Cannot install Machine Certificate for GP Pre-logon

FarzanaMustafa
L4 Transporter

Cannot install Machine Certificate for GP Pre-logon

I encountered a problem installing the machine certificate.

ERROR.png

I followed the article below:
 
We are using a self-signed root CA that is in the cert profile for auth, then generated the server cert and machine cert and signed them with the same root. Then exported as PKCS12.
In the Certificate Profile, I changed the Username Field type from 'None' to 'Subj'.
Made sure I selected the Computer account (default is user account) and cert is in folder "Personal" there.
 
CERT.jpg
 
Tried the MS fix but no luck.
 
Please help!
 
 

Accepted Solutions
MickBall
L7 Applicator

I cannot really tell without seeing your complete setup but it may be that as you included the certificate in the profile, GP was seeing pre-logon as a separate user rather than just a pre-logon user.

 



All Replies
MickBall
L7 Applicator

Hi @FarzanaMustafa.

Have you tried to install the same certificate into the user personal store of the same device, or into another device that is not controlled by group policy etc.?

This will not fix the issue, but you need to first discover if this is a problem with the certificate or the installation process.

Has your root CA been used to generate other successful client auth certs?
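To help separate a certificate problem from an installation problem, as the posts above discuss, this added example (not part of the original thread) lists what is actually present in the Computer account's Personal store. `$RootSubject` is a placeholder you must set to your own root CA's subject; the Client Authentication EKU column is informational only.

```powershell
# Added example: inspect certificates in the Computer account's Personal store.
# $RootSubject is a placeholder (assumption); set it to your own root CA's subject.
$RootSubject   = 'CN=Example-Root-CA'
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now           = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # EKU extension: if absent, the certificate is not restricted by EKU.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $clientAuth = if ($ekuExt) {
        @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $ClientAuthOid
    } else { $true }

    # Build the chain without revocation lookups and record why it fails, if it does.
    # A self-signed root missing from the machine's trusted roots shows as UntrustedRoot.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey   # False suggests the PKCS12 import lost the key
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        ClientAuthEku = $clientAuth
        IssuedByRoot  = ($cert.Issuer -eq $RootSubject)   # exact string match on issuer
        ChainBuilds   = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
} | Format-List
```

Changing the path to `Cert:\CurrentUser\My` runs the same checks against the user personal store mentioned in the reply.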

FarzanaMustafa
L4 Transporter

@MickBall Thank you so much for your guidance.

 

The Gateway is now working. Any idea how to check evidence of client cert checks being performed? i.e.

How can I validate if the user is authenticated with the pre-logon feature?

MickBall
L7 Applicator

Check the gateway current users. Add "pre" to the search; this is what you will see before the user connects.

You can also check the previous user tab with pre.

 

MickBall_0-1614776470333.jpeg

 

FarzanaMustafa
L4 Transporter

Hi @MickBall 

 

Sorry for the delayed response and thank you once again for your great inputs.

 

When I'm logged out from the workstation the pre-logon user is not showing in the gateway. I can see it in the Previous User tab.

However, on the KB article of PA it says:
 
Pre-logon.jpg
 
Could you please endorse my concern with the relevant PA Team?
MickBall
L7 Applicator

Something seems to be wrong with your configuration, as when I log off my workstation the existing (not previous) connection changes to pre-logon and reverts to my name when I log back in.

Can you post exactly what you have in the gateway config...

MickBall
L7 Applicator

MickBall_0-1615546942076.jpeg

 

FarzanaMustafa
L4 Transporter

Thank you so much for your guidance.

I checked the GP GW config and removed the cert from Certificate Profile. It worked!

 

May I ask what was the problem?

 

Cert Profile.png

MickBall
L7 Applicator

I cannot really tell without seeing your complete setup but it may be that as you included the certificate in the profile, GP was seeing pre-logon as a separate user rather than just a pre-logon user.

 
