RDP connection via application access fails when client certificate is set to require

Question

I've set up a VIP with a client SSL profile that requires a certificate.
The access policy on this VIP has some resource assignments: network access, rdp application access and rdp via app tunnel access.
All of these resources work just fine, except the rdp application access.
The connection is not established and the handshake gives this failure:
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 269
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 0
    Handshake Protocol: Client Key Exchange

However, another resource works just fine:
TLSv1.2 Record Layer: Handshake Protocol: Multiple Handshake Messages
    Content Type: Handshake (22)
    Version: TLS 1.2 (0x0303)
    Length: 269
    Handshake Protocol: Certificate
        Handshake Type: Certificate (11)
        Length: 3
        Certificates Length: 2647
    Handshake Protocol: Client Key Exchange

In the first capture, the certificate length is 0. In the second one it is 2647.
Now, I've set the client SSL profile to 'request' and all resources work just fine.
Can someone shed some light on this issue? Why does it fail when set to 'require'?

iainthomson85_1 · Answer

If the Client presenting a valid certificate ?&nbsp;
If its not SSL handshaking when its set to "Require", that would suggest not.&nbsp;

mreco_159588 · Answer

The client does present its client certificate when initiating the connection to obtain the full webtop. That's the second TLS excerpt.&nbsp;
When clicking the RDP resource on the full webtop, a new SSL handshake is performed, but now the client certificate is not presented and the SSL handshake fails.&nbsp;
According to F5 support this is a client issue, but I don't see how I can configure the browser to not present a certificate one time and do present a certificate the other time.&nbsp;
Any help here would be appreciated.&nbsp;

iainthomson85_1 · Answer

There's another setting on the F5 that forces a new SSL client session each time... can't remember the setting and I don't have an f5 infront of me to check.&nbsp;

mreco_159588 · Answer

I guess you mean 'Retain Certificate' under 'Client Authentication' in the Client SSL profile. I have already enabled that, but to no avail.&nbsp;

tommyv_321687 · Answer

Hi mreco, having the same issue - did you manage to find a solution?&nbsp;

Forum Discussion

RDP connection via application access fails when client certificate is set to require

5 Replies

Recent Discussions

HOW TO HIRE A HACKER TO RECOVER STOLEN BITCOIN. CONTACT FASTFUND RECOVERY

Block CBC

Error while running ansible

URL

Portal Access to HTTPS resources slow

Related Content

Re: Management Certificate

Application Programming Interface (API) Authentication types simplified

Enhance your Application Security using Client-side signals

My Security+ Certification Journey

F5 BIG-IP per application Red Hat OpenShift cluster migrations