields and the signature). To apply password protection makes sense to avoid changes in the PDF being made after it has been signed. So I applied password protection via Nitro PDF that allows only enter fill-out fields and signing. But when I open it with Adobe Reader, the filling out works fine, but the signing part is not available to click on it (all of the buttons under "Sign" tab are grey). When I go on the Security properties with Adobe Reader, I can explicitly see that signing of this PDF is allowed and yet the option is not open to use for me anymore.
  Any ideas on why it is the case and what I could do about that?
  Many thanks!
  O.

  Actually yes, I just asked my colleague to assist me with this, he password-protected the PDF with Acrobat 8, explicitly allowing for signing and fill-out functions, it also appears in Adobe Reader under security properties as "allowed", but it is not open to use in the Reader for me anymore (grey buttons).

• Issues with certificates with both Firefox and chromium

  I tried everything ... I reinstalled both of them.
  I canceled the profile and made new ones.
  I check with all my other computer if they have issues with certificates: no problem at all.
  Checked the date, is ok.
  Finally I checked what is installed on the system related to the problem ..
  # pacman -Q|egrep '(openssl|curl|ca-cert)'
  ca-certificates 20140325-1
  ca-certificates-java 20140324-3
  curl 7.37.1-1
  lib32-curl 7.37.1-1
  lib32-openssl 1.0.1.i-1
  openssl 1.0.1.i-1
  python2-pyopenssl 0.14-3
  or if there is an issued with a library ..
  # ldd `which curl`
  linux-vdso.so.1 (0x00007fffd2a48000)
  libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f8a1c4d9000)
  libz.so.1 => /usr/lib/libz.so.1 (0x00007f8a1c2c3000)
  libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f8a1c0a5000)
  libc.so.6 => /usr/lib/libc.so.6 (0x00007f8a1bcf7000)
  libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f8a1bace000)
  libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f8a1b860000)
  libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f8a1b44e000)
  libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00007f8a1b203000)
  libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x00007f8a1af22000)
  libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00007f8a1acf0000)
  libcom_err.so.2 => /usr/lib/libcom_err.so.2 (0x00007f8a1aaec000)
  /lib64/ld-linux-x86-64.so.2 (0x00007f8a1c747000)
  libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f8a1a8e8000)
  libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0x00007f8a1a6db000)
  libkeyutils.so.1 => /usr/lib/libkeyutils.so.1 (0x00007f8a1a4d7000)
  libresolv.so.2 => /usr/lib/libresolv.so.2 (0x00007f8a1a2c0000)
  I try to use a virtual machine on the same machine with ubuntu installed: no problem.
  Any idea?
  Last edited by saronno (2014-08-15 12:37:44)

  # curl -v https://areaclienti187.telecomitalia.it
  * Rebuilt URL to: https://areaclienti187.telecomitalia.it/
  * Hostname was NOT found in DNS cache
  * Trying 62.77.57.164...
  * Connected to areaclienti187.telecomitalia.it (62.77.57.164) port 443 (#0)
  * successfully set certificate verify locations:
  * CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
  * SSLv3, TLS handshake, Client hello (1):
  * SSLv3, TLS handshake, Server hello (2):
  * SSLv3, TLS handshake, CERT (11):
  * SSLv3, TLS handshake, Server finished (14):
  * SSLv3, TLS handshake, Client key exchange (16):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSLv3, TLS change cipher, Client hello (1):
  * SSLv3, TLS handshake, Finished (20):
  * SSL connection using TLSv1.0 / AES128-SHA
  * Server certificate:
  * subject: C=IT; ST=Italy; L=Pomezia; O=Telecomitalia; OU=ADM.AP.PM.WO; CN=areaclienti187.telecomitalia.it; emailAddress=[email protected]
  * start date: 2013-10-08 10:06:37 GMT
  * expire date: 2014-10-08 10:06:37 GMT
  * common name: areaclienti187.telecomitalia.it (matched)
  * issuer: C=IT; O=I.T. Telecom; OU=Servizi di certificazione; CN=I.T. Telecom Global CA
  * SSL certificate verify ok.
  With curl no problem at all.
  Last edited by saronno (2014-08-15 19:10:09)

• How to authenticate with certificate?

  I wanna try to build a more secure LAN. I want every client (wired/wireless) to connect the network used a certificate not a user/password pair.
  But now, as i am a newbie, I don't know what to choose between TACACS+ and RADIUS. Because I have a Mac mini, maybe RADIUS is more suitable, but i don't know how to establish the CA.
  Any help or suggestion will be appreciated!

  We most typically do this in the context of implementing a product like Cisco's Identity Services Engine (ISE). ISE uses 802.1x and has the ability to check clients for things like a certificate during the authentication / posture assessment / remediation process.
  It also acts as a RADIUS server and can dynamically push out Change of Authorization (CoA) to the authenticator (i.e switch or Wireless controller) in order to control things like client VLAN assignment and any access-lists you may want to apply.
  On the client side, a supplicant is used to interact with the authenticator. You can use native supplicants from OS X or Windows etc. but we generally recommend use of Cisco's AnyConnect Secure Mobility client with its Network Access Module (NAM) as it's much more full-featured for that purpose.
  You could also do 802.1x with certificate authentication and use a different backend authentication server (like a regular Cisco ACS or Microsoft Network Policy Server) but you would just get more basic authentication vs. the rich functionality ISE gives (albeit ISE costs a lot more ;) ).
  Have a look at this Youtube video for an example of setting up certificate authentication on ACS: 
       https://www.youtube.com/watch?v=U7qWJ7bIMHA

• Cannot sign - get and error with "Sign with Certificate"

  I am trying to sign a document using "Sign with Certificate".  I have created an electronic signature.  I click the button that says "sign with certificate".  I then drag and draw the signature box.  The pop up the appears with a place to "save" the signed document.  I navigate to the proper folder and then I name the document.  When I click OK, I get and error that reads "there was an error when attempting to commit this signature.  the document was not saved.  the file may be read-only, or another user may have it open.  Please save this document with a different name or in a different folder."  I then tried to re-name the original document.  No luck.  I then printed the original document to a new pdf and tried again, no luck.  I tried to save it to a different folder, no luck.  I tried to save it with a different name, nl luck.  I restarted the computer and tried again, no luck. what should i do?

  No.  I am solo and doing this on my stand alone PC, I do not have any of those platforms that you mentioned.  BTW, because of another technical glitch, I only recently – within the last month  - re-installed Adobe on my local machine
  jcc
  John C Carrozzella, MD
  Phone: (813) 659-2897
  Fax:      (888) 552-7536
  Email:    <mailto:[email protected]> [email protected]
  Web:  <http://www.hormonesandwellness.com/> www.HormonesAndWellness.com