Machine Cert Auth; Found match cert but failed to login
I am new to F5 APM and would like to seek help to rectify this issue. Although the cert check managed to find a matching certificate, the client won't be able to get the logon screen and gets the message "no cert". Despite going 'Successful', it will go to 'Fallback'.
This is the fmcertcheck.txt:
2021-04-02, 5:21:29:078, 7732,7436,, 48,,,, current log level = 63
2021-04-02, 5:21:29:078, 7732,7436,, 48, , 39, ::DllMain, ActiveX control location: "C:\Windows\Downloaded Program Files\f5certchk.dll"
2021-04-02, 5:21:29:594, 7732,7436,, 48, \CertCheckImpl.cpp, 43, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:1&SN:&ISSUER:CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local&SAN:RE5TIE5hbWU9cGN2cG4yLmZjc2piLmxvY2Fs, RootCertInfo:IS_TRUSTED:0, Nonce: NDdZUUhiaElWUVVoUzBneEJJN3o=
2021-04-02, 5:21:29:594, 7732,7436,, 48, \CertCheckImpl.cpp, 45, CCertCheckImpl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"true", Allow elevation UI:"true", Serial number(HEX):"", Issuer:"CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local", SubjectAltName:"DNS Name=pcvpn2.fcsjb.local"
2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1247, CCertInfo::MatchCertificate, fqdn:PCVPN2.fcsjb.local
2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1289, CCertInfo::MatchCertificate, CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local matches pattern CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local(extracted content="")
2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1341, CCertInfo::MatchCertificate, DNS Name=pcvpn2.fcsjb.local matches pattern DNS Name=pcvpn2.fcsjb.local(extracted content =).
2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1413, CCertInfo::FindCertificateInStoreExt: , Total certs tested: 1
2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1420, CCertInfo::FindCertificateInStoreExt: , Found matched certificate
2021-04-02, 5:21:29:609, 7732,7436,, 48, \certinfo.cpp, 1879, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key.
2021-04-02, 5:21:29:609, 7732,7436,, 48, \CertCheckImpl.cpp, 278, CCertCheckImpl::CheckPrivateKey, The machine certificate has private key on this machine
2021-04-02, 5:21:29:625, 7732,7436,, 48, \CertCheckImpl.cpp, 298, CCertCheckImpl::CheckPrivateKey, Signing message succeeded
2021-04-02, 5:21:29:625, 7732,7436,, 48, \CertCheckImpl.cpp, 150, CCertCheckImpl::Verify, Found key successfully using current user
- spalande
Nacreous
These are the logs from the client side. Have you enabled some debug logging and checked the APM logs for the user session on F5?
FYI - Machine certificate check requires admin rights on the client side. That's why you should deploy "Machine Certificate Checker" within the Edge Client and install EC with admin rights.
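Added example, not part of the thread and not F5 code: a small Python triage of the fmcertcheck.txt excerpt above that decodes the base64 `SAN` and `Nonce` fields of the `certInfo` line and checks whether every client-side stage logged success, which is the situation where the APM session logs are the next place to look. The field layout and stage markers are inferred only from the log lines posted here; the names `triage`, `STAGES` and `b64_text` are hypothetical.

```python
import base64
import re

# Lines copied from the fmcertcheck.txt excerpt posted in the question.
SAMPLE_LOG = r"""
2021-04-02, 5:21:29:594, 7732,7436,, 48, \CertCheckImpl.cpp, 43, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:1&SN:&ISSUER:CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local&SAN:RE5TIE5hbWU9cGN2cG4yLmZjc2piLmxvY2Fs, RootCertInfo:IS_TRUSTED:0, Nonce: NDdZUUhiaElWUVVoUzBneEJJN3o=
2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1420, CCertInfo::FindCertificateInStoreExt: , Found matched certificate
2021-04-02, 5:21:29:609, 7732,7436,, 48, \certinfo.cpp, 1879, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key.
2021-04-02, 5:21:29:625, 7732,7436,, 48, \CertCheckImpl.cpp, 298, CCertCheckImpl::CheckPrivateKey, Signing message succeeded
2021-04-02, 5:21:29:625, 7732,7436,, 48, \CertCheckImpl.cpp, 150, CCertCheckImpl::Verify, Found key successfully using current user
"""

# Assumption: these substrings mark each client-side stage (taken from the excerpt).
STAGES = {
    "cert_matched": "Found matched certificate",
    "private_key_found": "GetPrivateKey succeeded",
    "nonce_signed": "Signing message succeeded",
    "key_verified": "Found key successfully",
}
CERTINFO_RE = re.compile(r"certInfo:(?P<info>.*?), RootCertInfo:(?P<root>\S+), Nonce: (?P<nonce>\S+)")

def b64_text(value):
    """Decode a base64 field to text; return None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None

def triage(log_text):
    """Summarise match criteria and which client-side stages logged success."""
    report = {"criteria": {}, "stages": {name: False for name in STAGES}}
    for line in log_text.splitlines():
        m = CERTINFO_RE.search(line)
        if m:
            for pair in m["info"].split("&"):
                key, _, value = pair.partition(":")  # value may itself contain ':' or ','
                report["criteria"][key] = value
            report["san"] = b64_text(report["criteria"].get("SAN", ""))
            report["nonce"] = b64_text(m["nonce"])
            report["root_cert_info"] = m["root"]  # surfaced as logged, not interpreted
        for name, marker in STAGES.items():
            if marker in line:
                report["stages"][name] = True
    report["client_side_ok"] = all(report["stages"].values())
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When `client_side_ok` is true, as it is for the posted excerpt, the client log alone does not explain the 'Fallback' branch.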