- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
11-13-2019 06:44 PM
Having some trouble with a generalized single certificate (wanting to use as part of user/pass authentication) across multiple machines. Wanting to require this certificate be on a machine and the user enter their user/pass combination for authentication to portal/gateway (not user/machine specific cert). Not doing prelogon at this point. I can add this exported certificate into the Certificates (Local Computer) /Personal AND Trusted Root store ....all day long....and it makes no difference.
I can even specify in the portal agent config to use 1.3.6.1.5.5.7.3.2 for an OID- and also ensure that both Client certificate store look up - both "user and machine" is set on the portal...still nothing.
The only way I can get this to successfully work, is by placing the exported certificate into the Certificates -Current User - personal - store. ...then everything works perfectly. It's almost as if windows clients have issues accessing the machine store when a user is logged in? Anyone have experience with this, or something along these lines?
Maybe @Mick_Ball answered part of this already below:
MS seems to hint at the fact that any machine store cert in the trusted root will be mirrored to the current user store trusted root- but NOT the Current User Personal:
"Be aware that all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."
Does a generic certificate have to be installed for every user under their current user personal certificate store?
11-15-2019 11:12 AM - edited 11-15-2019 11:14 AM
11-15-2019 11:16 AM
11-15-2019 12:01 PM
Hey no problemo....
its a shame the messaging service is not working on this site as could send you one of my certs for you to test against my lab portal...
i have logged this as a fault so fingers crossed...
11-15-2019 04:22 PM
I'm not sure I understand? yeah, i noticed this site's direct messaging appears broken...so you think it may be a certificate issue itself?
11-16-2019 12:47 AM
Not sure, kinda running out of ideas... at least that test would tell us if cert issue or windows issue.
going through post again...from the start did you generate a self signed root ca that is in the cert profile for auth, then generated the user cert and sign it with the same root. Then export as pks12.
11-16-2019 05:22 PM - edited 11-16-2019 08:29 PM
I reviewed your post, and double checked everything. Thank you for the replies. I found that the agent itself works when I install to (Local Computer)-Personal. This appears to work for the global protect agent flawlessly. It's a bit misleading to me though, as when I try to browse directly to the portal (which I was originally trying to do) I get a warning that says "Valid client certificate is required" (and an auth failure, if typing in known good credentials)- however, the Global protect agent itself works perfectly. This must be because I'm launching a web browser as a current user of the computer, and the GP agent has access to a different store?
This is where my confusion was all along. How could I be getting a warning "Valid client certificate required" - and denied authentication, when web-browsing to the portal, if I wasn't missing the certificate? Well, the GP agent says otherwise.
If this is the case, how are people using the portal to allow machines that may not have the agent (someone inside the org, but offsite), to web browse to the portal, download the agent and install it? I'm guessing using a publicly signed CA certificate may solve this issue? Or maybe they are just requiring the certificate authentication on their gateways and NOT the portal?
11-17-2019 01:57 AM
Ok glad its working but you should still see the computer store from your browser.
the rules are as follows.
Local machine certificate store
This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.
Current user certificate store
This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.
as a test why not open regedit as the user and see if you can view the local machine store... if you cannot then something strange is going on. If you can then it must be the browser. What browser are you using.
i always test my certs with IE. As much as i hate it it is still the most popular.
11-17-2019 02:02 AM - edited 11-17-2019 02:05 AM
I think only IE and Edge use the local comp store. Chrome has a plug in and Firefox will fail miserably...
Edited....
11-17-2019 07:06 AM - edited 11-17-2019 07:31 AM
Yes, I can see the Local machine store in regedit. When browsing (using edge/IE) to the portal though, I'm still seeing a warning about "valid client certificate required". I'll test on a couple of machines tomorrow and reply to this thread. I know I can fix the problem by installing the certificate in the (current user) personal store, but I'll see if I can work around it on some test computers.
So your saying that organizations will use cert based auth even on the portal? I'm finding I can make a second CA with a completely different intermediate cert, and use that in the certificate profile, and use that for certificate auth, and that works as well for the GP agent. But NOT when I browse to the portal
So it's down to the browser and the cert store?
11-17-2019 07:40 AM
Ok catch up tomorrow but not sure where the intermediate cert is required for this.
could it also be that as you have been messing with certs that ie is using one that it thinks it should use but its the wrong one.
yes i would have a play on a fresh device and remove all personal certs from user store.
good luck....
11-19-2019 01:08 PM - edited 11-19-2019 01:15 PM
Thanks for all the replies. Definitely a help to the community! Thank you!! I would say this problem is solved.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!