Forum Discussion

ratrapanta
Apr 02, 2021

Machine Cert Auth; Found match cert but failed to login

I am new to F5 APM and would like to seek help to rectify this issue. Although the certcheck manages to find a matching certificate, the client won't be able to get the logon screen and gets the message no cert. Despite going 'Successful' it will go to 'Fallback'.

This is the fmcertcheck.txt:

2021-04-02, 5:21:29:078, 7732,7436,, 48,,,, current log level = 63

2021-04-02, 5:21:29:078, 7732,7436,, 48, , 39, ::DllMain, ActiveX control location: "C:\Windows\Downloaded Program Files\f5certchk.dll"

2021-04-02, 5:21:29:594, 7732,7436,, 48, \CertCheckImpl.cpp, 43, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:1&SN:&ISSUER:CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local&SAN:RE5TIE5hbWU9cGN2cG4yLmZjc2piLmxvY2Fs, RootCertInfo:IS_TRUSTED:0, Nonce: NDdZUUhiaElWUVVoUzBneEJJN3o=

2021-04-02, 5:21:29:594, 7732,7436,, 48, \CertCheckImpl.cpp, 45, CCertCheckImpl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"true", Allow elevation UI:"true", Serial number(HEX):"", Issuer:"CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local", SubjectAltName:"DNS Name=pcvpn2.fcsjb.local"

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1247, CCertInfo::MatchCertificate, fqdn:PCVPN2.fcsjb.local

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1289, CCertInfo::MatchCertificate, CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local matches pattern CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local(extracted content="")

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1341, CCertInfo::MatchCertificate, DNS Name=pcvpn2.fcsjb.local matches pattern DNS Name=pcvpn2.fcsjb.local(extracted content =).

 

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1413, CCertInfo::FindCertificateInStoreExt: , Total certs tested: 1

2021-04-02, 5:21:29:594, 7732,7436,, 48, \certinfo.cpp, 1420, CCertInfo::FindCertificateInStoreExt: , Found matched certificate

2021-04-02, 5:21:29:609, 7732,7436,, 48, \certinfo.cpp, 1879, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key.

2021-04-02, 5:21:29:609, 7732,7436,, 48, \CertCheckImpl.cpp, 278, CCertCheckImpl::CheckPrivateKey, The machine certificate has private key on this machine

2021-04-02, 5:21:29:625, 7732,7436,, 48, \CertCheckImpl.cpp, 298, CCertCheckImpl::CheckPrivateKey, Signing message succeeded

2021-04-02, 5:21:29:625, 7732,7436,, 48, \CertCheckImpl.cpp, 150, CCertCheckImpl::Verify, Found key successfully using current user

1 Reply

  • These are the logs from the client side. Have you enabled some debug logging and checked the APM logs for the user session on F5?

    FYI - Machine certificate check requires admin rights on the client side. That's why you should deploy "Machine Certificate Checker" within the Edge Client and install EC with admin rights.
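
To make the client-side log in the question easier to read, the following added example (not part of the original thread and not F5 code) decodes the `certInfo` request and lists which steps the log records as passed. The field layout and the base64 encoding of `SAN` and `Nonce` are inferred from the posted lines only, and the function names are hypothetical.

```python
import base64
import re

# Lines copied from the fmcertcheck.txt excerpt in the question (timestamps trimmed).
LOG = r"""
\CertCheckImpl.cpp, 43, CCertCheckImpl::Verify, certInfo:STORE_NAME:MY&STORE_LOCATION:LocalMachine&ALLOW_ELEVATION:1&MATCH_FQDN:1&SN:&ISSUER:CN=fcsjb-AUTH01-CA-1, DC=fcsjb, DC=local&SAN:RE5TIE5hbWU9cGN2cG4yLmZjc2piLmxvY2Fs, RootCertInfo:IS_TRUSTED:0, Nonce: NDdZUUhiaElWUVVoUzBneEJJN3o=
\certinfo.cpp, 1247, CCertInfo::MatchCertificate, fqdn:PCVPN2.fcsjb.local
\certinfo.cpp, 1420, CCertInfo::FindCertificateInStoreExt: , Found matched certificate
\certinfo.cpp, 1879, CCertInfo::IsPrivateKeyPresent, GetPrivateKey succeeded: found private key.
\CertCheckImpl.cpp, 298, CCertCheckImpl::CheckPrivateKey, Signing message succeeded
"""


def parse_cert_info(log):
    """Split the certInfo request into fields (layout inferred from this log)."""
    m = re.search(r"certInfo:(.*?), RootCertInfo:(\S+), Nonce: (\S+)", log)
    if not m:
        raise ValueError("no certInfo line found")
    # Fields are '&'-separated KEY:value pairs; the issuer DN itself contains ', '.
    fields = dict(part.split(":", 1) for part in m.group(1).split("&"))
    # SAN is base64; the log's next line prints the same value decoded.
    fields["SAN"] = base64.b64decode(fields["SAN"]).decode("utf-8")
    fields["ROOT"] = m.group(2)
    fields["NONCE"] = base64.b64decode(m.group(3)).decode("ascii")
    return fields


def client_side_summary(log):
    """Report the requested match criteria and the steps the log records as passed."""
    req = parse_cert_info(log)
    fqdn = re.search(r"MatchCertificate, fqdn:(\S+)", log)
    san_host = req["SAN"].partition("DNS Name=")[2]
    return {
        "requested_store": f'{req["STORE_LOCATION"]}\\{req["STORE_NAME"]}',
        "requested_issuer": req["ISSUER"],
        "requested_san": req["SAN"],
        # Own consistency check: DNS names compare case-insensitively,
        # so PCVPN2 vs pcvpn2 is not a mismatch.
        "san_matches_fqdn": bool(fqdn) and fqdn.group(1).lower() == san_host.lower(),
        "cert_found": "Found matched certificate" in log,
        "private_key_found": "found private key" in log,
        "signing_succeeded": "Signing message succeeded" in log,
    }


if __name__ == "__main__":
    for key, value in client_side_summary(LOG).items():
        print(f"{key:18} {value}")
```

For this excerpt every check comes back True, which reflects only what the client-side log records; it says nothing about how the APM session evaluated the result.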