Forum Discussion

Greg_33216's avatar
Greg_33216
Icon for Nimbostratus rankNimbostratus
Dec 24, 2009

Using a local certificate and protected configurations

Hello,

 

 

I hope someone can help here as this has been doing my head in for a number of weeks now. I want to use a scenario on Firepass 6.1 where a resource group is protected by a 'Protected Configuration'. The main check is for a certificate installed on the machine issued by our Microsoft CA server. I have installed the client root certificate onto the firepass and this certificate is signed by our CA server and seems to have worked. Once the user has our Root Microsoft CA server certificate imported from the signing server "server01" (same one that signed the firepass certificate request) imported into their trusted store then the client web browser no longer complains that the Firepass is using a non trusted certificate.

 

 

Where I am falling apart is checking the issuing CN = "Server1" field on the certificate generated for the client machines. These certificates are using the Web server template and are signed on the same Microsoft CA server. When I view the certificate the "issued by" field shows 'server01'. I have imported them using the MMC snap into both the user store and the local machine store.

 

 

I have the pre-logon inspection running the Windows Machine Certificate Inspector and I am using inspectors check details the following way;

 

 

Cert Store Name: MY

 

Sert Store Location: Current User

 

Cert Match Rule: Issuer (regex match)

 

SubjectAltName(regex): blank

 

Issuer(regex): |CN = (server01)|

 

SerialNumber: blank

 

 

I have the logger turned on which is set to dump the certificate fields and also with a note to say "Cert Found and Verified" when session.cert_check.last_check.result ==1, "Cert found no match" when session.cert_check.last_check.result ==2 and "No Cert found" when going to fallback. I also try and dump the following logger action CN Issuer=%session.ssl.cert.issuer.cn% which only returns "CN Issuer =" with no data.

 

 

I am starting to think that it is not even finding a certificate. It always seems to go through the fallback branch. The client side pre-logon process shows the message that it is checking for certificates and google desktop etc... so I am sure the right inspection sequence is being used.

 

 

Any help would be much appreciated. I try and work out as much as I can myself before calling in the cavalry but so far have come up blank with my own efforts and finding a similar scenario in a posting somewhere.

 

 

cheers,

 

Greg

 

APM
remote access
security

13 Replies

Sort By
  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Dec 29, 2009
    Can you enable the session variables and logon? Then post them if you can. Once you post them we can tell.
  • Greg_33216's avatar
    Greg_33216
    Icon for Nimbostratus rankNimbostratus
    Dec 30, 2009
    It looks like it does not like my certificate......

     

     

    Session Variable %session.cert_check.cert_check9187.far_ispector_version%= ' '

     

    Session Variable %session.cert_check.cert_check9187.agent_id%= ' F5_win_cert_check '

     

    Session Variable %session.cert_check.cert_check9187.agent_version%= ' 1.0 '

     

    Session Variable %session.cert_check.cert_check9187.data_version%= ' 1.0 '

     

    Session Variable %session.cert_check.cert_check9187.id%= ' cert_check9187 '

     

    Session Variable %session.cert_check.cert_check9187.result%= ' 0 '

     

    Session Variable %session.cert_check.cert_check9187.message%= ' The certificate is not valid. '

     

    Session Variable %session.cert_check.last_check.far_ispector_version%= ' '

     

    Session Variable %session.cert_check.last_check.agent_id%= ' F5_win_cert_check '

     

    Session Variable %session.cert_check.last_check.agent_version%= ' 1.0 '

     

    Session Variable %session.cert_check.last_check.data_version%= ' 1.0 '

     

    Session Variable %session.cert_check.last_check.id%= ' cert_check9187 '

     

    Session Variable %session.cert_check.last_check.result%= ' 0 '

     

    Session Variable %session.cert_check.last_check.message%= ' The certificate is not valid. '

     

     

     

    This may have something to do with how I originally installed the certificate from our MS CA server I would say. I might try going through the setup of all this again to see if this resolves the problem.
  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Dec 30, 2009
    Can you post your check for session.cert_check.cert_check9187

     

     

    The paramaters for the check at least.
  • Greg_33216's avatar
    Greg_33216
    Icon for Nimbostratus rankNimbostratus
    Dec 31, 2009
    The parameters are the same as I posted in the 1st message. A screen shot is attached. I've also attached a screenshot of the sequence I am using to test this all with. Thanks for your help to by the way.

     

     

    cheers,

     

    Greg

     

     

  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Dec 31, 2009
    When you installed the certificate on the local machine where did you store it? I believe you have to set the location to local machine. I never got the user store working right.
  • Greg_33216's avatar
    Greg_33216
    Icon for Nimbostratus rankNimbostratus
    Dec 31, 2009
    I've used the MMC to install it both locally and in the current user profile. Tweaking the inspector to check for local machine as opposed to current user has the same result.

     

     

    Incidently, the store name is "MY". Would changing this to "Personal" to match the name on the tab in windows make a difference? I'm unsure as to what this "MY" refers to.

     

     

    cheers,

     

    Greg

     

     

  • Mike_61719's avatar
    Mike_61719
    Icon for Cirrus rankCirrus
    Dec 31, 2009

    Posted By Greg on 12/31/2009 7:43 AM

     

     

    I've used the MMC to install it both locally and in the current user profile. Tweaking the inspector to check for local machine as opposed to current user has the same result.

     

     

    Incidently, the store name is "MY". Would changing this to "Personal" to match the name on the tab in windows make a difference? I'm unsure as to what this "MY" refers to.

     

     

    cheers,

     

    Greg

     

     

     

     

     

    What does it show up as in IE? Under Personal or trusted or Intermediate?

     

     

    What about the registry? Check to see which location it is in. Remember it depends on who installs it when trying to access it.

     

     

    HKEY_LOCAL_MACHINE

     

    HKEY_CURRENT_USER
  • Mike_Ho's avatar
    Mike_Ho
    Icon for Cirrus rankCirrus
    Jan 11, 2010
    The "MY" store is the same thing as the Personal store.

     

     

    Are you sure your issuing certificate regex is correct? I had a heck of a time creating a regex for an issuer check and ultimately I ended up matching on the entire issuer string. That would only be a problem if you in fact have multiple issuing CAs.

     

  • Greg_33216's avatar
    Greg_33216
    Icon for Nimbostratus rankNimbostratus
    Jan 12, 2010
    Thanks Mike and Michael for getting back on this one.

     

     

    I think I have got it to the point where it is looking at the certificate now. As you say though, the regex is quite a mission to get working.

     

     

    When I use the string; ^.*CN=server01, DC=subdomain, DC=domain, DC=com.*$ is get a "The certificate is not valid.

     

     

    Session Variable %session.cert_check.last_check.agent_id%= ' F5_win_cert_check '

     

    Session Variable %session.cert_check.last_check.agent_version%= ' 1.0 '

     

    Session Variable %session.cert_check.last_check.data_version%= ' 1.0 '

     

    Session Variable %session.cert_check.last_check.id%= ' cert_check9187 '

     

    Session Variable %session.cert_check.last_check.result%= ' 0 '

     

    Session Variable %session.cert_check.last_check.message%= ' The certificate is not valid

     

     

    If I use the string 'CN=server01, DC=subdomain, DC=domain, DC=com' I get "The specified certificate is NOT installed on the client computer";

     

     

    Session Variable %session.cert_check.last_check.far_ispector_version%= ' '

     

    Session Variable %session.cert_check.last_check.agent_id%= ' F5_win_cert_check '

     

    Session Variable %session.cert_check.last_check.agent_version%= ' 1.0 '

     

    Session Variable %session.cert_check.last_check.data_version%= ' 1.0 '

     

    Session Variable %session.cert_check.last_check.id%= ' cert_check9187 '

     

    Session Variable %session.cert_check.last_check.result%= ' 0 '

     

    Session Variable %session.cert_check.last_check.message%= ' The specified certificate is NOT installed on the client computer.

     

     

    I've attached a couple of screenshots with my regex statement and the certificate. These are mock ups as I don't really want to be posting the real stuff obviously for security reasons. If anyone can tell me where my regex has gone wrong it will be very much appreciated.

     

     

    cheers,

     

    Greg

     

  • Mike_Ho's avatar
    Mike_Ho
    Icon for Cirrus rankCirrus
    Jan 15, 2010
    The one key thing you haven't shown us is that in Device Management -> Security -> Certificates you have installed the issuing certificate in the "Client Root Cert(s)" store. Click "details" next to the CA cert and verify it has the correct subject identifier.