UAG Portal with smartcard

Answers

  • Could you set up an IIS test site and configure it to "require client certificate"?

    At this point we should rule out the possibility that the issue is caused by the smartcard itself.


    // Raúl - I love this game
    Thursday, August 25, 2011 10:04 AM
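What that test site looks like in practice, as an added example (this is not code from the thread or from UAG): a throwaway HTTPS-only IIS site that requires a client certificate, so the smart card can be exercised with nothing of UAG in the path. It assumes IIS 7.x with the WebAdministration module (Windows Server 2008 R2), an elevated prompt, ASP.NET installed, port 8443 free, a directory `C:\inetpub\certtest`, and a server-authentication certificate already in `Cert:\LocalMachine\My` whose thumbprint you substitute for the placeholder. Run it on a separate IIS box rather than the UAG server, whose IIS configuration is managed by UAG.

```powershell
# Added example, not from the thread. Assumptions: IIS 7.x + WebAdministration module,
# elevated prompt, ASP.NET present, port 8443 free, server cert in Cert:\LocalMachine\My.
Import-Module WebAdministration

$siteName   = 'CertTest'
$sitePath   = 'C:\inetpub\certtest'
$port       = 8443
$serverCert = 'REPLACE_WITH_THUMBPRINT'   # placeholder: thumbprint of a cert in Cert:\LocalMachine\My

# A page that echoes what IIS saw in the TLS handshake (assumes ASP.NET is installed).
New-Item -ItemType Directory -Path $sitePath -Force | Out-Null
Set-Content -Path (Join-Path $sitePath 'default.aspx') -Value @'
<%@ Page Language="C#" %>
<html><body><pre>
IsPresent : <%= Request.ClientCertificate.IsPresent %>
Subject   : <%= Request.ClientCertificate.Subject %>
Issuer    : <%= Request.ClientCertificate.Issuer %>
</pre></body></html>
'@

# HTTPS-only site (no HTTP binding), then attach the server certificate to the port.
New-Website -Name $siteName -PhysicalPath $sitePath -Port $port -Ssl | Out-Null
Get-Item "Cert:\LocalMachine\My\$serverCert" |
    New-Item "IIS:\SslBindings\0.0.0.0!$port" | Out-Null

# Require, not merely accept, a client certificate. With SslRequireCert IIS answers
# 403.7 when the browser offers none, so the failure mode is unambiguous.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl,SslRequireCert'

# Read the effective value back; it should show Ssl,SslRequireCert.
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$siteName" `
    -Filter 'system.webServer/security/access' -Name sslFlags
```

Browse to `https://<server>:8443/` from the Windows 7 client with the smart card inserted. The expected result is a certificate prompt, a PIN prompt, and a page showing `IsPresent : True` with the card's subject. If instead there is no prompt and IIS returns 403.7, the client is not offering the certificate at all, and the place to look is the smart card CSP/minidriver and the client's trust in the issuing chain, not UAG. If this site works and the UAG portal still does not request the certificate, the problem is on the UAG side.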

All replies

  • Jaek,

    Are you getting prompted to enter your PIN, or is it going straight to the error page?

    Verify you have full trust on the PKI side. Make sure UAG trusts the issuer of the certificates (Root CA) etc.

    Another thing: make sure the UAG portal is in your Internet Explorer trusted zone.


    Thanks!
    Dennis Lee
    UAG Consultant

    Thursday, August 18, 2011 7:53 PM
  • Hi Dennis, thanks for the response!

    No, I don't get any PIN prompt; it goes straight to the error page (error 500).

    I have full trust on the PKI side, internal CA...

    The site is in trusted zone in Internet Explorer.

    My desktop is a locked-down Windows 7; I'm going to test with a clean installation today.

    //J


    jaek
    Friday, August 19, 2011 7:04 AM
  • I tested with a clean installation of Windows 7 Enterprise x64 with the same result.

    Anyone with the same problem?

    Regards


    jaek
    Friday, August 19, 2011 8:30 AM
  • Hi friend. You say you get a 500 error? That usually appears when there is something wrong in the code. Carefully check the customized file for syntax errors or mistyped names.
    // Raúl - I love this game
    Friday, August 19, 2011 11:39 AM
  • Hi Raul,


    I checked my code and found nothing wrong. I used the samples and changed the authserver in <PORTALNAME>1validate.inc, used the SubjectCN in <PORTALNAME>1cert.inc, and SubjectCN (session), CN (user) in my <REPOSITORYNAME>.inc.

    The first error I get when I trace is: ERROR:Failed to get the repository base type [DUMMY], type [DUMMY] [CacheCredentials], will use [0x00000001 (true)]

    I have an Active Directory repository with the name authserver01.

    Regards /J


    jaek
    Wednesday, August 24, 2011 8:04 AM
  • Hi friend. Can you list the files in von\internalsite\inc\customupdate? Maybe something is missing.
    // Raúl - I love this game
    Wednesday, August 24, 2011 8:11 AM
  • Hi,

    authserver01.inc

    uagportal1cert.inc

    uagportal1login.inc

    uagportal1validate.inc


    //J


    jaek
    Wednesday, August 24, 2011 8:34 AM
  • OK. Two more things:

    In uagportal1validate.inc there must be Session("repository1") = "authserver01"

    SubjectCN in the user certificate must contain the UPN or sAMAccountName of the user in Active Directory.


    // Raúl - I love this game
    Wednesday, August 24, 2011 8:54 AM
  • uagportal1validate.inc has that value.

    The certificate Subject is: E=<mylogonname>@<mydomain>.com and CN=<mylogonname>

    //J


    jaek
    Wednesday, August 24, 2011 9:27 AM
  • So, what is happening??

    Have you tried AD authentication first? Just to confirm the Active Directory settings are OK.


    // Raúl - I love this game
    Wednesday, August 24, 2011 10:23 AM
  • If I rename or delete all files in CustomUpdate I get the login prompt and can log in with my username/password, so AD seems to be OK.

    If I use the smartcard script in CustomUpdate I get the error "A Client certificate was not presented!" in my trace on the UAG server; on the client I get a 500 error.

    //J


    jaek
    Wednesday, August 24, 2011 10:43 AM
  • Once again.

    In authserver01.inc, what is the value of param_email.Name = ""? Have you set "cn" or "samaccountname"?

    Nevertheless, if the attribute is not the correct one, that should prevent the user from logging in, but the certificate still has to be requested, and in your case the certificate is not requested. Let's check a couple of things. First, on the UAG server open the Certificates MMC and in the Computer store right-click the root CA that issued the user certificate. Open Properties and on the General tab check whether "Client Authentication" is marked as an enabled purpose.

    Also, I would like you to check something else. Sometimes when putting a custom file in the CustomUpdate folder, that file is "moved" (instead of "copied") from another location and it doesn't inherit the NTFS permissions from the parent folder. Can you check that the permissions are OK?


    // Raúl - I love this game
    Wednesday, August 24, 2011 11:17 AM
  • In authserver01.inc under SessionMgrComLayer.param I have param_email.Name = SubjectCN, and under UserMgrComLayer.param I have param_email.Name = cn.

    My root certificate has "All issuance policies" and "All application policies".

    I checked the permissions and they are inherited from .\von\. I have SYSTEM, Administrators, Network Service = Full and Users = Read & Execute.

    //J



    jaek
    Wednesday, August 24, 2011 12:32 PM
  • Well, two things. I think the attributes must be enclosed in quotes. Also, if the certificate SubjectCN equals the login name and param_email.Name equals cn there will be a mismatch, as cn is in the format CN=First name last name, OU=unit, DC=..., ... I would change cn to samAccountName.

    Regarding the purposes, what I want to check is this in the properties of the Root CA on the UAG server:


    // Raúl - I love this game
    Wednesday, August 24, 2011 1:19 PM
  • I changed authserver01.inc under SessionMgrComLayer.param to param_email.Name = "SubjectCN", and under UserMgrComLayer.param I have param_email.Name = "samAccountName".

    I checked my root cert and I have Client Authentication enabled.

    I get the same error...




    jaek
    Wednesday, August 24, 2011 1:49 PM
  • I still think that tuning the attributes is the second step. The first one is to check why the certificate is not being requested. Could you please enable the CAPI2 log on the client? Event Viewer -> Applications and Services Logs -> Microsoft -> CAPI2 (right-click and enable the log if not already enabled). Then go to the UAG portal. If the certificate is requested there should be a crypto API call and there should be an entry in the log. Maybe this gives us a clue.
    // Raúl - I love this game
    Wednesday, August 24, 2011 3:09 PM
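The three checks asked for in the two posts above (root CA purposes and CustomUpdate NTFS inheritance on the UAG server, CAPI2 logging on the client), scripted as an added example that is not code from the thread or from UAG. Sections 1 and 2 run elevated on the UAG server and assume the default install path below (the `von` folder named in the thread); section 3 runs on the Windows 7 client. The EKU test in section 1 only catches roots whose certificate itself excludes Client Authentication; the per-store "enabled purposes" override set in the MMC Properties dialog is a store property, not an extension, so that part still needs the GUI check described above.

```powershell
# Added example, not from the thread. Sections 1-2: UAG server (elevated). Section 3: client.
# Assumption: default UAG install path; adjust $von if yours differs.
$von          = 'C:\Program Files\Microsoft Forefront Unified Access Gateway\von'
$customUpdate = Join-Path $von 'InternalSite\inc\CustomUpdate'
$clientAuth   = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# --- 1. Trusted root CAs in the computer store ---
# A root with no EKU extension is valid for all purposes; a root whose EKU omits
# clientAuth disqualifies every certificate chained below it, whatever the leaf says.
Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object {
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ok  = if ($eku) {
        @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $clientAuth
    } else { $true }
    New-Object PSObject -Property @{
        ClientAuthOK = $ok
        Thumbprint   = $_.Thumbprint
        Subject      = $_.Subject
    }
} | Sort-Object ClientAuthOK | Format-Table ClientAuthOK, Thumbprint, Subject -AutoSize

# --- 2. NTFS ACLs on the CustomUpdate files ---
# A file moved (not copied) into CustomUpdate keeps its old explicit ACL and stops
# inheriting from the parent; AreAccessRulesProtected = True is the tell-tale sign.
$rx = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
Get-ChildItem $customUpdate -Filter *.inc | ForEach-Object {
    $acl     = Get-Acl $_.FullName
    $readers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $rx) -eq $rx) } |
        ForEach-Object { $_.IdentityReference.Value }
    '{0,-26} inheritanceBlocked={1,-5} readers={2}' -f $_.Name, $acl.AreAccessRulesProtected, ($readers -join ', ')
}

# --- 3. CAPI2 operational log on the client ---
# Enable the log, browse to the portal, then read back what CAPI2 recorded. Seeing only
# the chain build / policy check for the server certificate, and nothing that touches
# the smart card's private key, means the browser was never asked for a client certificate.
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
Get-WinEvent -LogName Microsoft-Windows-CAPI2/Operational -MaxEvents 40 |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { if ($_.Message) { ($_.Message -split "`n")[0].Trim() } else { '' } } } |
    Format-Table -AutoSize
```

Run section 3 twice: once before browsing (to get a baseline), once right after the failed portal visit. Any file in section 2 reporting `inheritanceBlocked=True`, or whose readers do not include the account the UAG web application runs as, is the "moved instead of copied" case; `icacls <file> /reset` restores inheritance from the parent folder.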
  • I activated the CAPI2 log and tested the connection; I see the SSL check for the https connection but nothing about the smartcard.

    //J


    jaek
    Thursday, August 25, 2011 8:00 AM
  • I guess the answer is "Yes", but have you tried connecting before to other sites that require certificate authentication with that smart card?
    // Raúl - I love this game
    Thursday, August 25, 2011 8:33 AM
  • No, my test environment has no connection to the internet and I don't have any other smart card sites.


    jaek
    Thursday, August 25, 2011 9:40 AM