
Machine Cert Auth; Found match cert but failed to login

ratrapanta
Nimbostratus

I am new to F5 APM and would like to seek help to rectify this issue. Although the cert check manages to find a matching certificate, the client is not able to get the logon screen and gets a "no cert" message. Instead of going to 'Successful', it goes to 'Fallback'.

This is the fmcertcheck.txt:

 

2021-04-02, 5:21:29:078, 7732,7436,, 48,,,, current log level = 63

2021-04-02, 5:21:29:078, 7732,7436,, 48, , 39, ::DllMain, ActiveX control location: "C:\Windows\Downloaded Program Files\f5certchk.dll"

2021-04-02, 5:21:29:594, 7732,7436,, 48, \CertCheckImpl.cpp, 43, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:1&SN:&ISSUER:CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local&SAN:RE5TIE5hbWU9cGN2cG4yLmZjc2piLmxvY2Fs, RootCertInfo:IS_TRUSTED:0, Nonce: NDdZUUhiaElWUVVoUzBneEJJN3o=

2021-04-02, 5:21:29:594, 7732,7436,, 48, \CertCheckImpl.cpp, 45, CCertCheckImpl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"true", Allow elevation UI:"true", Serial number(HEX):"", Issuer:"CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local", SubjectAltName:"DNS Name=pcvpn2.fcsjb.local"

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1247, CCertInfo::MatchCertificate, fqdn:PCVPN2.fcsjb.local

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1289, CCertInfo::MatchCertificate, CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local matches pattern CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local(extracted content="")

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1341, CCertInfo::MatchCertificate, DNS Name=pcvpn2.fcsjb.local matches pattern DNS Name=pcvpn2.fcsjb.local(extracted content =).


2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1413, CCertInfo::FindCertificateInStoreExt: , Total certs tested: 1

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1420, CCertInfo::FindCertificateInStoreExt: , Found matched certificate

2021-04-02, 5:21:29:609, 7732,7436,, 48, \certinfo.cpp, 1879, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key.

2021-04-02, 5:21:29:609, 7732,7436,, 48, \CertCheckImpl.cpp, 278, CCertCheckImpl::CheckPrivateKey, The machine certificate has private key on this machine

2021-04-02, 5:21:29:625, 7732,7436,, 48, \CertCheckImpl.cpp, 298, CCertCheckImpl::CheckPrivateKey, Signing message succeeded

2021-04-02, 5:21:29:625, 7732,7436,, 48, \CertCheckImpl.cpp, 150, CCertCheckImpl::Verify, Found key successfully using current user


SanjayP
MVP

These are the logs from the client side. Have you enabled some debug logging and checked the APM logs for the user session on the F5?

FYI - the machine certificate check requires admin rights on the client side. That's why you should deploy "Machine Certificate Checker" within the Edge Client and install EC with admin rights.
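As an added example that is not part of the original post or the reply, and not F5's own code: the PowerShell script below approximates on the client the sequence that fmcertcheck.txt records (find a certificate in LocalMachine\My by issuer and SAN, confirm the private key is present, sign a nonce with it) and also reports whether the session is elevated, which is the condition the reply above points at. The issuer DN and the MATCH_FQDN setting are copied from the posted log; treat them, and the assumption that the key is RSA, as placeholders to adjust to your own APM Machine Cert Auth agent settings.

```powershell
# Added example, not from the thread and not F5 code. Approximates the client-side
# machine certificate check recorded in fmcertcheck.txt. Expected values are copied
# from the posted log and are placeholders for your own APM agent settings.
$ExpectedIssuer = 'CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local'
$MatchFqdn      = $true    # corresponds to MATCH_FQDN:1 in the log

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.17 is subjectAltName; Format($false) renders it as
    # "DNS Name=a, DNS Name=b" on one line (English Windows wording, as in the log).
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    return @($ext.Format($false) -split ',\s*' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { $_.Substring(9) })
}

function Test-PrivateKeyUsable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Mirrors CheckPrivateKey in the log: open the key and sign a throwaway nonce.
    # A key ACL that excludes the calling account shows up here as an exception,
    # not as HasPrivateKey being false. Assumes an RSA key.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($null -eq $rsa) { return $false }
        $nonce = New-Object byte[] 20
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
        $sig = $rsa.SignData($nonce,
            [System.Security.Cryptography.HashAlgorithmName]::SHA256,
            [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
        return ($sig.Length -gt 0)
    } catch {
        Write-Warning "Cannot sign with the private key as $env:USERNAME : $($_.Exception.Message)"
        return $false
    }
}

function Invoke-MachineCertCheck {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Write-Host ("Elevated: {0}  Host FQDN: {1}" -f (Test-IsElevated), $fqdn)

    $tested = 0
    $found  = @()
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $tested++
        if ($cert.Issuer -ne $ExpectedIssuer) { continue }
        $sans = Get-SanDnsNames -Cert $cert
        # With MATCH_FQDN the SAN pattern is the machine's own FQDN; -contains is
        # case-insensitive, which is why "PCVPN2.fcsjb.local" matched in the log.
        if ($MatchFqdn -and ($sans -notcontains $fqdn)) { continue }
        $found += $cert
    }
    Write-Host "Total certs tested: $tested; matched: $($found.Count)"

    foreach ($cert in $found) {
        $usable = Test-PrivateKeyUsable -Cert $cert
        $line = "  {0}  thumbprint={1}  HasPrivateKey={2}  KeyUsable={3}" -f $cert.Subject, $cert.Thumbprint, $cert.HasPrivateKey, $usable
        Write-Host $line
    }
    if ($found.Count -eq 0) {
        Write-Warning "No certificate in LocalMachine\My matches issuer and SAN; the client check would fail here."
    }
}

Invoke-MachineCertCheck
```

Run it once from an elevated prompt and once from a non-elevated one. If only the elevated run reports KeyUsable=True, the client-side check depends on admin rights, as the reply says. If both runs pass, the client side agrees with the posted log (one cert tested, matched, private key found, signing succeeded), and the reason for the Fallback branch has to be read from the APM session logs on the BIG-IP rather than from fmcertcheck.txt.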