Multiple client authentication certificates

Our application interfaces with several vendors using HTTPS. One vendor issued us a certificate to authenticate us and we have successfully implemented the interface by setting the keyStore, keyStoreType and keyStorePassword System properties to use the pkcs12 file. How do you handle a situation when you have two different interfaces that each require a client certificate? Changing the System properties online to use different keystore values is not thread safe. What is the best way to handle this?
Thanks,
Steve

This is where you have to get into the nightmare of using two SSLContexts, or a smart KeystoreManager. Have a good look at http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html
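As an added example, written for this page rather than taken from the thread, here is the first of the two options the reply names: one SSLContext per vendor, each built from that vendor's own PKCS12 file. An initialised SSLContext is immutable and safe to share between threads, so the keyStore System properties are never read or written after startup and the thread-safety problem disappears. Vendor names, file paths, passwords and URLs below are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * One SSLContext per vendor, each built from that vendor's own PKCS12 client
 * keystore. An initialised SSLContext (and the SSLSocketFactory it hands out)
 * is immutable and safe to share between threads, so nothing global is mutated
 * per request, unlike switching the javax.net.ssl.keyStore* System properties.
 */
public final class VendorTls {

    /** vendor -> {PKCS12 path, password}. Placeholder values; real ones come from configuration. */
    private static final Map<String, String[]> VENDOR_KEYSTORES = new HashMap<>();
    static {
        VENDOR_KEYSTORES.put("vendorA", new String[] {"/etc/app/vendorA-client.p12", "changeit-A"});
        VENDOR_KEYSTORES.put("vendorB", new String[] {"/etc/app/vendorB-client.p12", "changeit-B"});
    }

    private static final Map<String, SSLContext> CONTEXTS = new ConcurrentHashMap<>();

    /** Returns the cached SSLContext for a vendor, building it once on first use. */
    public static SSLContext contextFor(String vendor) {
        return CONTEXTS.computeIfAbsent(vendor, v -> {
            String[] cfg = VENDOR_KEYSTORES.get(v);
            if (cfg == null) {
                throw new IllegalArgumentException("no client keystore configured for " + v);
            }
            try {
                return buildContext(cfg[0], cfg[1].toCharArray());
            } catch (Exception e) {
                throw new IllegalStateException("cannot build SSLContext for " + v, e);
            }
        });
    }

    /** Loads one PKCS12 file and wraps it in a fresh SSLContext. */
    static SSLContext buildContext(String p12Path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        // A null KeyStore selects the JVM's default trust store. If a vendor's server
        // certificate chains to a private CA, load that CA into a KeyStore and pass it here.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Opens a connection to a vendor endpoint that presents that vendor's client certificate. */
    public static HttpsURLConnection open(String vendor, String urlString) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        // Per-connection socket factory; the default hostname verifier is left in place.
        conn.setSSLSocketFactory(contextFor(vendor).getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoints; each request uses the matching vendor's certificate.
        System.out.println("vendorA: HTTP " + open("vendorA", "https://api.vendor-a.example/ping").getResponseCode());
        System.out.println("vendorB: HTTP " + open("vendorB", "https://api.vendor-b.example/ping").getResponseCode());
    }
}
```

Two points worth checking in your own code: use setSSLSocketFactory on each connection, not HttpsURLConnection.setDefaultSSLSocketFactory, which is process-wide state and brings back exactly the race the question describes; and if the vendors also require different trust anchors, put those into the per-vendor TrustManagerFactory rather than into the shared cacerts file.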

Similar Messages

  • Client Authentication certificate not working in ADFS3.0

    Hi,
    I am currently working on integrating ADFS 3.0 for Single Sign On to some 3rd party services along with a PKI solution. The basic requirement is that I should be able to choose client authentication certificate as an authentication method in ADFS and then
    federate user credentials to the 3rd party trust for single sign-on.
    I had done this successfully with ADFS 2.0 and that setup is working fine. I have the setup with the ADFS 3.0 client authentication method enabled. When I open a browser to log on, the ADFS 3.0 page displays the message "Select a certificate that you want to
    use for authentication. If you cancel the operation, please close your browser and try again." but the certificates are not displayed for selection.
    The certificates are valid and have valid chaining to CA. Could someone help me resolve this issue?
    Thanks!
    -Chinmaya Karve

    I am also having this problem where the certificate dialog (Windows Security is usually the title) is never prompted to the user. I tried it on several computers which are all part of the domain. The same computers can also login on another ADFS, so I have
    working certificates.
    I just get a page where a text says I should select a certificate but I never get the dialog to do so.
    Any updates on this issue?

  • Attempting to use certreq -enroll to enroll to a client authentication certificate works with Windows 8, but not with Windows 7...

    This has been an issue for a while now. Trying to use certreq -enroll -machine [Template Name] on Windows 7 machines fails with "not implemented". When I run this command with the -q flag I see that the certificate I want is unavailable and it displays:
    A valid certification authority (CA) configured to issue certificates based on this template cannot be located, or the CA does not support this operation, or the CA is not trusted.
    When I go into the properties of this certificate, go to the Certification Authority tab and check "Show all enrollment servers", it shows my server greyed out with this message:
    The system could not determine if you can access this certificate. Not implemented.
    The template sits on an enterprise 2003 server CA and this process works with Windows 8.1 machines, which means that the template has the correct permissions and is issued correctly.
    Is this a known issue with Windows 7 or am I missing something in the config?  Help is greatly appreciated.
    Thanks,

    Hi
    I have done some tests on a Windows 7 Enterprise machine and a Windows 8.1 Enterprise machine, it turns out that I have the same issue with you.
    On the Windows 7 machines, I cannot use Certreq.exe to request machine certificates, but I can successfully request user certificates, and there is no issue with the Windows 8.1 machine.
    Best Regards,
    Amy
    Interesting.  From what I can tell, there are no patches that fix this issue either...

  • Issue with Client Authentication Certificates within Bootable Media

    Hi All,
    I am in the process of deploying SCCM 2012 R2 in our environment parallel to our existing SCCM 2007 R3 environment. So far everything is working well. I have hit, however, my first issue. This seems to be related to Client Authentication certificate validation.
    The problem occurs when booting from SCCM 2012 Task Sequence Bootable media and attempting to contact a local Management Point. I am using a USB Boot key at this point as I do not want to overlap with our existing PXE environment.
    The SMSTS.LOG shows the error 0x80072f8f. Specifically the error that I need to get past is:
    [TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    [TSMESSAGING]                : dwStatusInformationLength is 4
     TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    [TSMESSAGING]                : *lpvStatusInformation is 0x10
     TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    [TSMESSAGING]            :
    WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
     TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    [TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    I have followed all of the recommended steps that I can think of so far. I have:
    Ensured that the Server Authentication and client authentication certificate on all Site systems is correct (I.e. all certificates are based on Certificate Templates as per the TechNet documentation)
    Ensured the Root and Issuing CAs are registered within the SCCM 2012 Site
    The Distribution Point role and Bootable Media are using a dedicated Client Authentication certificate that has been imported via a .PFX
    Ensured this certificate is in a "Not blocked" state
    Ensured the Date and Time of each Site System and of WinPE during the boot process is in sync.
    Checked the MPControl.LOG on each of our 2 Management Points looking for errors. These logs are all clear.
    Checked the IIS Web Logs on the Management Points. These logs are also all clear.
    The SMSTS.LOG is successfully importing the Root CA certificates ....
    Root CA Public Certs=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)Importing certificates to root store TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    Added certificate to store or replaced matching certificate in store. TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    Added certificate to store or replaced matching certificate in store. TSMBootstrap 19/12/14 11:27:22 AM 1164 (0x048C)
    I have noticed that there are plenty of issues related to an invalid CA due to root CA import issues or CRL checking. We currently have CRL checking disabled and based on the "INVALID_CN" reference I don't believe CRL check is part of the equation.
    With regards to the Common Name I can confirm the following:
    The "ConfigMgr Client Certificate" Template used to auto enroll all domain joined systems is based upon the "Workstation Authentication" template. The Subject Field is set, as by default to "None". The SAN is set to DNS name.
    The "ConfigMgr OSD Certificate" Template used to create the client authentication certificate used on the DPs and Bootable Media is set to "Supplied at Request". I set a CN of "Configmgr OSD Certificate" for this certificate.
    I have tried using another client authentication certificate for the DPs and Bootable media that had no Subject Name defined.
    Can anyone offer any suggestions as to where I might be going wrong?
    Thanks,
    Nathan Sutton
    NSutton

    Hi Jason,
    Here is the log as requested. I will post it up in separate messages.
    <![LOG[LOGGING: Finalize process ID set to 724]LOG]!><time="13:36:01.388+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="tslogging.cpp:1495">
    <![LOG[==============================[ TSBootShell.exe ]==============================]LOG]!><time="13:36:01.388+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728"
    file="bootshell.cpp:1055">
    <![LOG[Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL']LOG]!><time="13:36:01.404+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="util.cpp:964">
    <![LOG[Debug shell is enabled]LOG]!><time="13:36:01.404+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:1066">
    <![LOG[Waiting for PNP initialization...]LOG]!><time="13:36:01.419+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:60">
    <![LOG[RAM Disk Boot Path: MULTI(0)DISK(0)RDISK(0)PARTITION(1)\SOURCES\BOOT.WIM]LOG]!><time="13:36:01.419+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732"
    file="configpath.cpp:302">
    <![LOG[WinPE boot path: D:\SOURCES\BOOT.WIM]LOG]!><time="13:36:01.435+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="configpath.cpp:327">
    <![LOG[Booted from removable device]LOG]!><time="13:36:01.435+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="configpath.cpp:357">
    <![LOG[Found config path D:\]LOG]!><time="13:36:01.435+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:548">
    <![LOG[Booting from removable media, not restoring bootloaders on hard drive]LOG]!><time="13:36:01.435+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:582">
    <![LOG[D:\WinPE does not exist.]LOG]!><time="13:36:01.497+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:599">
    <![LOG[D:\_SmsTsWinPE\WinPE does not exist.]LOG]!><time="13:36:01.497+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:613">
    <![LOG[Executing command line: wpeinit.exe -winpe]LOG]!><time="13:36:01.497+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:860">
    <![LOG[Executing command line: X:\windows\system32\cmd.exe /k]LOG]!><time="13:36:02.935+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:860">
    <![LOG[The command completed successfully.]LOG]!><time="13:36:02.951+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:942">
    <![LOG[Successfully launched command shell.]LOG]!><time="13:36:02.951+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="728" file="bootshell.cpp:432">
    <![LOG[The command completed successfully.]LOG]!><time="13:36:15.371+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:942">
    <![LOG[Starting DNS client service.]LOG]!><time="13:36:15.371+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:666">
    <![LOG[Executing command line: X:\sms\bin\i386\TsmBootstrap.exe /env:WinPE /configpath:D:\]LOG]!><time="13:36:15.890+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732"
    file="bootshell.cpp:860">
    <![LOG[The command completed successfully.]LOG]!><time="13:36:15.890+480" date="12-19-2014" component="TSBootShell" context="" type="1" thread="732" file="bootshell.cpp:942">
    <![LOG[==============================[ TSMBootStrap.exe ]==============================]LOG]!><time="13:36:16.062+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212"
    file="tsmbootstrap.cpp:1165">
    <![LOG[Command line: X:\sms\bin\i386\TsmBootstrap.exe /env:WinPE /configpath:D:\]LOG]!><time="13:36:16.062+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212"
    file="tsmbootstrap.cpp:1166">
    <![LOG[Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL']LOG]!><time="13:36:16.078+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="util.cpp:964">
    <![LOG[Succeeded loading resource DLL 'X:\sms\bin\i386\TSRESNLC.DLL']LOG]!><time="13:36:16.078+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="resourceutils.cpp:169">
    <![LOG[Current OS version is 6.2.9200.0]LOG]!><time="13:36:16.078+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="util.cpp:3094">
    <![LOG[Adding SMS bin folder "X:\sms\bin\i386" to the system environment PATH]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212"
    file="tsmbootstrap.cpp:963">
    <![LOG[Failed to open PXE registry key. Not a PXE boot.]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstrap.cpp:844">
    <![LOG[Media Root = D:\]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmbootstrap.cpp:1000">
    <![LOG[WinPE boot type: 'Ramdisk:SourceIdentified']LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmbootstrap.cpp:779">
    <![LOG[Failed to find the source drive where WinPE was booted from]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="2" thread="1212" file="tsmbootstrap.cpp:1036">
    <![LOG[Executing from Media in WinPE]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmbootstrap.cpp:1041">
    <![LOG[Verifying Media Layout.]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:1623">
    <![LOG[MediaType = BootMedia]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:2607">
    <![LOG[PasswordRequired = false]LOG]!><time="13:36:16.094+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:2633">
    <![LOG[Found network adapter "Realtek PCIe GBE Family Controller" with IP Address X.X161.12.]LOG]!><time="13:36:16.109+480" date="12-19-2014" component="TSMBootstrap" context="" type="0"
    thread="1212" file="tsmbootstraputil.cpp:517">
    <![LOG[Running Wizard in Unattended mode]LOG]!><time="13:36:16.109+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:2803">
    <![LOG[Loading Media Variables from "D:\sms\data\variables.dat"]LOG]!><time="13:36:16.109+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsremovablemedia.cpp:322">
    <![LOG[no password for vars file]LOG]!><time="13:36:16.156+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmediawizardcontrol.cpp:247">
    <![LOG[Entering TSMediaWizardControl::GetPolicy.]LOG]!><time="13:36:16.156+480" date="12-19-2014" component="TSMBootstrap" context="" type="0" thread="1212" file="tsmediawizardcontrol.cpp:527">
    <![LOG[Creating key 'Software\Microsoft\SMS\47006C006F00620061006C005C007B00350031004100300031003600420036002D0046003000440045002D0034003700350032002D0042003900370043002D003500340045003600460033003800360041003900310032007D00']LOG]!><time="13:36:16.172+480"
    date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="environmentscope.cpp:263">
    <![LOG[Environment scope successfully created: Global\{51A016B6-F0DE-4752-B97C-54E6F386A912}]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212"
    file="environmentscope.cpp:623">
    <![LOG[Creating key 'Software\Microsoft\SMS\47006C006F00620061006C005C007B00420041003300410033003900300030002D0043004100360044002D0034006100630031002D0038004300320038002D003500300037003300410046004300320032004200300033007D00']LOG]!><time="13:36:16.172+480"
    date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="environmentscope.cpp:263">
    <![LOG[Environment scope successfully created: Global\{BA3A3900-CA6D-4ac1-8C28-5073AFC22B03}]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212"
    file="environmentscope.cpp:623">
    <![LOG[Setting LogMaxSize to 1000000]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:555">
    <![LOG[Setting LogMaxHistory to 1]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:556">
    <![LOG[Setting LogLevel to 0]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:557">
    <![LOG[Setting LogEnabled to 1]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:558">
    <![LOG[Setting LogDebug to 1]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:559">
    <![LOG[UEFI: false]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:569">
    <![LOG[Loading variables from the Task Sequencing Removable Media.]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:584">
    <![LOG[Loading Media Variables from "D:\sms\data\variables.dat"]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsremovablemedia.cpp:322">
    <![LOG[Succeeded loading resource DLL 'X:\sms\bin\i386\1033\TSRES.DLL']LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="util.cpp:964">
    <![LOG[Setting SMSTSLocationMPs TS environment variable]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSMediaGuid TS environment variable]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSBootMediaPackageID TS environment variable]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSBootMediaSourceVersion TS environment variable]LOG]!><time="13:36:16.172+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSBrandingTitle TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSCertSelection TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSCertStoreName TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSDiskLabel1 TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSHTTPPort TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSHTTPSPort TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSIISSSLState TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSMediaCreatedOnCAS TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSMediaPFX TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSMediaSetID TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSMediaType TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSPublicRootKey TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSRootCACerts TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSSiteCode TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSSiteSigningCertificate TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSStandAloneMedia TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSSupportUnknownMachines TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSTimezone TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSUseFirstCert TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSx64UnknownMachineGUID TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    <![LOG[Setting _SMSTSx86UnknownMachineGUID TS environment variable]LOG]!><time="13:36:16.187+480" date="12-19-2014" component="TSMBootstrap" context="" type="1" thread="1212" file="tsmediawizardcontrol.cpp:604">
    NSutton

  • KDC identifying both with client authentication

    hi everybody
    I am using a client authentication certificate template,
    and I also want it to identify a KDC as well as do client authentication.
    I am looking for the specific configuration for this.
    Thank you
    Marv Kikovanovich

    Hey Marv
    Thanks for posting ,
    You need to add another Application Policy, "KDC Authentication", to the client
    certificate template.
    Certification Authority\Certificate Templates\Manage
    Open the properties of the client certificate template, Extensions tab,
    Edit Application Policies, and add the "KDC Authentication" policy.
    Good Luck.
    I'd be glad to answer any question

  • Cisco CSS Client Authentication

    I have a few questions in this regard..
    1.) Is it possible to use self-signed certs for the client authentication, bearing in mind you need to point the CSS to the CRL?
    2.) I need to run around 20 different VIPs (probably on the same IP but with different TCP ports), all requiring their own individual certificate for client auth. Is there a limit to the number of client authentication certificates I can load on an 11501S device?
    3.) Can someone provide me with a working configuration example for client authentication on a CSS?

    Client authentication means the CSS will request the client to send its own certificate and we will check its validity against the configured CA and configured CRL.
    It has nothing to do with the CSS certificate.
    So, you could have a self-signed certificate on the CSS. That doesn't change anything for client authentication.
    The same-IP thing is probably not a good idea if you want to assign the certificates to different domains.
    A DNS request will only return an IP address and no port.
    So you may end up with all requests going to the same IP and port 443.
    I think the limit is 256 ssl-proxy server.
    Check config guide for assistance :
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v7.50/configuration/ssl/guide/terminat.html#wp999318
    Gilles.

  • Problem using multiple Client Certificates

    Hi folks, I had (mistakenly) posted an earlier version of this question to the crypto forum.
    My problem is that I have multiple client certs in my keystore, but only one is being used as the selected certificate for client authentication for all connections. So, one connection works fine, the rest fail because the server doesn't like the client cert being presented.
    I have been trying to get the JSSE to select the proper client certificate by making use of the chooseClientAlias method (init the SSL context with a custom key manager that extends X509ExtendedKeyManager and implements the inherited abstract method X509KeyManager.chooseClientAlias(String[], Principal[], Socket)).
    But still no luck: the JSSE is not calling into my version of chooseClientAlias, and it just keeps presenting the same client certificate.
    No clue why; any thoughts on how to get the JSSE to call my version of chooseClientAlias?
    Thanks!
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(createCustomKeyManagers(Keystore, KeystorePassword),
                createCustomTrustManagers(Keystore, KeystorePassword), null);
    SSLSocketFactory factory = sslContext.getSocketFactory();
    URL url = new URL(urlString);
    HttpsURLConnection urlConn = (HttpsURLConnection) url.openConnection();
    urlConn.setSSLSocketFactory(factory);
    BufferedReader rd = new BufferedReader(new InputStreamReader(urlConn.getInputStream()));
    String line;
    while ((line = rd.readLine()) != null) {
        System.out.println(line);
    }

    import java.net.InetSocketAddress;
    import java.net.Socket;
    import java.net.SocketAddress;
    import java.security.Principal;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;
    import java.util.Properties;
    import javax.net.ssl.X509ExtendedKeyManager;

    public class CustomKeyManager extends X509ExtendedKeyManager {
        private X509ExtendedKeyManager defaultKeyManager;   // the JSSE key manager built from the keystore
        private Properties serverMap;                       // upper-case host name -> keystore alias

        public CustomKeyManager(X509ExtendedKeyManager defaultKeyManager, Properties serverMap) {
            this.defaultKeyManager = defaultKeyManager;
            this.serverMap = serverMap;
        }

        public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
            SocketAddress socketAddress = socket.getRemoteSocketAddress();
            String hostName = ((InetSocketAddress) socketAddress).getHostName().toUpperCase();
            String alias = null;
            if (serverMap.containsKey(hostName)) {
                alias = serverMap.getProperty(hostName);
                if (alias != null && alias.length() == 0) {
                    alias = null;   // an empty mapping means "send no certificate to this host"
                }
            } else {
                alias = defaultKeyManager.chooseClientAlias(keyType, issuers, socket);
            }
            return alias;
        }

        // The remaining X509KeyManager methods simply delegate to the default key manager.
        public String[] getClientAliases(String keyType, Principal[] issuers) { return defaultKeyManager.getClientAliases(keyType, issuers); }
        public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return defaultKeyManager.chooseServerAlias(keyType, issuers, socket); }
        public String[] getServerAliases(String keyType, Principal[] issuers) { return defaultKeyManager.getServerAliases(keyType, issuers); }
        public X509Certificate[] getCertificateChain(String alias) { return defaultKeyManager.getCertificateChain(alias); }
        public PrivateKey getPrivateKey(String alias) { return defaultKeyManager.getPrivateKey(alias); }
    }

    Topic was correctly answered by ejp in the crypto forum,
    namely: javax.net.ssl.X509KeyManager.chooseClientAlias() is called if there was an incoming CertificateRequest, according to the JSSE source code. If there's an SSLEngine it calls javax.net.ssl.X509ExtendedKeyManager.chooseEngineClientAlias() instead.
    You can create your own SSLContext with your own X509KeyManager, get its socketFactory, and set that as the socket factory for HttpsURLConnection.
    Edited by: wick123 on Mar 5, 2008 10:26 AM
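As an added example, written for this page and not taken from the thread or the JDK, this is the "smart key manager" option from the first question done the way ejp's answer requires: a wrapper around JSSE's own key manager that overrides both chooseClientAlias (SSLSocket path) and chooseEngineClientAlias (SSLEngine path), picks the alias by destination host, and only returns an alias the server's CertificateRequest would actually accept. The two vendors' PKCS12 files are merged into one in-memory keystore under vendor-prefixed aliases so a single SSLContext serves every destination. Vendor names, host names, file paths and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketAddress;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

// Picks the client certificate by destination host. Both JSSE entry points are overridden:
// chooseClientAlias serves SSLSocket connections, chooseEngineClientAlias serves SSLEngine
// ones, and neither is called unless the server actually sent a CertificateRequest.
public final class HostAliasKeyManager extends X509ExtendedKeyManager {
    private final X509ExtendedKeyManager delegate;    // JSSE's key manager for the merged keystore
    private final Map<String, String> hostToVendor;   // lower-case host name -> vendor name

    public HostAliasKeyManager(X509ExtendedKeyManager delegate, Map<String, String> hostToVendor) {
        this.delegate = delegate;
        this.hostToVendor = hostToVendor;
    }

    @Override
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        SocketAddress addr = socket == null ? null : socket.getRemoteSocketAddress();
        // getHostString avoids a reverse-DNS lookup when the socket was opened by name.
        String host = addr instanceof InetSocketAddress ? ((InetSocketAddress) addr).getHostString() : null;
        String mapped = vendorAlias(host, keyType, issuers);
        return mapped != null ? mapped : delegate.chooseClientAlias(keyType, issuers, socket);
    }

    @Override
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        String host = engine == null ? null : engine.getPeerHost();
        String mapped = vendorAlias(host, keyType, issuers);
        return mapped != null ? mapped : delegate.chooseEngineClientAlias(keyType, issuers, engine);
    }

    // Alias of the mapped vendor's key, but only if the delegate would offer it for the key
    // types and issuer names the server asked for; null otherwise, so the caller falls back
    // instead of presenting a certificate the server cannot accept.
    private String vendorAlias(String host, String[] keyType, Principal[] issuers) {
        String vendor = host == null ? null : hostToVendor.get(host.toLowerCase(Locale.ROOT));
        if (vendor == null || keyType == null) return null;
        String prefix = vendor.toLowerCase(Locale.ROOT) + ":";
        for (String kt : keyType) {
            String[] candidates = delegate.getClientAliases(kt, issuers);
            if (candidates == null) continue;
            for (String c : candidates) if (c.startsWith(prefix)) return c;
        }
        return null;
    }

    // Plain delegation for the rest of the X509KeyManager contract.
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return delegate.chooseServerAlias(kt, is, s); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }

    // Merges several vendors' PKCS12 files (vendor -> {path, password}) into one in-memory
    // keystore under "<vendor>:<alias>" names and returns an SSLContext that chooses the
    // client certificate by host. Null trust managers mean the JVM default trust store.
    public static SSLContext buildContext(Map<String, String[]> vendorFiles,
                                          Map<String, String> hostToVendor) throws Exception {
        char[] memPw = "in-memory".toCharArray();   // guards only the transient merged copy
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null);
        for (Map.Entry<String, String[]> e : vendorFiles.entrySet()) {
            char[] pw = e.getValue()[1].toCharArray();
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(e.getValue()[0])) { ks.load(in, pw); }
            for (Enumeration<String> al = ks.aliases(); al.hasMoreElements();) {
                String a = al.nextElement();
                if (!ks.isKeyEntry(a)) continue;
                // PKCS12 stores aliases lower-cased, so build the prefixed name the same way.
                String name = (e.getKey() + ":" + a).toLowerCase(Locale.ROOT);
                merged.setKeyEntry(name, ks.getKey(a, pw), memPw, ks.getCertificateChain(a));
            }
        }
        // SunX509 returns keystore aliases unchanged; the PKIX ("NewSunX509") manager
        // prefixes them with internal indexes, which would defeat the prefix match above.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(merged, memPw);
        X509ExtendedKeyManager base = (X509ExtendedKeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] {new HostAliasKeyManager(base, hostToVendor)}, null, null);
        return ctx;
    }
}
```

Wire it up with something like buildContext(vendorFiles, hostToVendor).getSocketFactory() passed to HttpsURLConnection.setSSLSocketFactory, with hostToVendor mapping e.g. "api.vendor-a.example" to "vendorA". Two caveats a practitioner should know: if the original poster's symptom persists after overriding both methods, the server is not sending a CertificateRequest at all, which no key manager can fix; and behind an HTTP CONNECT proxy the socket's remote address is the proxy, so in that deployment derive the host from the handshake session (SSLSocket.getHandshakeSession().getPeerHost()) or from the SSLEngine instead of the socket address.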

  • SSL: how to use Multiple Private key/Certificate pair for authentication.

    Hi all,
    I am implementing SSL in Java using an X509 certificate/private key combination.
    I have two sets of private key/certificate pairs.
    One is the factory default and another is generated at run time.
    My problem is to try the SSL connection with both pairs on the same TCP/IP connection.
    e.g. on the server side: first try the SSL connection with the factory default certificate; if it fails, try connecting with the generated certificate on the same TCP/IP connection.
    On the client side: if the generated certificate (this certificate was generated at the server side) is present, first perform server authentication using this certificate; otherwise authenticate the server with the factory default certificate.
    Can someone please help and let me know how I need to configure both ends (client and server) to achieve this.
    Thanks In Advance
    Saurabh Ahuja

    "Client code does not contain any default truststore and needs a certificate for authentication."
    Of course it does. OpenSSL has a way of doing that: some kind of equivalent for the truststore. None of the stuff you've posted here about generating certificates at runtime has any bearing on that problem.
    It's like this. The idea of PKI with SSL is as follows:
    - the server has a private key and a signed certificate. Preferably it's signed by a CA that the client already trusts, otherwise if it's self-signed it has to be exported from the server's keystore and imported into the truststores of all the clients.
    - the client has a truststore that trusts the server, one way or the other, see above.
    - the server's private key is private to it. Nobody else has it. Nobody else can ever get it. If it ever leaks, the server is compromised, and server authentication via that private key now means absolutely nothing. You have lost security.
    - the server sends its cert to the client along with a digital signature signed by its private key.
    - the client (a) decides whether it trusts the cert, via its truststore, and (b) verifies the digital signature, which establishes that the server owns the certificate.
    At this point the server is authenticated to the client and the SSL connection is open. It can now be used as an ordinary socket connection.
    If you want client authentication too, you need all the above in reverse as well, i.e. reading server for client and client for server throughout. Note particularly that each client must have its own private key. Otherwise the private key isn't private, so signing something with it doesn't establish ownership, so client authentication isn't valid.
    You need to understand all this stuff and relate it to the apparently broken security design of your application. Generating a private key and a certificate at runtime is complete nonsense within the context of PKI and SSL. It proves nothing, establishes nothing, authenticates nothing; it just wastes time.

  • How to use digital certificate for client authentication in PCK

    My SAP JCA adapter needs to support digital certificates for client authentication. How do I implement it in J2EE or PCK?
    Message was edited by: Spring Tang

    refer the following links
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/092dddc6-0701-0010-268e-fd61f2035fdd
    https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/b2a56861-0601-0010-bba1-e37eb5d8d4a9
    Please let me know if you don't find relevant information.

  • Certificates issued by communications server for client authentication

    Hi,
    we ran into a problem with those certificates that are being issued by the Lync server itself. In our enterprise we have CX600 and CX3000 phones, and I know that certificate authentication is required for the phones to work (both for the registrar and the web service).
    However, now that users have Lync installed, they have their Communications Server certificate assigned as well. The problem is when a user needs to sign a document with the certificate from our private CA: for most of the users, Word or Excel suggests
    using a certificate issued by Communications Server, not our enterprise CA. Maybe there is a way for Lync to trust the private enterprise CA and not give out its own certificates and STILL use certificate authentication?
    Thanks!

    Facing almost the same issue, Lync (server) issues ClientAuth certs from "Communication Server" (which btw
    is not trusted of course), and in turn forces users to make a selection of which VPN cert to use when dialing in; instead of only one ClientAuth cert installed, they now have 2 ClientAuth certs installed, which our internal CAs should care about and NOT
    the Lync (server).
    Don't get how an MS product of this caliber can be built without proper PKI integration, how can it NOT utilize internally issued certs for client authentication???
    Not the first though, SCCM and OSD is another example....
    However, are you saying that Lync communication can't be used without certificate authentication,
    without the user being spammed with credential prompts?
    Trying to get clarification on this...

  • HTTPS Without client authentication shows error of Certificate

    Hi Experts,
    I am trying to develop a SOAP to RFC scenario where in the SOAP sender the HTTP security level "HTTPS Without Client Authentication" is selected.
    I have downloaded the WSDL from the sender agreement and am trying to test the web service from SOAPUI.  Now as per my understanding simply placing the request to HTTPS:<host>:<port>:XISOAPAdapter/....   with the correct user should work and this scenario shouldn't need any certificates.
    However in SOAPUI and even in the RWB SOAP Sender, I am receiving the error - Client Certificate required.
    Any comments on why it would be happening?    In fact whatever option in HTTP Security level I select, the error remains the same. In NWA is there any other configuration to be done to make this work?
    Is below understanding right ?
    -- >> HTTPS Without client authentication will not need certificate exchange and simply user authentication will do
    Thanks..
    regards,
    Omkar.

    Hello Omkar,
    What you are trying to do is consume a SOAP->RFC scenario (synchronous) from SOAP UI and you want that to be secure. With this requirement, just having the certificates alone is not sufficient (sorry for the late response.. I just came across this post when I was searching for something else).
    1) How did you generate the certificate and the private key? Because key generation plays a big part in it. The key should have been signed by a CA. Even if it's not signed by a CA, a trick which would work is, at the time of key generation, provide the Organization Name as SAP Trust Community and Country as DE.
    2) At the time of key generation it will definitely ask for a password. Remember that.
    3) Export the private key in PKCS12 format and the certificate in Base64 format and keep them on your local system (they will be used later in SOAP UI and NWA).
    Here follows the major part
    4) Open NWA and go to Configuration Management->Authentication
    5) Go to the Properties tab and click Modify
    6) Under Logon Application select the check box "Enable Showing Certificate Logon URL Link on Logon Page" and save it.
    7) Now go to the Components tab.
    8) Search for the client_cert Policy Configuration name and edit it. Make sure the following Login Modules are maintained in the same order
    ==> Name: com.sap.engine.services.security.server.jaas.ClientCertLoginModule
           Flag : Sufficient
    ==> Name: BasicPasswordLoginModule
           Flag: Optional
    9) Now select the name com.sap.engine.services.security.server.jaas.ClientCertLoginModule and you can see lots of entries under the Login Module Options. Remove them all and add a new entry (case sensitive). Save it.
    ==>Name: Rule1.getUserFrom
           value : wholeCert
    10) Now search for the Policy Configuration name sap.com/com.sap.aii.adapter.soap.app*XISOAPAdapter and edit it.
    11) Under the Authentication stack select the template client_cert against the used template label, and save it.
    12) If you are using the AXIS adapter, do step 11 for the Policy Configuration name sap.com/com.sap.aii.axis.app*XIAxisAdapter.
    13) Now in NWA navigate to Operation Management->Identity Management
    14) Search for the user PIISUSER (or any user id which you think has a good amount of authorizations to access the service)
    15) Click Modify, go to the Certificates tab and upload the certificate (not the private key) which you downloaded in step 3.
    16) With this setup what you have done is: you have created a proper certificate, enabled certificate-based logon for the SOAP and AXIS adapters and associated the certificate with a user id.
    17) Usually in dual stack PI, we will have the same certificate added to the server PSE in the STRUSTSSO2 tcode. But since it's single stack, just make sure that in Certificates and Keys you add this certificate to the Trusted CAs and also to the Server Keystore.
    18) Now in SOAP UI right-click on the Project Name->Select Show Project View->Under the WS Security Configurations->Go to Keystore and certificates and add the private key
    19) In SOAP UI under the operation name, in the Request, instead of providing user credentials, choose the private key name against the SSL Keystore entry.
    20) Before you execute the scenario make sure you have chosen the HTTPS url and the https port is proper. Usually it's 443, but some customers configure their own port.
    The scenario should work now. Otherwise, if you track it using XPI Inspector, you can easily find out at which step it has gone wrong.
    Good Luck!!
    Best Regards,
    Sundar

  • Cisco ISE authentication failed because client reject certificate

    Hi Experts,
    I am a newbie in ISE and having problem in my first step in authentication. Please help.
    I am trying to deploy a standalone Cisco ISE 1.1.2 with WLC using 802.1x authentication. The user authentication is configured to be checked against ISE's internal user database for early deployment. But when the user tries to authenticate, they fail with this error message in ISE:
    Authentication failed : 12321 PEAP failed SSL/TLS handshake because the client rejected the ISE local-certificate
    I've generated a certificate for ISE using Windows Server CA and replaced ISE's self-signed certificate with the new certificate but authentication still fails with the same error message. Must I generate a certificate for the WLC also? Please help me in solving this problem.
    Regards,
    Ratna

    Certificate-Based User Authentication via Supplicant Failing
    Symptoms or Issue: User authentication is failing on the client machine, and the user is receiving a "RADIUS Access-Reject" form of message.
    Conditions: This issue occurs with authentication protocols that require certificate validation.
    Possible Authentications report failure reasons:
    • "Authentication failed: 11514 Unexpectedly received empty TLS message; treating as a rejection by the client"
    • "Authentication failed: 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate"
    Click the magnifying glass icon from Authentications to display the following output in the Authentication Report:
    • 12305 Prepared EAP-Request with another PEAP challenge
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is reusing an existing session
    • 12304 Extracted EAP-Response containing PEAP challenge-response
    • 11514 Unexpectedly received empty TLS message; treating as a rejection by the client
    • 12512 Treat the unexpected TLS acknowledge message as a rejection from the client
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    • 11006 Returned RADIUS Access-Challenge
    • 11001 Received RADIUS Access-Request
    • 11018 RADIUS is re-using an existing session
    • 12104 Extracted EAP-Response containing EAP-FAST challenge-response
    • 12815 Extracted TLS Alert message
    • 12153 EAP-FAST failed SSL/TLS handshake because the client rejected the Cisco ISE local-certificate
    • 11504 Prepared EAP-Failure
    • 11003 Returned RADIUS Access-Reject
    Note: This is an indication that the client does not have or does not trust the Cisco ISE certificates.
    Possible Causes: The supplicant or client machine is not accepting the certificate from Cisco ISE. The client machine is configured to validate the server certificate, but is not configured to trust the Cisco ISE certificate.
    Resolution: The client machine must accept the Cisco ISE certificate to enable authentication.

  • Logout from an "https client authentication (public key certificate)"

    Hi ,
    I am using an https client authentication (public key certificate) to login to my ADF faces website
    How can I log out from the application? It seems session.invalidate() is not working because my login information is still displayed after running the logout method (below).
    Note that this logout method was working well with the Form-Based Authentication.
    Thank you
    Jamil
    // imports the backing-bean method relies on
    import javax.faces.context.ExternalContext;
    import javax.faces.context.FacesContext;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpSession;

    public String logout() {
        ExternalContext ectx = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletRequest request = (HttpServletRequest) ectx.getRequest();
        HttpServletResponse response = (HttpServletResponse) ectx.getResponse();
        HttpSession session = (HttpSession) ectx.getSession(false);
        session.invalidate();
        // ADF authentication servlet logout, then land on the logout page
        String temp = request.getContextPath() + "/adfAuthentication?logout=true&end_url=/faces/logout";
        try {
            ectx.redirect(temp);
            FacesContext.getCurrentInstance().responseComplete();
        } catch (Exception ex) {
            System.out.println("Exception in logout()");
            return null;
        }
        return null; // navigation is handled by the redirect, not by a JSF outcome
    }

    Can you try with the null chk.. as this piece of code is working fine for us
    public void logout(ActionEvent evt) {
        FacesContext fc = FacesContext.getCurrentInstance();
        HttpSession session = (HttpSession) fc.getExternalContext().getSession(false);
        HttpServletRequest request = (HttpServletRequest) fc.getExternalContext().getRequest();
        HttpServletResponse response = (HttpServletResponse) fc.getExternalContext().getResponse();
        try {
            if (session != null) {
                session.invalidate();
            }
            fc.getExternalContext().redirect(request.getContextPath() + "/faces/index");
        } catch (Exception exp) {
            try {
                fc.getExternalContext().redirect("/faces/Error");
            } catch (Exception ex) {
            }
        }
    }

  • Certificate-Based Client authentication slowness (DSEE 6.3.1)?

    I seem to be seeing very slow operations involving certain certificate-based client interactions.
    I have a user with an application that connects via LDAPS (port 636), does an anonymous bind, and then binds as a specific user. This application is written using .Net (System.DirectoryServices.Protocols library) and housed on an IIS web server that has a certificate signed by Equifax.
    The application performs relatively quickly (operations take an elapsed time of less than 1 second) if:
    1. "Client Authentication" is set to "Allow Certificate-Based Client authentication" and there is no Equifax CA cert in the list of CA Certificates.
    or 2. "Client Authentication" is set to "Do Not Allow Certificate-Based Client authentication".
    If I have "Allow Certificate-Based Client authentication" and the Equifax CA cert installed, all operations by the application succeed but show an elapsed time of about 13-14 seconds.
    The Equifax CA cert should be trusted (certutil shows flags: CT,, )
    Has anyone seen anything like this? I've not been able to figure out how to get additional logging re: the certificate exchange other than grabbing the raw data from ssltap (which I'm not sure I correctly understand). I turned up the infolog levels to include connection management and packets, but that didn't provide what I was looking for.
    Additional troubleshooting info:
    dsadm -V[dsadm]
    dsadm : 6.3.1 B2008.1121.0308 NAT
    [slapd 32-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3.1_RME_6915746 B2010.0112.1626 32-bit
    ns-slapd : 6.3.1 B2008.1121.0308 NAT
    Slapd Library : 6.3.1_RME_6915746 B2010.0112.1626
    Front-End Library : 6.3.1 B2008.1121.0308
    [slapd 64-bit]
    Sun Microsystems, Inc.
    Sun-Java(tm)-System-Directory/6.3.1_RME_6915746 B2010.0112.1631 64-bit
    ns-slapd : 6.3.1 B2008.1121.0308 NAT
    Slapd Library : 6.3.1_RME_6915746 B2010.0112.1631
    Front-End Library : 6.3.1 B2008.1121.0308

    The only thing I can think of off the top of my head is if the server is doing a callout to an external site for something like a CRL. Even though the traffic is encrypted, you should be able to see something like that in a packet trace even so.

  • How can i specify a specific certificate for client authentication

    hi all,
    I'm currently using a PKCS11 smartcard device to authenticate against a directory server from Java.
    Everything works perfectly when using cards with the authentication certificate as the first in the keystore.
    Unfortunately the cards I need to handle can have either auth or sign as the first certificate.
    Is there a way to select explicitly which certificate to present during the SSL handshake?
    thanks a lot in advance

    Look into the following:
    -- page protect property of the repeating frame
    -- Maximum number of records per page property
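
One way to select the certificate explicitly, as an added example written for this page (it is not code from the thread or from the JDK): a custom X509ExtendedKeyManager that returns one fixed alias from chooseClientAlias, so JSSE never falls back to the first entry that happens to match. FixedAliasKeyManager, contextFor, loadPkcs12, the file names vendor-a.p12 and vendor-b.p12, the aliases vendor-a-client and vendor-b-client, the passwords and the vendor-*.example URLs are all placeholders. For a smart card, load the keystore with KeyStore.getInstance("PKCS11") and load(null, pin) and pass the same PIN as keyPassword; the example assumes the SunPKCS11 provider's default keystore compatibility mode, which accepts that. Because each SSLContext is handed to a connection through setSSLSocketFactory, two client identities can be used side by side in one JVM without touching the javax.net.ssl.keyStore system properties.

```java
import java.io.InputStream;
import java.net.Socket;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;

/** Presents exactly one keystore alias as the client identity during the TLS handshake. */
public final class FixedAliasKeyManager extends X509ExtendedKeyManager {
    private final String alias;
    private final PrivateKey key;
    private final X509Certificate[] chain;

    public FixedAliasKeyManager(KeyStore ks, String alias, char[] keyPassword) throws GeneralSecurityException {
        Key k = ks.getKey(alias, keyPassword);            // for a PKCS11 keystore this is the card PIN
        if (!(k instanceof PrivateKey)) {
            throw new KeyStoreException("alias '" + alias + "' holds no private key");
        }
        Certificate[] certs = ks.getCertificateChain(alias);
        if (certs == null || certs.length == 0) {
            throw new KeyStoreException("alias '" + alias + "' has no certificate chain");
        }
        X509Certificate[] x509 = new X509Certificate[certs.length];
        for (int i = 0; i < certs.length; i++) {
            x509[i] = (X509Certificate) certs[i];         // fail fast on a non-X.509 entry
        }
        x509[0].checkValidity();                          // expired cert surfaces at startup, not on first request
        this.alias = alias;
        this.key = (PrivateKey) k;
        this.chain = x509;
    }

    // Client-side selection: whatever key types/issuers the server asks for, answer with our alias.
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) { return alias; }
    @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine engine) { return alias; }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }

    // Outbound client authentication only: never offer this key as a server identity.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }

    @Override public X509Certificate[] getCertificateChain(String a) { return alias.equals(a) ? chain.clone() : null; }
    @Override public PrivateKey getPrivateKey(String a) { return alias.equals(a) ? key : null; }

    /** SSLContext bound to one alias; trustStore == null means the JRE default trust store. */
    public static SSLContext contextFor(KeyStore ks, String alias, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new FixedAliasKeyManager(ks, alias, keyPassword) }, tmf.getTrustManagers(), null);
        return ctx;
    }

    static KeyStore loadPkcs12(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Constructed usage: one context per peer, applied per connection, no System properties involved.
    public static void main(String[] args) throws Exception {
        char[] pwA = "vendor-a-password".toCharArray();   // placeholder credentials
        char[] pwB = "vendor-b-password".toCharArray();
        SSLContext vendorA = contextFor(loadPkcs12(Paths.get("vendor-a.p12"), pwA), "vendor-a-client", pwA, null);
        SSLContext vendorB = contextFor(loadPkcs12(Paths.get("vendor-b.p12"), pwB), "vendor-b-client", pwB, null);

        HttpsURLConnection a = (HttpsURLConnection) new URL("https://vendor-a.example/api").openConnection();
        a.setSSLSocketFactory(vendorA.getSocketFactory());   // this connection authenticates with A's certificate
        HttpsURLConnection b = (HttpsURLConnection) new URL("https://vendor-b.example/api").openConnection();
        b.setSSLSocketFactory(vendorB.getSocketFactory());   // this one with B's certificate
        System.out.println("A: " + a.getResponseCode() + "  B: " + b.getResponseCode());
    }
}
```

Pinning an alias also bypasses the default key manager's filtering on the key types and issuers the server lists in its CertificateRequest: if the pinned chain is not acceptable to that server, the handshake fails with an alert instead of quietly switching to another certificate, which is the failure mode you want when the wrong card slot is the bug. The constructor checks the alias at construction time so a missing key or an expired certificate shows up as a startup error rather than as an unexplained connection failure.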
