Forum Discussion
Client cert auth not working on Win2016
My VS has a client ssl profile bound, requiring client authentication and sending the required PKI to the client, which is a Win2016 server.
- Client Cert: require
- Trusted CAs:
- Advertised CAs:
The client (Win2016 server) initiates the connection without user interaction. A sniffer trace shows that the F5 sends a "certificate request" back to the client, together with its own cert. The next ssl packet from the Win2016 server is "certificate", but with no certificate in it, and a certificate length specified as "0".
The client cert was imported into the machine cert store, into the user cert store for the service initiating the connection etc. - nothing helped.
Any idea how to make the Win2016 server send its own cert when requested by the F5? What could possibly be the problem here?
- Jad_Tabbara__J1
Cirrostratus
Hello,
As you described, it seems that your server doesn't send the certificate. Maybe you can try to install it on the local computer cert store.
Regards
- Kevin_K_51432
Historic F5 Account
Greetings Dirken,
If you wish to have a server-ssl profile to send a certificate, you must also include the key.
If you wish to have a client-ssl profile send a certificate you must:
- Import the certificate and key.
- Associate the certificate and key with the client-ssl profile.
- Associate the profile with a virtual server.
So in summary, perhaps try importing the accompanying key and ensure whatever service (IIS?) is configured to reference the certificate and key.
Good luck, hope you get this resolved soon!
- dirken
Nimbostratus
Hi Kevin,
- Kevin_K_51432
Historic F5 Account
Hi Dirken,
"the server side is fine, my problem is the client side. The clients connecting to the VS, however, are Windows2016 servers - maybe this created a bit of confusion."
No, that's what I was expecting (Server on client side of BIG-IP). Just to reiterate, when BIG-IP is in the position of your Win2016 server, it will not send a client certificate without the key. It needs both. I'm wondering if that's your problem. Maybe an SSL standard, just a shot in the dark. Also, what service on the Windows 2016 server is making the connection? IIS or which one? Does it need to reference this key pair?
Lastly, BIG-IP could not pass client certificates when configured to terminate SSL for the longest time. We finally implemented two different SSL proxies and they are able to do this. I wonder if your Windows server has a SSL proxy feature?
Kevin
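As an added diagnostic (not part of this thread, and not F5's or Microsoft's code), the following PowerShell check, run on the Win2016 client, lists the certificates in the machine and user stores together with the properties that decide whether Schannel can present one in response to the F5's certificate request: private key present (Kevin's point), issuer among the advertised CAs, Client Authentication EKU, and a chain that builds locally. The issuer name in `$AdvertisedCAs` is a placeholder to replace with the profile's actual Advertised CAs.

```powershell
# Added diagnostic example, not from the thread. Run on the Win2016 client in an
# elevated session. Replace the issuer names below with the CAs the F5 lists in
# its "certificate request" (the client-ssl profile's Advertised CAs).
$AdvertisedCAs = @(
    'CN=Example Issuing CA, O=Example Corp'   # placeholder, not a value from the thread
)
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'          # id-kp-clientAuth

# The machine store, plus the store of whatever account the connecting
# service runs as (run this as that account for the CurrentUser part).
$Stores = 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

$Stores | ForEach-Object {
    $store = $_
    Get-ChildItem -Path $store | ForEach-Object {
        $cert = $_
        # Collect EKU OIDs; a certificate with no EKU extension is valid for any purpose.
        $ekus = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        [pscustomobject]@{
            Store            = $store
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            # Schannel will not present a certificate whose private key it cannot use.
            HasPrivateKey    = $cert.HasPrivateKey
            # Automatic selection only considers issuers named in the server's CA list.
            IssuerAdvertised = $AdvertisedCAs -contains $cert.Issuer
            ClientAuthEKU    = ($ekus.Count -eq 0) -or ($ekus -contains $ClientAuthOid)
            # Builds the chain against the local trust store (roots/intermediates present?).
            ChainValid       = $cert.Verify()
            Expired          = $cert.NotAfter -lt (Get-Date)
        }
    }
} | Format-Table -AutoSize
```

A row with HasPrivateKey, IssuerAdvertised, ClientAuthEKU and ChainValid all True (and Expired False) is a certificate the client can actually send; any False column is a likely reason for the empty Certificate message seen in the trace.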
- Daniel_Varela
Employee
I would use firefox just for testing. This has its own cert store. This way you can compare and rule out problems with F5.
If you go Internet Options, under Content tab you can manage your certificates. You can filter out client authentication ones by selecting the according intended purpose. You can import your certificate there as well.
Another thing I would check is security. Server flavour is known to be very restricted. It may help to add your site to Local Intranet.