Machine Certificate Check - why does it fail?
Hi, I am trying to implement machine certificate check for Edge Client users. The machine certificate is stored in the default MY store and I assume I have configured the APM action correctly with: MY / LocalMachine / CA Bundle / YES to right elevation prompts. The connection fails always on machine certificate check with these entries in APM log: debug /Common/ap_edge_client:Common:4d76a881: MachineCert agent: ENTER Function executeInstance info /Common/ap_edge_client:Common:4d76a881: Executed agent '/Common/empty_act_machinecert_auth_ag', return value 0 info /Common/ap_edge_client:Common:4d76a881: Following rule 'fallback' from item 'Machine Cert Auth' to item 'Log F' info /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert./Common/empty_act_machinecert_auth_ag.result' set to '-2' info /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert.last.result' set to '-2' Edge client log file contains these entries: 0,2018-08-09,11:04:34:936,APPCTRL,7384,8484,Starting pending session ID: 4d76a881 48,2018-08-09,11:04:35:431,APPCTRL,7384,8484,URL: https:///my.policy 48,2018-08-09,11:04:36:330,APPCTRL,7384,8484,Cookie MRHSession not set 1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failure 1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failed - redirect (0x80070005) 0,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Failed to establish session 4d76a881 I set the logging levels for this APM policy to debug for everything, but still none of the logs tell me what could be causing the problems. Is it my VPE action setting, is it perhaps something with CA, or the client rights? How should I identify the root cause here? What more can I do more to troubleshoot beside trying every possible set of settings in the APM machine certificate check action? Any help really appreciated! thx.
Securing Office 365 with APM as IdP
I'm evaluating using APM as a SAML identity provider for Office 365, but I'm struggling to find ways to effectively secure access as per my specification. Windows/ Mac OS, only permit corporate devices. Mobile, only permit via MDM solution (TBC). I have implemented device based certificate checks with OCSP, which although a little clunky (cert checker service deployed via GPO) works well on Windows. On Mac OS I have the same check working for administrators in Safari; although the Office 2016 clients, I'm guessing implement a cut down browser for modern authentication redirection which seemingly doesn't support plug-ins. User certificates don't seem appropriate here as it's the device I'm looking to validate, not the user. I considered whether anything could be done coupling user certs with client side SSO, to remove the login page, but I'm guessing failing to authenticate (on a non-corp device) with Kerberos would result in the browser prompting for credentials, allowing manual input of credentials? Has anybody got any suggestions, or perhaps any examples? My current policy is getting quite complex. Cheers.Add Machine Cert Auth to APM profile
I'm currently running APM with the Exchange iapp, I've been given a requirement that machines accessing owa must have a cert issued by our internal CA. I've added the machine cert auth to my APM policy but have yet to test successfully. I don't have any F5 agent installed, is this required? User accounts have permissions to read the certificate store localcomputer\My Here's what I have in the access log. 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: Received User-Agent header: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko. 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: New session from client IP x.x.x.x (ST=Missouri/CC=US/C=NA) at VIP 10.x.xx.xxx Listener /Common/PKI-testing-vs (Reputation=Unknown) 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: Following rule 'fallback' from item 'Start' to item 'Machine Cert Auth' 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: MachineCert agent: ENTER Function executeInstance 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: Executed agent '/Common/machinecert-access_act_machinecert_auth_ag', return value 0 2017-02-01 08:56:56 /Common/machinecert-access:Common:5c44bc1d: Following rule 'fallback' from item 'Machine Cert Auth' to ending 'Deny'
APM Machine Cert Auth unable to find the private key
I have been doing some testing within a customer environment for a SSL VPN solution. As part of the solution, a machine cert must be checked and validated before the logon page. My problem is that everytime the process exits through the "Found" rule, which according to F5 doc means no private key has been found. But my testing is based on a standalone edge client on windows 7 that includes the machine checker service, I also use local admin for all testing. Looking into the cert itself, it definitely has an associated private key, there is an interesting issue that the key has a blank subject field, the DNS FQDN is specified in the SAN field. I doubt whether this is related to the issue that edge client can't find the private key. Has anyone seen this before. Thanks in advance.
machine cert auth agent doesn't check on private keys?
hi out there I have still problems with the machine cert auth agent in my apm policy - it seems as if it cannot verify if the the certificate contains the private key or not - I tried to export a certificate with non-exportable private keys and import it again so that no private key exist on the client - the agent still return "1" and lets me pass the authentication successfull even though I would expect that it should return "2" and hereby indicate correct certificate but without private keys what can I do? best regards /timachine cert auth agent doesn't check on private keys?
hi out there I have still problems with the machine cert auth agent in my apm policy - it seems as if it cannot verify if the the certificate contains the private key or not - I tried to export a certificate with non-exportable private keys and import it again so that no private key exist on the client - the agent still return "1" and lets me pass the authentication successfull even though I would expect that it should return "2" and hereby indicate correct certificate but without private keys what can I do? best regards /ti
Basic Machine Cert inspection in APM Policy
Hi Guys Just a newbie question here I guess. I need to setup a basic Machine Cert Auth action in my access policy. I've read the documentation but it just describe it, just not naming conventions etc. I've checked my PC and I get a valid machine certificate and its stored in Certificates (Local Computer)\Personal\Certificates. Its a valid machine cert issued to the machine with the correct FQDN and issued by my Subordinate CA. In the Machine Cert Auth action, I'm not sure what to name the Certificate Store. I've tried personal and personal\certificates but I'm not sure if its actually finding the certificate. Certificate Store Location is LocalMachine. CA Profile is /Common/certificateauthority (all default settings - can't seem to select a valid CA cert inside this profile it just keeps resetting to none) OCSP Responder is None Certificate Match Rule SubjectCN Match FQDN It doesnt need to be fancy just yet. All I want it to do is check that it has a valid machine cert issued from our internal CA and that it hasn't expired. THen it passes on to the next auth method. No idea where to start really, the only error I can see if the reports is machinecert_auth_ag.result -2 I can't even tell if the policy is finding the certificate. HELP!? :)
