client certificate authentication fails even though machine has certificate.


L4 Transporter

One of my setups with client certificate authentication in the gateway was working fine. For some reason, it gives me the 'Required client certificate not found. Please contact your IT administrator' error. The certificate is available in the client machine certificate store and PanGPS.log shows it is able to identify the same. But after that it fails and displays the error.

-------------------PanGPS.log--------------

(T1784)Debug( 859): 04/20/21 14:04:39:531 Opened machine store
(T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert Policy Manager STS issued by Policy Manager STS sha1 hash is d9 7b 5c d6 a7 18 ac 55 31 63 38 8a 9a e3 9b 4f 33 1a 71 2f
(T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert Policy Manager issued by Policy Manager sha1 hash is 74 b3 29 db fd d2 57 3a e6 37 ed a8 d8 fc 90 ca 77 c0 c1 00
(T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert *.pom.local issued by *.pom.local sha1 hash is 56 87 23 33 cd 2d 17 0a 00 57 8b 56 13 76 fd 0d c6 3e 13 55
(T1784)Debug( 868): 04/20/21 14:04:39:531 Found the cert GPA_Windows_Client issued by POM_Client_VPN sha1 hash is 51 84 70 a8 99 3d e9 9b 0f f8 28 ec 6d ac 5b 79 ea b1 de 46 in machine store
(T1784)Debug( 874): 04/20/21 14:04:39:531 Finished searching machine store.
(T1784)Debug(1016): 04/20/21 14:04:39:531 PrepareRequest, m_pMachineCertCtx is 000001E3BA0921F0...
(T1784)Debug(1024): 04/20/21 14:04:39:532 WinHttpOpenRequest...
(T1784)Debug( 442): 04/20/21 14:04:39:532 CPanHTTPSession::PostRequest: WinHttpSendRequest...
(T1784)Debug( 453): 04/20/21 14:04:39:743 bResults=1, g_dwStatus = 00000000
(T1784)Debug( 675): 04/20/21 14:04:39:748 Server <portal fqdn> cert chain has been created.
(T1784)Debug( 689): 04/20/21 14:04:39:748 Server <portal fqdn> cert verification passed
(T1784)Debug( 721): 04/20/21 14:04:39:748 Check server certificate revocation returns TRUE
(T1784)Debug( 475): 04/20/21 14:04:39:748 CPanHTTPSession::PostRequest: WinHttpReceiveREsponse...
(T1784)Debug( 487): 04/20/21 14:04:39:748 CPanHTTPSession::PostRequest: WinHttpQueryHeaders...
(T1784)Debug( 369): 04/20/21 14:04:39:748 Content-length: 529
(T1784)Info (1220): 04/20/21 14:04:39:748 download data success
(T1784)Debug( 530): 04/20/21 14:04:39:748 CPanHTTPSession::SendRequest: WinHttpQueryHeaders...
(T1784)Debug(3590): 04/20/21 14:04:39:748 Login to gateway (null) <--portal fqdn--> without ipv6
(T1784)Debug(10948): 04/20/21 14:04:39:748 StopCaptivePortalDetection() captive portal detection is in progress
(T5056)Debug(5039): 04/20/21 14:04:39:748 CaptivePortalDetectionThread: IsDetectingCaptivePortal=0, PreLoginIsDone=1
(T5056)Debug(5016): 04/20/21 14:04:39:748 CaptivePortalDetectionThread: wait (-1 ms) for captive portal detection event.
(T1784)Debug(3620): 04/20/21 14:04:39:748 Pre-login response is <?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Error</status>
<ccusername></ccusername>
<autosubmit></autosubmit>
<msg>Valid client certificate is required</msg>
<newmsg>Required client certificate not found. Please contact your IT administrator.</newmsg>
<license>yes</license>
<authentication-message>Enter login credentials</authentication-message>
<username-label>Username</username-label>
<password-label>Password</password-label>
<panos-version>1</panos-version><region>AE</region>
</prelogin-response>

---------------PanGPS.log--------------

I even tried generating a new certificate from the same CA and imported it into the client machine/user store; it didn't work.

Root CA is already there in the trusted CA store.

Has anybody encountered the same? Any solution?

3 REPLIES

Cyber Elite

@Abdul_Razaq,

Have you looked at the certificate profile on the firewall and verified that it's actually configured as needed? If the client is sending the expected cert and you're seeing an auth failure, that response is being returned by the firewall. So you'll need to investigate why the firewall isn't authorizing the certificate as you expect instead of the client.
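
A way to read the log from the question along the lines of the reply above: pull out which certificate the agent selected and what the pre-login response said, then report which side the evidence points at. This is an added example, not part of the original thread and not Palo Alto Networks code; the regular expressions assume the PanGPS.log line format shown in the question, and the sample lines are excerpted from it.

```python
import re
import xml.etree.ElementTree as ET

# Lines excerpted from the PanGPS.log quoted in the question (XML trimmed).
SAMPLE_LOG = """\
(T1784)Debug( 872): 04/20/21 14:04:39:531 Skipped cert *.pom.local issued by *.pom.local sha1 hash is 56 87 23 33 cd 2d 17 0a 00 57 8b 56 13 76 fd 0d c6 3e 13 55
(T1784)Debug( 868): 04/20/21 14:04:39:531 Found the cert GPA_Windows_Client issued by POM_Client_VPN sha1 hash is 51 84 70 a8 99 3d e9 9b 0f f8 28 ec 6d ac 5b 79 ea b1 de 46 in machine store
(T1784)Debug(3620): 04/20/21 14:04:39:748 Pre-login response is <?xml version="1.0" encoding="UTF-8" ?>
<prelogin-response>
<status>Error</status>
<msg>Valid client certificate is required</msg>
</prelogin-response>
"""

FOUND = re.compile(r"Found the cert (.+?) issued by (.+?) sha1 hash is "
                   r"((?:[0-9a-f]{2} ){19}[0-9a-f]{2}) in (\w+) store")
PRELOGIN = re.compile(r"<prelogin-response>.*?</prelogin-response>", re.S)


def selected_certs(log):
    """Certificates the agent picked from a store ('Found the cert' lines)."""
    return [{"subject": s, "issuer": i, "sha1": h.replace(" ", ""), "store": st}
            for s, i, h, st in FOUND.findall(log)]


def prelogin_result(log):
    """(status, msg) of the last pre-login response in the log, or None."""
    blocks = PRELOGIN.findall(log)
    if not blocks:
        return None
    root = ET.fromstring(blocks[-1])  # element only, so no DOCTYPE is parsed
    return root.findtext("status"), root.findtext("msg")


def triage(log):
    """Say which side the log points at: client store or gateway response."""
    certs, result = selected_certs(log), prelogin_result(log)
    if result is None:
        return "no pre-login response in log"
    if result[0] != "Error":
        return "pre-login accepted"
    if not certs:
        return "client: no certificate matched in any store"
    c = certs[-1]
    return (f"gateway rejected pre-login after client selected {c['subject']} "
            f"(issuer {c['issuer']}, {c['store']} store): check certificate profile")


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The extracted SHA-1 thumbprint and issuer can then be compared against the CA certificates listed in the certificate profile on the firewall.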

L6 Presenter

Can you specify if you are using a machine certificate for VPN (Pre-Logon) or a client SSL certificate for authentication after you have logged into the computer? It is important as there is some difference in what certificate is needed or in which store to place it.

L4 Transporter

Is this only on one machine or systematic? I've run into a memory error a couple of times followed by the firewall refusing to acknowledge valid certificates until after a reboot.
