Certificate Based Authentication : Troubleshooting Tips


Article ID: CTX226440


Description

This document covers common troubleshooting tips and guidelines for issues related to certificate-based authentication (CBA).
 
Please ensure that the initial configuration is set as per the article: 
https://support.citrix.com/article/CTX220479
 
If the configuration is in place but CBA still does not complete successfully, troubleshooting can be split into two parts:
a) Whether the certificate is pushed to the device from XenMobile.
b) Whether the certificate pushed to the device can be validated on NetScaler.
 

  • Whether the certificate is pushed to the device from XenMobile:
To check this, deploy a credentials policy from the XenMobile Server to the device and verify from the delivery groups whether the certificate ID is shown.

If the credentials policy is failing and no certificate ID appears in the delivery groups, check the debug logs of the XenMobile server. Some common errors that you may see are listed below:

Issue:
Caused by: com.zenprise.zdm.pki.spi.IssuingServiceException: Could not sign CSR
at com.zenprise.zdm.pki.internal.util.AbstractIssuingAdapter.issueDirect(AbstractIssuingAdapter.java:147) ~[nps.jar:?]
at
... 55 more
Caused by: com.sparus.nps.pki.CertificateSigningException: Could not sign certificate
at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:108) ~[nps.jar:?]
at com.sparus.nps.iphone.mobileconfig.MobileConfig.createPayload(MobileConfig.java:489) ~[nps.jar:?]
at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPDict(MobileConfig.java:520) ~[nps.jar:?]
at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPList(MobileConfig.java:571) ~[nps.jar:?]
... 55 more
Caused by: java.net.SocketException: Connection reset
at java.net.SocketInputStream.read(SocketInputStream.java:209) ~[?:1.8.0_66-XMS]
at java.net.SocketInputStream.read(SocketInputStream.java:141) ~[?:1.8.0_66-XMS]

Solution: This is mainly caused by a connection failure or reset from the CA server to the XenMobile server.
Points to verify:
- Verify that the CA server URL https://CAcertFQDN/certsrv/ is accessible on port 443.
- Verify the SSL binding on the IIS server.

- Verify that the Web Enrollment service is enabled for the CA server under Server Manager > Roles and Features.

- Verify whether client certificate authentication is enabled on the IIS server.
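
The first point above (the CA URL reachable on port 443) can be checked with a small probe that reports which layer fails first: name resolution, the TCP connection, the TLS handshake, or the HTTP reply from /certsrv/. This is an added example, not Citrix code; the function name `probe_ca` and its `cafile` parameter are assumptions made here, and CAcertFQDN remains the page's placeholder for the CA host name.

```python
import socket
import ssl
import sys


def probe_ca(host, port=443, path="/certsrv/", cafile=None, timeout=5.0):
    """Probe the CA web enrollment URL and return (stage, detail).

    stage names the first layer that failed: 'dns', 'tcp', 'tls' or 'http';
    it is 'ok' when the server answered with an HTTP status line.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.gaierror as exc:   # host name does not resolve
        return "dns", str(exc)
    except OSError as exc:           # refused, filtered or timed out
        return "tcp", f"{type(exc).__name__}: {exc}"

    # cafile (assumption): PEM file holding the internal root CA, for the case
    # where the IIS certificate does not chain to the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    try:
        # A connection reset by the server surfaces in the handshake here
        # or in the read below.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            try:
                tls.sendall(request.encode("ascii"))
                status = tls.recv(4096).split(b"\r\n", 1)[0].decode("latin-1")
            except OSError as exc:
                return "http", f"{type(exc).__name__}: {exc}"
    except OSError as exc:           # includes ssl.SSLError, resets, timeouts
        return "tls", f"{type(exc).__name__}: {exc}"

    if not status.startswith("HTTP/"):
        return "http", f"unexpected reply: {status!r}"
    # Any status line shows that the IIS site answers over TLS on this port.
    return "ok", f"{version}; {status}"


if __name__ == "__main__":
    # Usage: python probe_ca.py <CA host name>  (the page's CAcertFQDN)
    for target in sys.argv[1:]:
        stage, detail = probe_ca(target)
        print(f"{target}: {stage} ({detail})")
```

Run it from a host on the same network path as the XenMobile server, so that firewalls and proxies in between are exercised the same way.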