Client Based Certificate Authentication fails for NS GW with 503 error

Article ID: CTX223779
Description

Client certificate-based authentication (CBA) fails with this error: Fetcher::getagclientcert got a fail response 503

The IIS logs on the CA web enrollment server show 401 responses for the enrollment request: 
10.99.60.190, -, 5/8/2017, 11:22:16, W3SVC1, WIN0215, 10.99.60.31, 170, 1573, 1605, 401, 5, POST, /certsrv/certfnsh.asp, -, 
10.99.60.190, -, 5/8/2017, 11:31:44, W3SVC1, WIN0215, 10.99.60.31, 28, 1563, 1605, 401, 5, POST, /certsrv/certfnsh.asp, -, 


" 2017-05-08T15:01:45.094+0530 ",<MDM>,ERROR (2),-[FetcherBase networkRequestFailHandler:],"Fetcher::getagclientcert got a fail response 503",Active,com.apple.main-thread,403,Secure Hub,/jenkins/workspace/iOS_Secure Hub/AppStore/MDM/Common/Source/Checker/FetcherBase.m,77 
" 2017-05-08T15:01:45.095+0530 ",<MDM>,ERROR (2),-[X1MDMEnrollFlowController handleServerError:errorMessage:],"handleServerError response 503 with title and detail text [ConnectionErrorHeader]",Active,com.apple.main-thread,403,Secure Hub,/jenkins/workspace/iOS_Secure Hub/AppStore/Me@Work/Me@Work/Controller/X1MDMEnrollFlowController.m,2131 
" 2017-05-08T15:01:45.095+0530 ",<MDM>,ERROR (2),__45-[X1MDMEnrollFlowController getAGCertificate]_block_invoke,"request to get AG certificate resulted in httpResponse 503",Active,com.apple.main-thread,403,Secure Hub,/jenkins/workspace/iOS_Secure Hub/AppStore/Me@Work/Me@Work/Controller/X1MDMEnrollFlowController.m,1474
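The IIS lines above use the classic comma-separated IIS log format. As an added example (not part of the Citrix article), the PowerShell below parses lines in that format and summarises the 401 responses for the enrollment page, which is the quickest way to confirm on the CA side that the Secure Hub 503 corresponds to a refused /certsrv request. The sample lines are constructed from the article's excerpt plus one successful request; the field names are the standard IIS-format column order and the script assumes that layout.

```powershell
# Added example, not from the article: triage IIS-format log lines for refused
# certificate enrollment requests. Sample input is constructed (two lines from the
# article's excerpt plus one constructed 200 response for contrast).
$sampleLog = @'
10.99.60.190, -, 5/8/2017, 11:22:16, W3SVC1, WIN0215, 10.99.60.31, 170, 1573, 1605, 401, 5, POST, /certsrv/certfnsh.asp, -,
10.99.60.190, -, 5/8/2017, 11:31:44, W3SVC1, WIN0215, 10.99.60.31, 28, 1563, 1605, 401, 5, POST, /certsrv/certfnsh.asp, -,
10.99.60.190, -, 5/8/2017, 11:35:02, W3SVC1, WIN0215, 10.99.60.31, 31, 1563, 2210, 200, 0, POST, /certsrv/certfnsh.asp, -,
'@

# Column order of the IIS log file format (assumed; adjust if the server logs in W3C format).
$fields = 'ClientIP','User','Date','Time','Service','Server','ServerIP',
          'TimeTaken','BytesRecv','BytesSent','Status','Win32Status','Method','Uri','Query'

function ConvertFrom-IisLogLine {
    param([string]$Line)
    $parts = $Line -split ',\s*'
    if ($parts.Count -lt $fields.Count) { return $null }   # skip short or malformed lines
    $obj = [ordered]@{}
    for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $parts[$i] }
    [pscustomobject]$obj
}

$entries = $sampleLog -split "`r?`n" |
    Where-Object { $_.Trim() } |
    ForEach-Object { ConvertFrom-IisLogLine $_ }

# 401 on the enrollment page; sc-win32-status 5 is ERROR_ACCESS_DENIED, i.e. IIS
# rejected the request before the CA saw it, which matches a client cert negotiation problem.
$denied = $entries | Where-Object { $_.Uri -eq '/certsrv/certfnsh.asp' -and $_.Status -eq '401' }

$denied | Group-Object ClientIP | ForEach-Object {
    [pscustomobject]@{
        ClientIP    = $_.Name
        Denied401   = $_.Count
        Win32Status = ($_.Group.Win32Status | Sort-Object -Unique) -join ','
        FirstSeen   = "$($_.Group[0].Date) $($_.Group[0].Time)"
        LastSeen    = "$($_.Group[-1].Date) $($_.Group[-1].Time)"
    }
} | Format-Table -AutoSize
```

To run it against a real log, replace `$sampleLog` with `Get-Content` of the W3SVC1 log file; the grouping by client IP lets you see whether every NetScaler Gateway / Secure Hub client is affected or only some, which separates a server-side configuration regression from a single misbehaving client.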

Resolution

Verify the following, especially if the CA runs on 2008 R2:

#1 Client Certificate Negotiation
-------------------------------------------------------------------------

To validate whether client certificate negotiation is enabled:

1. Run this netsh command to show the SSL Certificate configuration that is bound on the IIS website:

netsh http show sslcert

2. If the value for Negotiate Client Certificate is Disabled, run the following command to enable it:

netsh http delete sslcert ipport=0.0.0.0:443

netsh http add sslcert ipport=0.0.0.0:443 certhash=cert_hash appid={app_id} certstorename=store_name verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable

For Example:

netsh http add sslcert ipport=0.0.0.0:443 certhash=609da5df280d1f54a7deb714fb2c5435c94e05da appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=ExampleCertStoreName verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable clientcertnegotiation=Enable


#2 SCHANNEL key
-------------------------------------------------------------------------------------------

Start Registry Editor (Regedt32.exe), and then locate the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

and its SCHANNEL\Protocols subkey.

To enable the system to use the protocols that will not be negotiated by default (such as TLS 1.1 and TLS 1.2), change the DWORD value data of the DisabledByDefault value to 0x0 in the following registry keys under the Protocols key:

  • SCHANNEL\Protocols\TLS 1.1\Client
  • SCHANNEL\Protocols\TLS 1.1\Server
  • SCHANNEL\Protocols\TLS 1.2\Client
  • SCHANNEL\Protocols\TLS 1.2\Server

These values need to be added:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000
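Both checks above (#1 the HTTP.sys binding's Negotiate Client Certificate flag, #2 the SCHANNEL TLS 1.1/1.2 keys) can be verified read-only before anything is changed. The PowerShell below is an added example, not from the Citrix article: it parses the output of `netsh http show sslcert` and reads the four registry keys, then warns on anything that does not match the article's expected state. It assumes the standard `IP:port` layout of the netsh output (bindings made by hostname would need the split pattern extended) and must run elevated on the CA/IIS host.

```powershell
# Added example, not from the article: read-only verification of steps #1 and #2.
# Nothing here modifies the binding or the registry.

function Get-SslCertBindingNegotiation {
    # One object per HTTP.sys SSL binding with its "Negotiate Client Certificate" state.
    # Assumes the usual netsh layout where each binding starts with an "IP:port :" line.
    $text = (& netsh http show sslcert) -join "`n"
    $blocks = $text -split '(?m)^\s*IP:port\s*:' | Select-Object -Skip 1
    foreach ($b in $blocks) {
        $ipport = ($b -split "`n")[0].Trim()
        $neg  = if ($b -match 'Negotiate Client Certificate\s*:\s*(\w+)') { $Matches[1] } else { 'Unknown' }
        $hash = if ($b -match 'Certificate Hash\s*:\s*([0-9a-fA-F]+)')   { $Matches[1] } else { '' }
        [pscustomobject]@{ IPPort = $ipport; CertHash = $hash; NegotiateClientCert = $neg }
    }
}

function Get-SchannelProtocolState {
    # Enabled / DisabledByDefault for the TLS 1.1 and TLS 1.2 Client and Server keys.
    # Note: the article's dword:ffffffff reads back from the registry as -1.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'TLS 1.1','TLS 1.2') {
        foreach ($side in 'Client','Server') {
            $path  = Join-Path $base "$proto\$side"
            $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
            [pscustomobject]@{
                Key               = "$proto\$side"
                KeyExists         = [bool]$props
                Enabled           = if ($props -and $null -ne $props.Enabled) { $props.Enabled } else { '(absent)' }
                DisabledByDefault = if ($props -and $null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { '(absent)' }
            }
        }
    }
}

# Step #1: every binding should report Negotiate Client Certificate = Enabled.
$bindings = Get-SslCertBindingNegotiation
$bindings | Format-Table -AutoSize
$bindings | Where-Object { $_.NegotiateClientCert -ne 'Enabled' } | ForEach-Object {
    Write-Warning "Binding $($_.IPPort): Negotiate Client Certificate is $($_.NegotiateClientCert); re-add it with clientcertnegotiation=Enable (step #1)."
}

# Step #2: each key should exist with DisabledByDefault = 0 and Enabled non-zero.
# On 2008 R2 a missing key means the protocol is not negotiated by default.
$schannel = Get-SchannelProtocolState
$schannel | Format-Table -AutoSize
$schannel | Where-Object { -not $_.KeyExists -or $_.DisabledByDefault -ne 0 -or $_.Enabled -eq 0 } | ForEach-Object {
    Write-Warning "SCHANNEL key $($_.Key): expected Enabled != 0 and DisabledByDefault = 0 (step #2)."
}
```

Run it before and after applying the fix: the first run documents the pre-change state (useful when the problem cause turns out to be a patch that reset the binding), and the second confirms that the binding and all four keys are in the expected state without relying on a manual read of the netsh output.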
 

Problem Cause

Identify the most recent changes made to the CA server; in most cases the cause is server patching.
 

Issue/Introduction

Fetcher::getagclientcert got a fail response 503