Certificate Based Authentication : General issues

Article ID: CTX226442


Description

 
This document collects common troubleshooting tips and guidelines for issues with certificate-based authentication (CBA) between XenMobile-enrolled devices and NetScaler.
 
First confirm that the initial configuration matches the following article:
https://support.citrix.com/article/CTX220479
 
If the configuration is in place but CBA still fails, troubleshooting splits naturally into two questions:
a) Has the certificate been pushed to the device from XenMobile?
b) Can the certificate that was pushed to the device be validated by NetScaler?
 

  • Whether the certificate is pushed to the device from XenMobile:
Deploy a credentials policy from the XenMobile Server to the device, then check the delivery group for that device: a successful deployment shows a Certificate ID entry for the policy.

 
If the credentials policy is failing and the delivery group shows no Certificate ID, check the XenMobile Server debug logs. Some common errors are listed below:

Issue :
Caused by: com.sparus.nps.pki.CertificateSigningException: Could not sign certificate
at com.zenprise.zdm.pki.util.MsCertSrvSigningService.signRequest(MsCertSrvSigningService.java:108) ~[nps.jar:?]
at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPDict(MobileConfig.java:520) ~[nps.jar:?]
at com.sparus.nps.iphone.mobileconfig.MobileConfig.toPList(MobileConfig.java:571) ~[nps.jar:?]
... 55 more
Caused by: java.io.IOException: Could not obtain certificate (template=xmtemplate). Reason: No mapping between account names and security IDs was done. 0x80070534 (WIN32: 1332 ERROR_NONE_MAPPED)
 
Solution:
- On the CA server, check that Negotiate Client Certificate and DS Mapper Usage are both enabled on the IIS SSL binding used for certificate enrollment. ERROR_NONE_MAPPED (Win32 error 1332) means the CA could not map the authenticating certificate to an Active Directory account, which is exactly the mapping the DS Mapper performs; with the DS Mapper disabled, the signing request from XenMobile fails with the error above.


To enable client certificate negotiation and DS Mapper usage, follow these steps in an elevated command prompt on the CA server:
1. Show the SSL certificate binding that IIS uses on port 443, and note the Certificate Hash, Application ID and Certificate Store Name values, which are needed again in step 2:
netsh http show sslcert
2. If Negotiate Client Certificate (or DS Mapper Usage) is shown as Disabled, delete the binding and add it back with both enabled, re-using the values noted in step 1. HTTPS on the port is unavailable between the delete and the add, so do this in a maintenance window:
netsh http delete sslcert ipport=0.0.0.0:443
netsh http add sslcert ipport=0.0.0.0:443 certhash=cert_hash appid={app_id} certstorename=store_name verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable dsmapperusage=Enable clientcertnegotiation=Enable
For example:
netsh http add sslcert ipport=0.0.0.0:443 certhash=609da5df280d1f54a7deb714fb2c5435c94e05da appid={4dc3e181-e14b-4a21-b022-59fc669b0914} certstorename=ExampleCertStoreName verifyclientcertrevocation=Enable VerifyRevocationWithCachedClientCertOnly=Disable UsageCheck=Enable dsmapperusage=Enable clientcertnegotiation=Enable
3. Run netsh http show sslcert again and confirm that both Negotiate Client Certificate and DS Mapper Usage now read Enabled, then redeploy the credentials policy and check the delivery group for the Certificate ID.
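The steps above combined into one script, as an added example that is not part of the Citrix article. It reads the current binding with netsh, and only if Negotiate Client Certificate or DS Mapper Usage is Disabled does it delete and re-add the binding, re-using the certificate hash, application ID and store name from the existing binding so that only the two flags change. It then re-reads the binding to confirm the change. Run it in an elevated PowerShell session on the CA server; the 0.0.0.0:443 port, the fallback to the MY store and English-language netsh output are assumptions.

```powershell
# Added example, not from the Citrix article. Assumes an elevated PowerShell
# session on the CA server, English netsh output, and that the enrollment
# site is bound to 0.0.0.0:443 (change $IpPort if yours differs).
$IpPort = '0.0.0.0:443'

function Get-SslCertBinding {
    param([string]$IpPort)
    # Pull only the fields we need out of 'netsh http show sslcert' for one IP:port.
    $props  = @{}
    $wanted = 'Certificate Hash|Application ID|Certificate Store Name|DS Mapper Usage|Negotiate Client Certificate'
    foreach ($line in (netsh http show sslcert ipport=$IpPort)) {
        if ($line -match "^\s*($wanted)\s*:\s*(\S+)") {
            $props[$Matches[1]] = $Matches[2]
        }
    }
    return $props
}

function Test-ClientCertBinding {
    param([hashtable]$Binding)
    # Both flags must be Enabled: the first makes IIS request the client certificate,
    # the second lets the DS Mapper map that certificate to an Active Directory account.
    return ($Binding['Negotiate Client Certificate'] -eq 'Enabled') -and
           ($Binding['DS Mapper Usage'] -eq 'Enabled')
}

$binding = Get-SslCertBinding -IpPort $IpPort
if (-not $binding.ContainsKey('Certificate Hash')) {
    throw "No SSL binding found for $IpPort; run 'netsh http show sslcert' to find the port in use."
}

if (Test-ClientCertBinding -Binding $binding) {
    Write-Output "Binding on $IpPort already has Negotiate Client Certificate and DS Mapper Usage enabled."
    return
}

Write-Output ("Re-creating binding on {0} (Negotiate Client Certificate: {1}, DS Mapper Usage: {2})" -f
    $IpPort, $binding['Negotiate Client Certificate'], $binding['DS Mapper Usage'])

$hash  = $binding['Certificate Hash']
$appId = $binding['Application ID']
$store = $binding['Certificate Store Name']
if (-not $store -or $store -eq '(null)') { $store = 'MY' }   # assumption: IIS default store

# HTTPS on this port is down between the delete and the add; do this in a maintenance window.
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert ipport=$IpPort certhash=$hash appid=$appId certstorename=$store `
    verifyclientcertrevocation=enable verifyrevocationwithcachedclientcertonly=disable `
    usagecheck=enable dsmapperusage=enable clientcertnegotiation=enable

# Re-read the binding and confirm both flags changed before redeploying the credentials policy.
$after = Get-SslCertBinding -IpPort $IpPort
if (Test-ClientCertBinding -Binding $after) {
    Write-Output "Binding on $IpPort now negotiates client certificates with DS Mapper enabled."
} else {
    throw ("Binding was re-added but flags still read Negotiate Client Certificate={0}, DS Mapper Usage={1}" -f
        $after['Negotiate Client Certificate'], $after['DS Mapper Usage'])
}
```

The script deliberately copies the hash, application ID and store from the existing binding rather than hard-coding them, so the same certificate stays bound; the only intended change is the two flags. If the CA's site is bound by hostname rather than IP:port, look for it under the hostnameport section of netsh http show sslcert instead.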