RDP connection via application access fails when client certificate is set to require

Question

I've set up a VIP with a client SSL profile that requires a certificate.
The access policy on this VIP has some resource assignments: network access, rdp application access and rdp via app tunnel access.
All of these resources work just fine, except the rdp application access.
The connection is not established and the handshake gives this failure:
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 269
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 0
    Handshake Protocol: Client Key Exchange

However, another resource works just fine:
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 269
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 2647
    Handshake Protocol: Client Key Exchange

In the first capture, the certificate length is 0. In the second one it is 2647.
Now, I've set the client SSL profile to 'request' and all resources work just fine.
Can someone shed some light on this issue? Why does it fail when set to 'require'?

iainthomson85_1 · Answer

If the Client presenting a valid certificate ?&nbsp;
If its not SSL handshaking when its set to "Require", that would suggest not.&nbsp;

mreco_159588 · Answer

The client does present its client certificate when initiating the connection to obtain the full webtop. That's the second TLS excerpt.&nbsp;
When clicking the RDP resource on the full webtop, a new SSL handshake is performed, but now the client certificate is not presented and the SSL handshake fails.&nbsp;
According to F5 support this is a client issue, but I don't see how I can configure the browser to not present a certificate one time and do present a certificate the other time.&nbsp;
Any help here would be appreciated.&nbsp;

iainthomson85_1 · Answer

There's another setting on the F5 that forces a new SSL client session each time... can't remember the setting and I don't have an f5 infront of me to check.&nbsp;

mreco_159588 · Answer

I guess you mean 'Retain Certificate' under 'Client Authentication' in the Client SSL profile. I have already enabled that, but to no avail.&nbsp;

tommyv_321687 · Answer

Hi mreco, having the same issue - did you manage to find a solution?&nbsp;

Forum Discussion

RDP connection via application access fails when client certificate is set to require

5 Replies

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

ASM attack signatures not syncing between active and standby F5

Hardware BIG-IP appliance reach EOSS, but the software version running on it not yet?

VPN Communication Error with F5 BIG-IP Edge Client

simultaneous disabling / enabling of all LTM objects

Query on source IP preservation for syslog traffic through F5 virtual server

Related Content

Introducing the F5 Application Study Tool (AST)

Automating Certificate Management on F5 BIG-IP

Certificate Automation for BIG-IP using CyberArk Certificate Manager, Self-Hosted

Automatic Certificate Management with ACMEv2 in F5 BIG-IP

NGINX Management Suite API Connectivity Manager - Modern API driven Applications

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS