Help With Client Certificate Authentication (CBA) using Third Party Client Certificates

  • Question

  • We are currently using ADFS 2016 and WAP 2016 to publish several internal web applications (Internet --> WAP --> ADFS <--> Internal). All Forms based, WIA and device based authentication is working without any issues. My problem is that I can't get client certificate authentication (CBA) working when using third party certificates. I need to allow employees with third party client certificates to authenticate using these certificates. Additionally, CBA works fine when using client certificates issued from our internal PKI, just not when using the third party client certificates. Any help is greatly appreciated. I have noted some additional info below.

    # Root Certificates #

    The third party root certificate has been placed in the Trusted Root Store on all ADFS and WAP servers.

    It has also been placed in the Trusted Root Store on the client's machine.

    # Intermediate CA (Issuing) Certificates #

    The third party Intermediate root certificate has been placed in the Intermediate CA Store on all ADFS and WAP servers.

    It has also been placed in the Intermediate CA Store on the client's machine.

    The Intermediate root certificate has been placed in the NTAUTH store and has been verified on all ADFS and WAP servers

    # Client Certificate #

    The third party client certificates have been imported into AD for the employee user accounts.

    The client certificates include the correct CN and E values in the Subject attribute of the certificate

    The client certificates include the RFC822 Name value only (user@company.com) in the Subject Alternative Name attribute of the certificate

    The client certificates include the Client Authentication (1.3.6.1.5.5.7.3.2) and Secure Email (1.3.6.1.5.5.7.3.4) values in the Enhanced Key Usage attribute of the certificate

    # Other Info #

    Claim rules for the certificate issuer and serial number have been configured on the claims provider and relying party.

    https://blogs.msdn.microsoft.com/samueld/2016/07/19/adfs-certauth-aad-o365/
    https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-user-certificate-authentication

    All third party roots and client certificates on the ADFS and WAP servers chain correctly and are trusted

    All CRLs for the third party certificates resolve and are accessible on the ADFS and WAP servers

    All required ports are open on the firewalls (Internal PKI works)

    # ADFS Errors #

    -- Event ID 364

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    wsfed

    Relying Party:
    urn:federation:MicrosoftOnline

    Exception details:
    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CreateFromCertificate(X509Certificate2 certificate, Boolean useWindowsTokenService, String issuerName)
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSignOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.BuildSsoSecurityToken(WSFederationSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.WSFederation.WSFederationProtocolHandler.ProcessSingleSignOn(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

    Event ID: 111

    The Federation Service encountered an error while processing the WS-Trust request.
    Request type: http://schemas.microsoft.com/idfx/requesttype/issue

    Additional Data
    Exception details:
    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CreateFromCertificate(X509Certificate2 certificate, Boolean useWindowsTokenService, String issuerName)
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)

    -- Event ID 364

    Encountered error during federation passive request.

    Additional Data

    Protocol Name:
    Saml

    Relying Party:
    http://sts.company.com/adfs/services/trust

    Exception details:
    System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.KerberosCertificateLogon(X509Certificate2 certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CertificateLogon(X509Certificate2 x509Certificate)
       at Microsoft.IdentityModel.Claims.WindowsClaimsIdentity.CreateFromCertificate(X509Certificate2 certificate, Boolean useWindowsTokenService, String issuerName)
       at Microsoft.IdentityModel.Tokens.X509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityTokenHandler.ValidateToken(SecurityToken token)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.GetEffectivePrincipal(SecurityTokenElement securityTokenElement, SecurityTokenHandlerCollection securityTokenHandlerCollection)
       at Microsoft.IdentityServer.Web.WSTrust.SecurityTokenServiceManager.Issue(RequestSecurityToken request, IList`1& identityClaimSet, List`1 additionalClaims)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.SubmitRequest(MSISRequestSecurityToken request, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestBearerToken(MSISRequestSecurityToken signInRequest, Uri& replyTo, IList`1& identityClaimCollection)
       at Microsoft.IdentityServer.Web.Protocols.PassiveProtocolHandler.RequestSingleSignOnToken(ProtocolContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSsoSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken, SecurityToken& ssoSecurityToken)
       at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.ProcessSingleSignOn(ProtocolContext context)
       at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
       at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

    Friday, October 20, 2017 3:07 AM

All replies

  • Hey.

    Have you been able to solve this problem?
    Wednesday, October 9, 2019 7:15 AM
  • You need the userPrincipalName in the subjectAlternativeName, or you would need to enable altSecurityIdentities mappings. For more information see: https://blogs.msdn.microsoft.com/spatdsg/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute/
    Thursday, October 10, 2019 12:18 PM
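
A helper for the altSecurityIdentities route suggested in the reply above, added here as an example and not part of the original thread. It checks whether the client certificate carries a UPN in its SAN (the certificates in this thread carry only the RFC822 name) and builds the issuer plus serial-number mapping value, which matches the issuer/serial claim rules the question already mentions; `$CertPath` and `$SamAccountName` are placeholders, and the write to AD is behind `-Apply`.

```powershell
# Added example (not from the thread): inspect a third-party client certificate and
# produce the altSecurityIdentities value for the issuer + serial number mapping.
# $CertPath (a .cer export of the user's client certificate) and $SamAccountName
# (the AD account to map) are placeholders.
param(
    [string]$CertPath = 'C:\temp\user-client.cer',
    [string]$SamAccountName = 'jdoe',
    [switch]$Apply
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Does the SAN (OID 2.5.29.17) carry a UPN (OID 1.3.6.1.4.1.311.20.2.3)?
#    Windows renders that entry as "Principal Name=" in the decoded extension text.
#    If it is present the DC can map the user directly; if not, a mapping is required.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$hasUpn = ($null -ne $san) -and ($san.Format($true) -match 'Principal Name=')
"UPN present in SAN: $hasUpn"

# 2. Issuer DN for <I>: root-first order with no spaces after the commas,
#    i.e. the reverse of the leaf-first order the certificate displays.
#    Format($true) yields one RDN per line, which is safer than splitting on commas.
$rdns = @($cert.IssuerName.Format($true) -split "`r?`n" | Where-Object { $_ -ne '' })
[array]::Reverse($rdns)
$issuer = $rdns -join ','

# 3. Serial number for <SR>: the hex bytes in reverse order of what the certificate shows.
function ConvertTo-ReversedSerial([string]$Hex) {
    $pairs = @(for ($i = 0; $i -lt $Hex.Length; $i += 2) { $Hex.Substring($i, 2) })
    [array]::Reverse($pairs)
    return (-join $pairs)
}
$serial = ConvertTo-ReversedSerial $cert.SerialNumber

$mapping = "X509:<I>$issuer<SR>$serial"
"altSecurityIdentities value: $mapping"

# 4. Write the mapping to the user object (needs the ActiveDirectory module and rights
#    on the account) and read it back to confirm it landed.
if ($Apply) {
    Import-Module ActiveDirectory
    Set-ADUser -Identity $SamAccountName -Add @{ altSecurityIdentities = $mapping }
    (Get-ADUser -Identity $SamAccountName -Properties altSecurityIdentities).altSecurityIdentities
}
```

Run it once without `-Apply` and compare the printed value against the mapping formats in the linked blog post before writing it to the account.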