Cannot install Machine Certificate for GP Pre-logon


L4 Transporter

I encountered a problem installing the machine certificate.

ERROR.png

I followed the article below:
 
We are using a self-signed root CA that is in the cert profile for auth, then generated the server cert and machine cert and signed them with the same root. Then exported as PKCS12.
In the Certificate Profile, I changed the Username Field type from 'None' to 'Subj'.
Made sure I selected the Computer account (default is user account) and cert is in folder "Personal" there.
 
CERT.jpg
 
Tried the MS fix but no luck.
 
Please help!
 
 

L7 Applicator

Hi @FarzanaMustafa.

Have you tried to install the same certificate into the user personal store of the same device, or into another device that is not controlled by group policy etc.?

This will not fix the issue, but you need to first discover if this is a problem with the certificate or the installation process.

Has your root CA been used to generate other successful client auth certs?
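One way to separate a certificate problem from an installation problem on the Windows endpoint, as an added example that is not part of the original thread. The thumbprint is a placeholder, and the checks (store location, private key, validity, EKU, chain to the root) are this example's assumptions about what is worth verifying, not a GlobalProtect requirement list.

```powershell
# Added diagnostic example (not from the thread).
# $Thumbprint is a placeholder: paste the thumbprint of the machine certificate.
$Thumbprint = '<MACHINE-CERT-THUMBPRINT>'

# Installation check: is the certificate in the Computer account "Personal" store?
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) {
    # Finding it only in the user store points at the import target, not the certificate.
    $inUser = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($inUser) { Write-Warning 'Found in CurrentUser\My only: it was imported into the user account.' }
    else { Write-Warning 'Not found in LocalMachine\My or CurrentUser\My: the import did not complete.' }
    return
}

# Certificate checks: private key, validity window, EKU, chain up to the root.
$now  = Get-Date
$ekus = $cert.EnhancedKeyUsageList   # an empty list means no EKU restriction
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainBuilt = $chain.Build($cert)

# Last chain element is the root when the chain is complete, otherwise the
# highest certificate Windows could find (the leaf itself for a broken chain).
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$rootInMachineStore = [bool](Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })

[pscustomobject]@{
    Subject            = $cert.Subject
    Issuer             = $cert.Issuer
    HasPrivateKey      = $cert.HasPrivateKey
    WithinValidity     = ($now -ge $cert.NotBefore) -and ($now -le $cert.NotAfter)
    EnhancedKeyUsage   = ($ekus.FriendlyName -join ', ')
    ClientAuthEku      = ($ekus.ObjectId -contains '1.3.6.1.5.5.7.3.2')
    ChainBuilt         = $chainBuilt
    ChainStatus        = ($chain.ChainStatus.Status -join ', ')
    RootInMachineStore = $rootInMachineStore
} | Format-List
```

A `ChainStatus` of `UntrustedRoot` together with `RootInMachineStore = False` means the self-signed root was not imported into the Computer account's Trusted Root store; `HasPrivateKey = False` means only the public certificate was imported, not the PKCS12 bundle.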

@Mick_Ball Thank you so much for your guidance.

 

The Gateway is now working. Any idea how to check evidence of client cert checks being performed? i.e.

How can I validate if the user is authenticated with the pre-logon feature?

Check the gateway current users. Add "pre" to the search; this is what you will see before the user connects.

You can also check the previous user tab with pre.

 

MickBall_0-1614776470333.jpeg

 

Hi @Mick_Ball 

 

Sorry for the delayed response and thank you once again for your great inputs.

 

When I'm logged out from the workstation the pre-logon user is not showing in the gateway. I can see it in the Previous User tab.

However, on the KB article of PA it says:
 
Pre-logon.jpg
 
Could you please endorse my concern with the relevant PA Team?

Something seems to be wrong with your configuration, as when I log off my workstation the existing (not previous) connection changes to pre-logon and reverts to my name when I log back in.

Can you post exactly what you have in the gateway config...

MickBall_0-1615546942076.jpeg

 

Thank you so much for your guidance.

I checked the GP GW config and removed the cert from Certificate Profile. It worked!

 

May I ask what was the problem?

 

Cert Profile.png

I cannot really tell without seeing your complete setup but it may be that as you included the certificate in the profile, GP was seeing pre-logon as a separate user rather than just a pre-logon user.

 
