OWA and ActiveSync certificate based authentication

Similar Messages

• Anyconnect 3.1 and user certificate-based authentication

  Hi experts,
  I'm trying to test a basic full tunnel VPN connection from Anyconnect 3.1 installed on a Windows 7 machine to a Cisco ASA, using only certificate authentication.
  Steps i took:
  1) I've created a Windows 2008 certificate authority for testing, and imported the root CA certificate into both the Windows 7 client and into Cisco ASA
  2) I generated a certificate signing request on the W7 client, got that signed by W2008 CA and imported the signed certificate into W7. Both user certificate and root CA are in the personal certificate store
  3) On ASA, I've also generated a certificate signing request, got that signed by W2008 CA and imported the signed certificate back in ASA
  I then used ASDM to configure ASA to support Anyconnect on its untrust interface.
  When I use Anyconnect on the W7 client to connect to ASA, I got "No valid certificates available for authentication" and "certificate validation failure" messages as seen in the below screenshot
  I can confirm that both user and root CA certificate exist in the personal certificate store
  The corresponding ASA configuration and debug output are shown in the attached txt file. On the ASA, I've made sure its ID certificate has CN=<public IP of ASA> since I don't have a DNS setup in place.
  Can anyone suggest what could be wrong with my setup?

  Problem has been fixed by using IP address instead of hostname in the Anyconnect Client profile, since I don't have a DNS setup in my environment.
  Once that is done I was able to connect and authenticate using user certificates.
  ASA1# sh vpn-sessiondb detail anycon
  Session Type: AnyConnect Detailed
  Username     : cisco                  Index        : 2
  Assigned IP  : 10.5.1.100             Public IP    : 10.3.1.10
  Protocol     : IKEv2 IPsecOverNatT AnyConnect-Parent
  License      : AnyConnect Premium
  Encryption   : AES256                 Hashing      : none SHA1
  Bytes Tx     : 0                      Bytes Rx     : 30758
  Pkts Tx      : 0                      Pkts Rx      : 195
  Pkts Tx Drop : 0                      Pkts Rx Drop : 0
  Group Policy : GroupPolicy_VPN-CP1    Tunnel Group : VPN-CP1
  Login Time   : 06:40:49 UTC Wed Feb 19 2014
  Duration     : 0h:07m:38s
  Inactivity   : 0h:00m:00s
  NAC Result   : Unknown
  VLAN Mapping : N/A                    VLAN         : none
  IKEv2 Tunnels: 1
  IPsecOverNatT Tunnels: 1
  AnyConnect-Parent Tunnels: 1
  AnyConnect-Parent:
    Tunnel ID    : 2.1
    Public IP    : 10.3.1.10
    Encryption   : none                   Auth Mode    : Certificate
    Idle Time Out: 30 Minutes             Idle TO Left : 22 Minutes
    Client Type  : AnyConnect
    Client Ver   : 3.1.05152
  IKEv2:
    Tunnel ID    : 2.2
    UDP Src Port : 50530                  UDP Dst Port : 4500
    Rem Auth Mode: Certificate
    Loc Auth Mode: rsaCertificate
    Encryption   : AES256                 Hashing      : SHA1
    Rekey Int (T): 86400 Seconds          Rekey Left(T): 85941 Seconds
    PRF          : SHA1                   D/H Group    : 5
    Filter Name  :
    Client OS    : Windows
  IPsecOverNatT:
    Tunnel ID    : 2.3
    Local Addr   : 0.0.0.0/0.0.0.0/0/0
    Remote Addr  : 10.5.1.100/255.255.255.255/0/0
    Encryption   : AES256                 Hashing      : SHA1
    Encapsulation: Tunnel
    Rekey Int (T): 28800 Seconds          Rekey Left(T): 28341 Seconds
    Rekey Int (D): 4608000 K-Bytes        Rekey Left(D): 4607970 K-Bytes
    Idle Time Out: 30 Minutes             Idle TO Left : 29 Minutes
    Bytes Tx     : 0                      Bytes Rx     : 31218
    Pkts Tx      : 0                      Pkts Rx      : 196
  NAC:
    Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
    SQ Int (T)   : 0 Seconds              EoU Age(T)   : 459 Seconds
    Hold Left (T): 0 Seconds              Posture Token:
    Redirect URL :

• Certificate based authentication for Exchange ActiveSync in Windows 8.* Mail app

  I have a Surface Pro and want to setup access to my company's Exchange server that accepts only Exchange ActiveSync certificate-based authentication.
  I've installed server certificates to trusted pool and my certificate as personal.
  Then I can connect thru Internet Explorer, but this is not comfortable to use.
  I don't have a password because of security politics of our company. When I'm setting up this account on my Android phone I'm using any digit for password and it works perfectly.
  Can someone help to setup Windows 8 metro-style Mail application? Does it supports this type of auth? When I'm trying to add account with type Outlook, entering server name, domain name, username, 1 as a password then I've got a message like "Can't
  connect. Check your settings."
  Is there any plans to implement this feature?

  For what it's worth we have CBA working with Windows 8.1 Pro.  In our case we have a MobileIron Sentry server acting as an ActiveSync reverse-proxy, so it verifies the client cert then uses Kerberos Constrained Delegation back to the Exchange CAS, however
  it should work exactly the same to the Exchange server directly.  I just used the CA to issue a User Certificate, exported the cert, private key and root CA cert, copied to the WinPro8.1 device and into the Personal Store.  Configured the Mail app
  to point at the ActiveSync gateway, Mail asked if I would like to allow it access the certificate (it chose it automatically) and mail synced down immediately...
  So it definitely works with Windows Pro 8.1.

• NPS and Cisco ASA 5510 - AnyConnect Certificate based authentication

  Hi everyone,
  Hoping someone can help please.
  We're trying to go for a single VPN solution at our company, as we currently have a few through, when buying other companies.
  We're currently running a 2008 R2 domain, so we're looking at NPS and we have Cisco ASA 5510 devices for the VPN side.
  What we would like to achieve, is certificate based authentication. So, user laptop has certificate applied via group policy based on domain membership and group settings, then user goes home. They connect via Cisco AnyConnect via the Cisco ASA 5510 and
  then that talks to MS 2008 R2 NPS and authenticates for VPN access and following that, network connectivity.
  Has anyone implemented this before and if so, are there any guides available please?
  Many Thanks,
  Dean.

  Hi Dean,
  Thanks for posting here.
  Yes, this is possible . But we have guide about a sample that using Windows based server (RRAS) to act as VPN server and working with Windows RADIUS/NPS server and use certificate based authentication method (Extensible Authentication Protocol-Transport
  Layer Security (EAP-TLS) or PEAP-TLS without smart cards) for reference :
  Checklist: Configure NPS for Dial-Up and VPN Access
  http://technet.microsoft.com/en-us/library/cc754114.aspx
  Thanks.
  Tiger Li
  Tiger Li
  TechNet Community Support

• ActiveSync with Certificate-Based Authentication

  We are trying to setup ActiveSync with certificate-based authentication against Exchange 2010 SP2, but with no luck.
  What has been done so far:
  OWA over https works fine. A public, trusted certificate is in place.
  Setup ActiveSync against this Exchange server: works fine, using user name/password.
  Issued a user cert, signed with an internal CA, CA-cert successfully imported into al client devices.
  Created a new OWA-site with cert-based authentication (just to make sure it works), imported user certificate into a mac, visit this OWA site - cert-based authentication works fine.
  Now, with the configuration utility, created configuration profile with that user cert and an ActiveSync account, left password blank and chose the imported cert (p12) as authentication means.
  After installing that last profile the device keeps asking for a password and refuses to synchronize. Logs on the server show error 401.2, so I assume iPhone is ignoring the cert and is trying to use password-authentication instead.
  The devices tested were iPhone 3G with IOS 4 and iPad 2 with IOS 5.
  Any help will be greatly appreciated.
  Roman.

  No-one with this experience?
  We've done some network analysis (as much as was possible to decrypt) and could see, that the server sends an SSL-Alert (rejection?) to the client after the client presents the certificate.
  That explains why the client falls back to password-authentication, but it does not tell us why the server rejects the cert (that is accepted perfectly when accessed from a browser) in first place.

• Exchange 2010 SP3 OWA with certificate based authentication

  Hi,
  I have a bizarre problem in my customer’s environment. Maybe someone has an idea.
  Exchange 2010 with SP3, latest cumulative Update installed.
  The problem I’m having is that when I enable Certificate based authentication (require client certificate option in IIS) on OWA and ECP virtual directories in conjunction with forms based authentication (this is the requirement – the user
  must have a client certificate and type in username and password to log in to OWA), the result is that after the user selects the certificate he wants to use, he is logged into OWA automatically, but cannot use the website, because it’s being constantly automatically
  refreshed (or redirected to itself or something like that). The behavior occurs with all users, with any browser. If client certificate is on required, forms based authentication works just fine. If I switch to “Basic Authentication” and enable client certificate
  requirement, then OWA act’s as it should be – so no problems. The problem only occurs when authentication type is forms based and client certificates are required.
  I have tried the exact same settings (as far as I can tell) on one other production server and one test server, and encountered no such problems.
  Anyone – any ideas?

  Hi McWax,
  According to your description and test, I understand that all accounts cannot login OWA when select require client certificate.
  Is there any error message when open OWA or login? For example, return error ”HTTP error: 403 - Forbidden”. Please post relative error for further troubleshooting.
  I want to confirm which authentication methods are used for OWA, Integrated Windows authentication or Digest authentication? More details about it, for your reference:
  http://technet.microsoft.com/en-us/library/bb430796(v=exchg.141).aspx
  If you select another authentication method, please check whether Client Certificate Mapping Authentication services is installed, and also enabled in IIS, please refer to:
  http://www.iis.net/configreference/system.webserver/security/authentication/clientcertificatemappingauthentication
  To prevent firewall factor, please try to sign in OWA at CAS server. Besides, I find a FAQ about certificate:
  http://technet.microsoft.com/en-us/library/aa998424(v=exchg.80).aspx
  Best Regards,
  Allen Wang

• Certificate Based Authentication - Questions and Authentication Modules

  Hi Everyone
  I'm trying to achieve a specific configuration using AM . I've installed the AM Server 7.1 on a AS9.1EE container and have another AS91EE container on another machine that has the agent configured.
  The AM server is using a DS rep for configurations and dynamic profiles and using a AD rep for authentication.
  What I now need to achieve is authentication base on one of these two way :
  - user and password authentication (which is working)
  - Certificate based authentication ( working on it )
  To configure the Cert. Auth I've started reconfiguring the containers and agent to work in SSL, as said in the manuals. The manuals also say that the containers must have "Client Authentication Enabled", they don't say which ( either the server or agent container or both ) . Also I assume that "Client Authentication Enabled" is refering to the Http Listener configuration of that container.
  When I enable it ( the Client Authentication ) on the http listener for either containers the https connection to that container stops working. In Firefox it simply prompts an error saying that the connection was "interrupted while the page was loading." . On IE, it prompts for a Certificate to be sent to the container and when I provide none, then it gives me the same error as Firefox. In both cases no page was presented.
  Basically what I need is for both authentication methods described before to work! So, asking the certificate ( specially if it wasn't the AM asking for it ) without giving the user a chance to use a user/password combination isn't what is wanted.
  From what I gathered the "Client Authentication" makes this http listener need a certificate to be presented always .
  So, my first question is : is the documentation correct? Does this "Client Authentication" thingy need to be enabled at the listener level?
  2- I'll probably need to code a costum module for this scenario I'm working in because of client requisits, but if possible I would like to use the provided module. Still, in case I need to make on, has anyone made a cert. auth module that they can provide me with so I have a working base to start with?
  3- Is there a tested how-to anywhere on how to configure Cert. Based Authentication?
  All for now,
  Thank you all for your help
  Rp

  Hi Rp,
  We are using AM 7.1 with Certificate Authentication and LDAP Authentication. To answer your question, yes it is possible to use both method at the same time i.e. Use certificate first and then fallback to LDAP.
  First you need to configure AM's webcontainer to accept the certificate. From your message it is clear that you have done that. The only mistake that you did is "made the Client Authentication required". I have done this in Sun WebServer 7.0 and Sun Application Server 7.0 (yeah that is old!!). You need to make the Client Authentication as optional. It means that Certificate will be transferred only when it is available otherwise Web Container will not ask for the Certificate. You will have to search Glassfish website or ASEE 9.1 manual to learn how to make the Client-Authentication Optional. You definitely need this authentication optional as Web Agent will be connecting to this AM and as far as I know they do not have any mechanism to do the Client Authentication.
  Secondly, In AM 7.1, you will have to Set up the Authentication chaining. Where you can make Certificate Module as Sufficient and LDAP module as REQUIRED.
  Thirdly, if you are using an non ocsp based certificate then change the ocsp checking in AMConfig.properties to false.
  Fourth, You may have to write a small custom code to get the profile from your external sources. (if you need to then I can tell you how).
  HTH,
  Vivek

• Certificate Based Authentication and SSL

  To whom it may concern,
  I have installed SJES on Solaris 9 x386 (intel version). Everything is running fine, the mails are also coming and going.
  Now, I need Certificate based authentication and SSL. I have downloaded versign.com trial certificate and have install it succesfully in the Messaging Server Console -- > Manage Certificates. The certificate is also visible in its tab.
  Next, I followed the documentation and enable ssl by using ./configutil utility. And also restarted the server.
  I am running my Messenger express (http) like this :
  http://testing.xyz.com:8100
  (I am using port 8100 for http access to mails). After restarting the mail server, I tried :
  https://testing.xyz.com:8100 also,
  http://testing.xyz.com:443 also,
  https://testing.xyz.com:443 also,
  but I cannot see the login page of the mail server. All the above mention url i tried and just given error "the connection was refused when attempting to contact testing.xyz.com. I CAN ONLY SEE THE LOGIN PAGE WHEN I WRITE THE OLD HTTP ADDRESS: i.e. http://testing.xyz.com:8100
  And I also checked the logs and the server is having no problem in starting and there is not a single word regarding SSL enabling in the logs.
  Please help me out, it's really a strange behaviour. I am using SunONE Messaging Server 6.0.
  Thanking you,
  Farhan Ahmed,
  System Engineer
  Dubai, UAE.

  Dear jay,
  I am pasting a line from imap and http logs ... i don't know what this error means and how to resolve it.
  [29/Dec/2004:14:42:45 +0100] testing imapd[888]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  strange thing is that my certificate name is lowercase server-cert and also i can see in the GUI console the certificate name as lowercase and I have also set this parameter encryption.rsa.nssslpersonalityssl = server-cert (all lowercase), but the error in the log tells it as "Server-Cert" !!!! though it is "server-cert"
  i got this line from the http log:
  [29/Dec/2004:14:42:47 +0100] testing httpd[894]: General Error: SSL initialization error: ASockSSL_Init: couldn't find cert Server-Cert (-8183)
  I haven't missed the sslpassword.conf file step. I have placed the same password which i provided while generating the certificate request in the GUI.
  Help me out what this errors means and how to resolve them. I have also copied the cert7.db and key3.db to /opt/SUNWms*/config directory from the /var/opt/mps/serverroot/alias
  Thanking you,
  Farhan Ahmed,
  System Engineer,
  Dubai Internet City, Dubai, UAE.

• Exchange 2013 - How to configure Outlook Anywhere with certificate based authentication?

  Hello,
  is it possible to secure Outlook Anywhere in Exchange 2013 with certficate based authentication?
  I found documentation to configure CBA for OWA and ActiveSync, but not for Outlook Anywhere.
  We would like to secure external access to the mailboxes via Outlook by using CBA.
  Thanks a lot in advance!
  Regards,
  André

  Hi,
  Let’s begin with the answer in the following thread:
  http://social.technet.microsoft.com/Forums/en-US/e4b44ff0-4416-44e6-aa78-be4c1c03f433/twofactor-authentication-outlook-anywhere-2010?forum=exchange2010
  Based on my experience, Outlook client only has the following three authentication methods:Basic, NTML, Negotiate. And for more information about Security for Outlook Anywhere, you can refer to the following article:
  http://technet.microsoft.com/en-us/library/bb430792(v=exchg.141).aspx
  If you have any question, please feel free to let me know.
  Thanks,
  If you have feedback for TechNet Subscriber Support, contact
  [email protected]
  Angela Shi
  TechNet Community Support

• How does Certificate based authentication work?

  We are doing
  Certificate based authentication in an enterprise with android phones and exchange 2010.
  We are using activesync to talk to exchange over SSL.
  It is working.
  I am trying to document HOW it works (on a fairly high level).
  I have some information, but would like to know what happens when exchange gets the actual client auth cert from the device in the last part of the authentication process.
  Does exchange forward it  in toto to AD, since AD (and its related PKI service) created the cert?
  Thanks.
  Mac

  Hi Ainm
  Exchange ActiveSync supports several types of user authentication. By default, Exchange ActiveSync is configured to use Basic authentication. This transmits the user name and password in clear text. You can configure Exchange ActiveSync to use certificate-based
  authentication. This method uses a certificate on both the server and the device to validate the connection from the device to the server.
  There are differences between the mobile operating systems as to what format they like their certificates in, but both Windows Mobile and iPhone are happy to use pfx files whereas Android prefers it as a p12 (which can be just a renamed pfx file if you like).
  Certificate based authentication is done via kerberos and yes Exchange should perform the lookup with AD  for verifying that your certificate is good and valid.
  Remember to mark as helpful if you find my contribution useful or as an answer if it does answer your question.That will encourage me - and others - to take time out to help you Check out my latest blog posts on http://exchangequery.com Thanks Sathish
  (MVP)

• Need Help about Certificate based Authentication

  Hi friends..
  Currently, i'm trying to develop an applet that using Certificate Based Authentication..
  i have looked at this thread : http://forums.sun.com/thread.jspa?threadID=5433603
  these is what Safarmer says about steps to generate CSR :
  0. Generate key pair on the card.
  1. Get public key from card
  2. Build CSR off card from the details you have, the CSR will not have a signature
  3. Decide on the signature you want to use (the rest assumes SHA1 with RSA Encryption)
  4. Generate a SHA1 hash of the CSR (without the signature section)
  5. Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
  6. Send DigestInfo to the card
  7. On the card, the matching private key to encrypt the DigestInfo
  8. Return the encrypted digest info to the host
  9. Insert the response into the CSR as the signature
  Sorry, i'm a little bit confused about those steps.. (Sorry i'm pretty new in X509Certificate)..
  on step 4,
  Generate a SHA1 hash of the CSR (without the signature section)
  Does it mean we have to "build" CSR looks like :
  Data:
  Version: 0 (0x0)
  Subject: C=US, ST=California, L=West Hollywood, O=ITDivision, OU=Mysys, CN=leonardo.office/[email protected]
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (1024 bit)
  Modulus (1024 bit):
  00:be:a0:5e:35:99:1c:d3:49:ba:fb:2f:87:6f:d8:
  ed:e4:61:f2:ae:6e:87:d0:e2:c0:fd:c1:0f:ed:d7:
  84:04:b5:c5:66:cd:6b:f0:27:a2:cb:aa:3b:d7:ad:
  fa:f4:72:10:08:84:88:19:24:d0:b0:0b:a0:71:6d:
  23:5e:53:4f:1b:43:07:98:4d:d1:ea:00:d1:e2:29:
  ea:be:a9:c5:3e:78:f3:5e:30:1b:6c:98:16:60:ba:
  61:57:63:5e:6a:b5:99:17:1c:ae:a2:86:fb:5b:8b:
  24:46:59:3f:e9:84:06:e2:91:b9:2f:9f:98:04:01:
  db:38:2f:5b:1f:85:c1:20:eb
  Exponent: 65537 (0x10001)
  Attributes:
  a0:00
  on step 5, Build a DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) that contains the message digest generated in the previous step
  How DigestInfo structure (BER encoded TLV that you can get from the PKCS#1 standard) looks like?
  And what is the DigestInfo Contains, and what is TAG for DigestInfo?..
  Please help me regarding this..
  Thanks in advance..
  Leonardo Carreira

  Hi,
  Leonardo Carreira wrote:
  Sorry, Encode the Public Key is handled by On Card Application or Off Card Application?..
  I think its' easier to encode the public key by Off Card app..
  Could you guide me how to achieve this?, i think Bouncy Castle can do this, but sorry, i don't know how to write code for it.. :( All you need to do is extract the modulus and exponent of the public key. These will be in a byte array (response from your card) that you can use to create a public key object in your host application. You can then use this key to create a CSR with bouncycastle.
  I have several some questions :
  1. Does Javacard provide API to deal with DER data format?JC 2.2.1 does not buy JC 2.2.2 does, however I believe this is an optional package though. You can implement this in your applet though.
  2. Regarding the Certificate Based Authentication, what stuff that need to be stored in the Applet?..
  - I think Applet must holds :
  - its Private Key,
  - its Public Key Modulus and its Public Key Exponent,
  - its Certificate,
  - Host Certificate
  i think this requires too much EEPROM to store only the key..This depends on what you mean by Certificate Based Authentication. If you want your applet to validate certificates it is sent against a certificate authority (CA) then you need the public keys for each trust point to the root CA. To use the certificate for the card, you need the certificate and corresponding private key. You would not need to use the public key on the card so this is not needed. You definitely need the private key.
  Here is a rough estimate of data storage requirements for a 2048 bit key (this is done off the top of my head so is very rough):
  ~800 bytes for your private key
  ~260 bytes per public key for PKI hierarchy (CA trust points)
  ~1 - 4KB for the certificate. This depends on the amount of data you put in your cert
  3. What is the appropriate RSA key length that appropriate, because we have to take into account that the buffer, is only 255 bytes (assume i don't use Extended Length)..You should not base your key size on your card capabilities. You can always use APDU chaining to get more data onto the card. Your certificate is guaranteed to be larger than 256 bytes anyway. You should look at the NIST recommendations for key strengths. These are documented in NIST SP 800-57 [http://csrc.nist.gov/publications/PubsSPs.html]. You need to ensure that the key is strong enough to protect the data for a long enough period. If the key is a transport key, it needs to be stronger than the key you are transporting. As you can see there are a lot of factors to consider when deciding on key size. I would suggest you use the strongest key your card supports unless performance is not acceptable. Then you would need to analyse your key requirements to ensure your key is strong enough.
  Cheers,
  Shane

• Certificate based authentication with sender SOAP adapter. Please help!

  Hi Experts,
     I have a scenario where first a .Net application makes a webservice call to XI via SOAP Adapter. Then the input from the .Net application is sent to the R/3 system via RFC adapter.
  .Net --->SOAP -
  >XI -
  >RFC -
  R/3 System
  Now as per client requirement I have to implement certificate based authentication in the sender side for the webservice call. In this case the .Net application is the "client" and XI is the "server". In other words the client has to be authenticated by XI server. In order to accomplish this I have setup the security level in the SOAP sender channel as "HTTPS  with client authentication". Additionally I have assigned a .Net userid in the sender agreement under "Assigned users" tab.
  I have also installed the SSL certificate in the client side. Then generated the public key and loaded it into the XI server's keystore.
  When I test the webservice via SOAPUI tool I am always getting the "401 Unauthorized" error. However if I give the userid/password for XI login in the properties option in the SOAPUI tool then it works fine. But my understanding is that in certificate based authentication, the authentication should happen based on the certificate and hence there is no need for the user to enter userid/password. Is my understanding correct? How to exactly test  certificate based authentication?
  Am I missing any steps for certificate based authentication?
  Please help
  Thanks
  Gopal
  Edited by: gopalkrishna baliga on Feb 5, 2008 10:51 AM

  Hi!
  Although soapUI is a very goot SOAP testing tool, you can't test certificate based authentication with it. There is no way (since I know) how to import certificat into soapUI.
  So, try to find other tool, which can use certificates or tey it directly with the sender system.
  Peter

• Certificate based authentication

  I have a client application that requires certificate based authentication.
  I could not find any instructions on how to set this up in the 11g manuals. So I reverted to the 5.2 manual (http://docs.oracle.com/cd/E19850-01/816-6698-10/ssl.html#18500), and followed some instructions found online.
  I have completed the setup, and the client is able to authenticate using his certificate, and I have verified this in the logs.
  [22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuing,DC=corp,DC=company,DC=lan
  [22/Mar/2012:13:13:33 -0500] conn=34347 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
  [22/Mar/2012:13:13:33 -0500] conn=34347 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
  When adding the usercertificate attribute to the ID I used the following LDIF:
  version: 1
  dn: uid=userid,ou=employees,o=company
  changetype: modify
  replace: userCertificate
  usercertificate: < file:///home/user/Certs/usercert.bin
  the file was a binary encoded certificate file.
  Here is the part that I don't understand when I do a search (or LDIF export) of the user object with the certificate it just returns a short base64 encoded string. when I decode this string, it is just the literal string of "< file:///home/user/Certs/usercert.bin".
  So it appears that the certificate has not been stored on the user object in binary, and yet the certificate authentication still works. The file mentioned, does not exist on the LDAP server (the cert was loaded from another server), so there is no way that it is reading the cert from the file.
  Anyone have any idea what is going on here? And why certificate auth works, when there appears to be not cert stored in LDAP?
  If by chance this is how it is all suppose to work, then how do I go about backing up the usercertificate attribute when I do my LDAP data backups?
  Thanks
  Brian

  Cyril,
  Thanks for the reply.
  I believe I am doing both types of certificate authentication, you are describing. My issue is that when I perform the steps to store the PEM formatted cert into the directory server, rather than storing a binary value of the cert, it appears to be storing the path to the file I attempted to import. The odd part is that I can still authenticate even after this is done.
  I tried to post as much info as I could before without posting any sensitive data, I'll try and expand on that below.
  Here is my documentation of the steps taken to configure the server and setup a user, for what I believe to be certificate based authentication, where the user is authenticated solely on the certificate that they provide (no password is sent).
  1. Server must be running SSL, all connections for Certificate Auth are done over SSL (just a note)
  2. From the DSCC
  ----a. Directory Servers Tab -> Servers Tab -> Click Server Name
  ----b. Security Tab -> General Tab
  ----c. In "Client Authentication" section, select:
  --------i. LDAP Settings: "Allow Certificate-Based Client Authentication"
  --------ii. This should be the default setting.
  3. On the directory server setup the /ldap/dsInst/alias/certmap.conf file:
  ----a. certmap default default
  ----default:DNComps
  ----default:FilterComps uid,cn
  4. restart the directory server
  5. Do the following to setup the user who will be connecting. On their unix account (or similar)
  ----a. Create a directory to hold the certDB
  --------i. mkdir certdb
  ----b. Create a CertDB
  --------i. /ldap/dsee7/bin/certutil -N -d certdb
  ------------1) Enter a password when prompted
  ----c. Import the CA cert
  --------i. /ldap/dsee7/bin/certutil -A -n "OurRootCA" -t "C,," -a -I ~/OurRootCA.cer -d certdb
  ----d. Create a cert request
  --------i. /ldap/dsee7/bin/certutil -R -s "cn=userid,ou=company,l=city,st=state,c=US" -a -g 2048 -d certdb
  ----e. Send the cert request to the PKI Team to generate a user cert
  ----f. Take the text of the generated cert & save it to a file
  ----g. Import the new cert into your certdb
  --------i. /ldap/dsee7/bin/certutil -A -n "certname" -t "u,," -a -i certfile.cer -d certdb
  ----h. Create a binary version of cert
  --------i. /ldap/dsee7/bin/certutil -L -n "certname" -d certdb -r > userid.bin
  ----i. Add the binary cert to the user's LDAP entry (version: 1 must be included - I read this in a doc somewhere, but it doesn't seem to matter)
  --------i. ldapmodify
  ------------1) ldapmodify -h host -D "cn=directory manager" -w password -ac
  ------------2)
  ------------version: 1
  ------------dn: uid=userid,ou=employees,o=company
  ------------sn: Service Account
  ------------givenName: userid
  ------------uid: userid
  ------------description: Service Account for LDAP
  ------------objectClass: top
  ------------objectClass: person
  ------------objectClass: organizationalPerson
  ------------objectClass: inetorgperson
  ------------cn: Service Account
  ------------userpassword: password
  ------------usercertificate: < file:///home/userid/Certs/userid.bin
  ------------nsLookThroughLimit: -1
  ------------nsSizeLimit: -1
  ------------nsTimeLimit: 180
  After doing this setup I am able to perform a search using the certificate:
  ldapsearch -h host -p 1636 -b "o=company" -N "certname" -Z -W CERTDBPASSWORD -P certdb/cert8.db "(uid=anotherID)"
  This search is successful, and I can see it logged, as having been a certificate based authentication:
  [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - fd=136 slot=136 LDAPS connection from x.x.x.x:53574 to x.x.x.x
  [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL 128-bit RC4; client CN=userid,OU=company,L=city,ST=state,C=US; issuer CN=issuer,DC=corp,DC=company,DC=lan
  [23/Mar/2012:13:25:20 -0500] conn=44605 op=-1 msgId=-1 - SSL client bound as uid=userid,ou=employees,o=company
  [23/Mar/2012:13:25:20 -0500] conn=44605 op=0 msgId=1 - BIND dn="" method=sasl version=3 mech=EXTERNAL
  If I understand correctly that would be using the part 2 of your explanation as using the binary encoded PEM to authenticate the user. If I am not understanding that corretly please let me know.
  Now the part that I am really not getting is that the usercertificate that is stored on the ID is as below:
  dn: uid=userid,ou=employees,o=company
  usercertificate;binary:: PCBmaWxlOi8vL2hvbWUvdXNlcmlkL0NlcnRzL3VzZXJpZC5iaW4
  which decodes as: < file:///home/userid/Certs/userid.bin
  So I'm still unclear as to what is going on here, or what I've done wrong. Have I set this up incorrectly such that Part 2 as you described it is not what I have setup above? Or am I missunderstanding part 2 entirely?
  Thanks
  Brian
  Edited by: BrianS on Mar 23, 2012 12:14 PM
  Just adding ---- to keep my instruction steps indented.

• Certificate based authentication with SSL load balancer

  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

  I think the simplest and most secure way is to have the servers configured for
  2-way ssl, since this would ensure that the certificate they receive and use for
  authentication has been validated during the ssl handshake. In this case the load
  balancer itself does not need to and cannot do the handshaking, and would need
  to pass the entire SSL connection through to the WLS server (ie: act similar to
  a router)
  Pavel.
  "George Coller" <[email protected]> wrote:
  >
  I've been asked to implement certificate-based authentication (CBA)
  on a weblogic cluster serving up web services. I've read through
  Chapter 10 (security) and understand the "Identity Assertion" concept.
  Environment:
  Weblogic 8.1 cluster fronted by a load-balancer that handles SSL and
  uses sticky-sessions.
  Question:
  If the load balancer is used to handle SSL, do I still need to turn
  on SSL on the weblogic cluster in order to use CBA? Is there another
  way to request the client's certificate?
  If the above is yes, what is the minnimal level of SSL? Does it have
  to be two-way?
  If SSL has to be turned on is there any reason to use the load
  balancer's SSL? Is there still a performance benefit?

• C4C to CRM integration using HCI Certificate-based Authentication - 403 Forbidden

  Hi Experts,
  In reference from the discussion in this link (Quick Guide on using Certificates for Integrating C4C and ECC using HCI), we need suggestions on why we're getting 403-Forbidden error, what steps did we miss for our communication from C4C to CRM using HCI. 
  We already imported the necessary certificates in the iFlows/SSL Server/Client PSEs signed by Entrust (which is one of the supported CAs and our communication from CRM to C4C certificate-based authentication configuration is working fine) for HCI. We also mapped the HCI client certificate to the CRM user that we created (CODINTEG). Service IDOC is also registered and activated (SICF and SRTIDOC).
  Below are the roles assigned to the user CODINTEG, and the mapping of HCI client certificate in SM30 and also the certificates imported in our SSL Server PSE. Just a note that we're not using SAP webdispatcher as a reverse proxy here for our C4C to CRM connection.
  Thanks in advance.
  Regards,
  Rajiv

  Hello Rajiv,
  for test purpose and for eliminating error reasosns caused by user authorization rights you could assign first SAP_ALL to your communication user. If this works, you should reduce the rights again to a minimum...
  Goto SU01 and edit the user CODINTEG. Goto Tab Profiles and within F4 help tab "Composite Profiles" search for SAP_ALL.
  Best regards,
  Berthold