Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Machine Certificate Check - why does it fail?

Hi,

I am trying to implement machine certificate check for Edge Client users.

The machine certificate is stored in the default MY store and I assume I have configured the APM action correctly with: MY / LocalMachine / CA Bundle / YES to right elevation prompts.

The connection fails always on machine certificate check with these entries in APM log:

debug  /Common/ap_edge_client:Common:4d76a881: MachineCert agent: ENTER Function executeInstance
info   /Common/ap_edge_client:Common:4d76a881: Executed agent '/Common/empty_act_machinecert_auth_ag', return value 0
info   /Common/ap_edge_client:Common:4d76a881: Following rule 'fallback' from item 'Machine Cert Auth' to item 'Log F'
info   /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert./Common/empty_act_machinecert_auth_ag.result' set to '-2'
info   /Common/ap_edge_client:Common:4d76a881: Session variable 'session.check_machinecert.last.result' set to '-2'

Edge client log file contains these entries:

0,2018-08-09,11:04:34:936,APPCTRL,7384,8484,Starting pending session ID: 4d76a881
48,2018-08-09,11:04:35:431,APPCTRL,7384,8484,URL: https://<our_hostname>/my.policy
48,2018-08-09,11:04:36:330,APPCTRL,7384,8484,Cookie MRHSession not set
1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failure
1,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Authentication failed - redirect (0x80070005)
0,2018-08-09,11:04:36:498,APPCTRL,7384,8484,Failed to establish session 4d76a881

I set the logging levels for this APM policy to debug for everything, but still none of the logs tell me what could be causing the problems.

Is it my VPE action setting, is it perhaps something with CA, or the client rights?

How should I identify the root cause here? What more can I do more to troubleshoot beside trying every possible set of settings in the APM machine certificate check action?

Any help really appreciated! thx.

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi,

Machine certificate check require Admin right on the client side. That's why you should deploy "Machine Certificate Checker" within the Edge Client and install EC with admin rights.

Then, in addition to the Trusted CA, you need to add Common Name or Issuer matching text to the Machine Certificate Check in the VPE.

0
Comments on this Answer
Comment made 4 months ago by Martin Vlasko 300

Hi,

I did not mention it, but all that I have done already. The checker is installed together with the EC and the whole thing has been installed with admin rights.

In APM policy machine certificate check action I do have the 'Match subject CN with FQDN' set to YES and even the 'Match Issuer' set to the correct string.

I mean, I am pretty sure I managed to configure everything based on the available documentation. My question here was more the direction... if it does not work for whatever reason, what is the way to find out why is it not working?

I cannot imagine there is no way to somewhere see the real actual reason of the error, it must be written somewhere.. I just don't know where, couldn't find it yet.

Looks like I will have to open a ticket with F5 support.

0
Comment made 4 months ago by Yann Desmarest 4478

Hi,

You can check the log file on the client itself. It will help you to understand the problem.

You can also download F5 CTU (Client Troubleshooting Utility) and run it on the client.

https://support.f5.com/csp/article/K12444

0
Comment made 4 months ago by Martin Vlasko 300

Hi there,

Log file from the client I checked already, it's in my original post above. Not really helpful the messages in it.

But I can give a try to the CTU, I thought it would produce just the same type of logs as I already have, but I will give it a try and let's see.

thx for the tip.

0