This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

client certificate authentication fails even though machine has certificate.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

client certificate authentication fails even though machine has certificate.

Abdul_Razaq
L4 Transporter

‎04-21-2021 01:18 AM - edited ‎04-21-2021 01:27 AM

One of my setup with client certificate authentication in gateway was working fine. For some reason, it gives me 'Required client certificate not found. Please contact your IT administrator' error. The certificate is available in the client machine certificate store and PanGPS.log shows it is able to identify the same. But After which it fails and displays the error.

-------------------PanGPS.log--------------

(T1784)Debug( 859): 04/20/21 14:04:39:531 Opened machine store
(T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert Policy Manager STS issued by Policy Manager STS sha1 hash is d9 7b 5c d6 a7 18 ac 55 31 63 38 8a 9a e3 9b 4f 33 1a 71 2f
(T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert Policy Manager issued by Policy Manager sha1 hash is 74 b3 29 db fd d2 57 3a e6 37 ed a8 d8 fc 90 ca 77 c0 c1 00
(T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert *.pom.local issued by *.pom.local sha1 hash is 56 87 23 33 cd 2d 17 0a 00 57 8b 56 13 76 fd 0d c6 3e 13 55
(T1784)Debug( 868): 04/20/21 14:04:39:531 Found the cert GPA_Windows_Client issued by POM_Client_VPN sha1 hash is 51 84 70 a8 99 3d e9 9b 0f f8 28 ec 6d ac 5b 79 ea b1 de 46 in machine store
(T1784)Debug( 874): 04/20/21 14:04:39:531 Finished searching machine store.
(T1784)Debug(1016): 04/20/21 14:04:39:531 PrepareRequest, m_pMachineCertCtx is 000001E3BA0921F0...
(T1784)Debug(1024): 04/20/21 14:04:39:532 WinHttpOpenRequest...
(T1784)Debug( 442): 04/20/21 14:04:39:532 CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T1784)Debug( 453): 04/20/21 14:04:39:743 bResults=1, g_dwStatus = 00000000
(T1784)Debug( 675): 04/20/21 14:04:39:748 Server <portal fqdn> cert chain has been created.
(T1784)Debug( 689): 04/20/21 14:04:39:748 Server <portal fqdn> cert verification passed
(T1784)Debug( 721): 04/20/21 14:04:39:748 Check server certificate revocation returns TRUE
(T1784)Debug( 475): 04/20/21 14:04:39:748 CPanHTTPSession::PostRequest: WinHttpReceiveREsponse...
(T1784)Debug( 487): 04/20/21 14:04:39:748 CPanHTTPSession::PostRequest: WinHttpQueryHeaders...
(T1784)Debug( 369): 04/20/21 14:04:39:748 Content-length: 529
(T1784)Info (1220): 04/20/21 14:04:39:748 download data success
(T1784)Debug( 530): 04/20/21 14:04:39:748 CPanHTTPSession::SendRequest: WinHttpQueryHeaders...
(T1784)Debug(3590): 04/20/21 14:04:39:748 Login to gateway (null) <--portal fqdn--> without ipv6
(T1784)Debug(10948): 04/20/21 14:04:39:748 StopCaptivePortalDetection() captive portal detection is in progress
(T5056)Debug(5039): 04/20/21 14:04:39:748 CaptivePortalDetectionThread: IsDetectingCaptivePortal=0, PreLoginIsDone=1
(T5056)Debug(5016): 04/20/21 14:04:39:748 CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T1784)Debug(3620): 04/20/21 14:04:39:748 Pre-login response is <?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Error</status>
<ccusername></ccusername>
<autosubmit></autosubmit>
<msg>Valid client certificate is required</msg>
<newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version><region>AE</region>
</prelogin-response>

---------------PanGPS.log--------------

I even tried generating new certificate from same CA and imported in client machine/user store, it didnt work.

Root CA is already there in the trusted CA store.

Anybody encountered the same?, any solution.

0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎04-21-2021 07:55 AM

@Abdul_Razaq,

Have you looked at the certificate profile on the firewall and verified that it's actually configured as needed? if the client is sending the expected cert and you're seeing an auth failure, that response is being returned by the firewall. So you'll need to investigate why the firewall isn't authorizing the certificate as you expect instead of the client. 

0 Likes Likes

nikoolayy1
L6 Presenter

‎04-23-2021 12:47 AM - edited ‎04-23-2021 12:49 AM

Can you specify if you are using machine certficate for VPN (Pre-Logon) or client SSL certficate for authentication after you logged into the computer? It is important as there is some difference as what certficate is needed or in chich store to place it.

0 Likes Likes

fhewiufhwefhwe
L4 Transporter

‎07-20-2021 07:32 AM

Is this only on one machine or systematic?  I've run into a memory error a couple of times followed by the firewall refusing to acknowledge valid certificates until after a reboot.

0 Likes Likes
  • 3547 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks