Cert Based Authentication + LDAP Enrollment failing for Cloud connector- XenMobile Setup

Article ID: CTX227186

Description

Under PKI entities, Test Connectivity fails for the CA server.

XenMobile debug logs:

2017-02-06T15:30:57.847+0000 | 200B97A4C77E1C34  | ERROR | http-nio-14443-exec-61 | com.sparus.nps.pki.connector.MsCertSrvConnector | TestConnection to pki url [ certnew.cer] failed with response Headers: {null=[HTTP/1.1 401 Unauthorized], Server=[Microsoft-IIS/8.5, Microsoft-IIS/8.5], X-Cws-TransactionId=[dc1223fd-b80d-4ea1-84f7-227086cdd74e], Pragma=[no-cache], Date=[Mon, 06 Feb 2017 15:30:56 GMT], Arr-Disable-Session-Affinity=[True, True], Access-Control-Expose-Headers=[X-Cws-TransactionId], Cache-Control=[no-cache], X-AspNet-Version=[4.0.30319], Expires=[-1], Content-Length=[599], X-Powered-By=[ASP.NET, ASP.NET], Content-Type=[text/plain; charset=utf-8]}and Response Error: System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

Environment

This software application is provided to you as is with no representations, warranties or conditions of any kind. You may use and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that: (a) the software application may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the software application fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the software application. In no event should the software application be used to support ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SOFTWARE APPLICATION, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the software application.

Resolution

  • Under PKI entities, set the Authentication type to Client certificate.

  • Verify that the Cloud Connector shows as Up in the Cloud portal.

  • Ensure the Cloud Connector trusts the CA server and can request a certificate by opening https://RootCA-URL/certsrv/ in a browser on the connector.

  • Similarly, check that another Windows system in the same domain as XenMobile can request the certificate by opening https://RootCA-URL/certsrv/ in a browser.

  • Verify that a certificate has been issued for the user on the CA by checking the Issued Certificates list.

  • Verify the user certificate template:

  1. On the General tab, verify that "Publish certificate in Active Directory" is unchecked.
  2. On the Security tab, verify that Authenticated Users have the Enroll permission.
  3. On the Cryptography tab, make sure the minimum key size matches the key size configured on XenMobile.
  4. On the Subject Name tab, select "Supply in the request".
  • Run a Test Connectivity on the Cloud Connector and review the logs under C:\ProgramData\Citrix\WorkspaceCloud\Logs.

  • Reboot the Cloud Connector if any of its services is showing as down.

  • If multiple connectors are available for troubleshooting, disable all Cloud Connectors except one and verify the behaviour. Then repeat the steps above on each Cloud Connector one by one.
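The TLS error in the log ("Could not establish trust relationship for the SSL/TLS secure channel") means the connector's .NET stack did not accept the certificate presented by the CA web enrollment server. The following PowerShell diagnostic, run on the Cloud Connector, checks the same things the steps above ask for: the certificate the CA host presents, whether its chain builds against the LocalMachine store, and whether /certsrv/ answers. It is an added example, not Citrix's code; `RootCA-URL` is the placeholder host from this article and the script assumes the enrollment site listens on port 443.

```powershell
# Added diagnostic for the Cloud Connector; not part of the Citrix article.
# $CaHost is an assumption: replace with the host behind https://RootCA-URL/certsrv/.
param([string]$CaHost = 'RootCA-URL', [int]$Port = 443)

# 1. Fetch the TLS certificate the CA web server presents. Validation is skipped
#    here on purpose so the certificate can be inspected even when it is untrusted.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($CaHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($CaHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
"Server cert: $($serverCert.Subject)  issuer: $($serverCert.Issuer)  expires: $($serverCert.NotAfter)"

# 2. Name check: the connector validates the host name it dials against the certificate.
$dnsName = $serverCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$sanExt  = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
"Dialed '$CaHost'; certificate DNS name '$dnsName'; SAN: $sanText"

# 3. Build the chain with online revocation checking, as .NET does for the connector,
#    and print every reason the chain is not trusted (untrusted root, partial chain, revocation...).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk = $chain.Build($serverCert)
"Chain builds cleanly: $chainOk"
foreach ($st in $chain.ChainStatus) { "  Chain status: $($st.Status) - $($st.StatusInformation.Trim())" }

# 4. The connector runs as a machine service, so the root must be in LocalMachine\Root;
#    a root imported only into a user's CurrentUser store does not help it.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inMachineRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
"Root '$($root.Subject)' present in LocalMachine\Root: $([bool]$inMachineRoot)"

# 5. Request /certsrv/ with full validation and Windows authentication. An untrusted chain
#    reproduces the log's "Could not establish trust relationship" error; a 401 with a
#    trusted chain points at the Authentication type or the template's Enroll permission instead.
try {
    $resp = Invoke-WebRequest -Uri "https://$CaHost/certsrv/" -UseDefaultCredentials -UseBasicParsing
    "certsrv: HTTP $($resp.StatusCode)"
} catch {
    "certsrv: $($_.Exception.Message)"
}
```

Run it under the same account context the connector services use (for example via PsExec as SYSTEM) when the result differs from what an interactive user sees, since step 4 and step 5 depend on which credential and certificate store are in effect.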


Problem Cause

  • Configuration issues: the Cloud Connector is unable to trust the CA and fetch the certificate from it.

  • The Cloud Connector must have connectivity to the CA server and must be able to fetch certificates from it.

Issue/Introduction

This article summarizes the steps to verify why CBA + LDAP enrollment is failing in a customer cloud environment that uses Cloud Connector.