Anyone run into a issue where Client Certificate does not get presented to GP if its in the Local Ma

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Anyone run into a issue where Client Certificate does not get presented to GP if its in the Local Ma

L3 Networker

Hi

 

Anyone run into a issue where Client Certificate does not get presented to GP if its in the Local Machine Store? I tired giving the user perm but this didnt fix it. Only way to resolve it is to move the cert to the user store, which I dont want to do.


Thaks

18 REPLIES 18

L5 Sessionator

Users with standard permissions don't have access to the machine store. It's not a condition specific to GP.

When you gave permission to the user for the machine cert, how did you do it?


@rmfalconer wrote:

Users with standard permissions don't have access to the machine store. It's not a condition specific to GP.

When you gave permission to the user for the machine cert, how did you do it?


Right click on the machine cert, Manage private keys and add user to read

 

Thanks

L7 Applicator

Going back to basics,,,, have you checked your setting in the portal app...

 

Client Certificate Store Lookup. 

Hate to res an old topic, but I am having this very issue as well.  Running 4.1.8 GP, have AD auto-enrolling workstations for certificates which only places the certificate in the machine store.  The GP Client is setup to look for certificates in the machine store (not both) and I am still getting errors connecting with an error stating 'required client cert not found'.

 

Any thoughts?

Can we assume you can see the cert in the machines personal store when using the mmc.

 

have you tried this firstly with a self signed cert, generate a user cert and manually import into comp store.

 

pretty basic stuff but may be worth going back a few steps to see if its a cert read error or pki issue.

Thanks for the reply, and good call.  I re-imported the self-signed cert (generated by the firewall) I used as a PoC for pre-logon only in the machine store and was able to connect....  Though this leaves me scratching my head the certs permissions are identical, both have the private keys, share the same signature algorithms etc. 

 

The only differences I see are the self-signed cert has an additional 'Intended Purpose' of IP Security end system, and the cert CN.  The self-signed is just some bogus name I made for testing purposes, and the PKI issued one is my machines FQDN. 

 

The certificate profiles in use for the PKI has our Root and intermediate CAs defined with the rest as defaults, and the self-signed certificate profile has the firewalls CA defined with the rest of the options as default.

 

OK so does the PKI cert on the Palo have "Trusted Root CA" ticked....

 

kinda clutching at straws as you seem to have all you need.

 

I doubt if it's anything to do with the username field in the cert profile as that will cause a different error. "certificate invalid".

 

do you get the same error when you browse to https:\\your-portaldotsumfink

 

cancel my previous re trusted root ca. mines not even ticked and works OK, not sure why i said that... hey ho.... 

the PKI certificate with your device name, under the details tab, does it have "Client Authentication" in the enhanced key useage. 

prelogon-cert.jpg

 

It does, I've attached a screen shot of my config.  The green is the self-signed, the blue is our root ca, and red is an intermediate that signed the cert that was deployed to the workstation.

In your GP portal configuration, do you have a certificate profile applied?

In the portal config I do not, but in the gateway I do.  It is when I switch it from the prelogon-cert profile to the internal-PKI profile that I encounter the 'required client cert not found' error.

Do you have a way to distribute a cert to the user store? There could be a permission issue with accessing the computer cert store to verify the correct certificate.

I do not and would actually like to avoid that as I would prefer the machine certificate not follow the user, wherever they login.

 

Out of curiosity do you, or @Mick_Ball, have pre-logon setup using certs auto-enrolled from AD; or are you using the SCEP functionality, or manually generating and importing certs?

  • 7136 Views
  • 18 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!