Hamish
Sep 27, 2012

Debug client side checks in windows

Does anyone know how to debug client side checks in Windows? I can get client-side checks working fine in Mac. And debug it because the install has a handy f5networks.conf file. And even tells you where to shove it, and what the values all do...

But I can't find the equivalent on any Windows laptops, and can't get any client-side checks to work beyond running processes... The docs for machine cert checks are pretty vague, and the F5 docs don't seem to talk the same language as Windows docs (Shades of Trunks vs Etherchannels here!)

Anyone got any ideas? The user directory seems void of config files by default in Windows. And a search of the whole filesystem reveals no files called f5networks.conf

H

6 Replies

  • H,

    What are you trying to debug exactly? Have you run the OESIS Diagnostics Tool on your workstation? Does that give you the output you need?

    Seth
  • Hamish

    OESIS doesn't even mention anything about certs, except a line that says

    GetActiveClientCertificates, (0 ms) result: Not implemented

    It's the same whether the utility runs as a normal user, or the local Administrator user (Which I assume is equivalent of Unix/Linux root - I won't apologise for being a Unix/Linux guy and not Windows. I'd probably seriously consider suicide if I had to work on Windows every day).

    Now whether this means OESIS doesn't do certs (Which seems strange since Windows machine certs are documented as working on APM), or perhaps it's a Windows thing (XP SP3 32Bit). I know the certs are there, because the admins have shown me in some console interface they have.

    H
  • H,

    Not trying to convert you to a Windows world... unfortunately it is the world everybody else lives in. :)

    What exactly are you trying to accomplish here?? From your previous post you said something about the machine certificates... is this the inspector you are questioning?

    If it is certs you are trying to validate then you can use the winhttpcertcfg.exe script from Microsoft. This is also the script that allows you to grant access to the private key for non-admins. http://support.f5.com/kb/en-us/solutions/public/9000/000/sol9017.html

    If you want to grant access to the cert then you use the "-g" switch; if you want to list then you use the "-l" switch.

    Is this what you are looking for? You can also view the certificate via the mmc console

    1. "Go to Start -> Run" and type "mmc"

    2. "File" -> "Add/Remove Snap-in"

    3. In the box for "Available Snap-ins" select "Certificates" and click "Add"

    4. YOU NEED TO BE AN ADMIN TO VIEW THE MACHINE CERTIFICATE

    5. Select "Computer Account" and then "Next"

    6. Select "Local Computer" and then "Finish"

    7. Select "OK" and now you should see certificates on the left of the console.

    8. Expand "Certificates" - "Personal" - "Certificates" and then you will see a list of the certs for that machine.

    Hopefully this information will help you in what you are looking for... if not please let me know what you are looking for and we will see if we can get it for you.

    Thanks,

    Seth Cooper
  • Hamish

    Thanks. I'll ignore the rest of the world bit. I'll never surrender.

    winhttpcertcfg was already looked at (It's mentioned in one of the APM manuals IIRC). And is only concerned with adding access to the PRIVATE key... You can just verify the PUBLIC key of the cert (That's the unverified exit from check_machine_cert). But my issue is that OESIS doesn't even find that. Even for administrator...

    Is there a way to map the repository name (In F5 the default is MY) to the location of the certs (LOCAL Machine - Certificates - Personal) ? I'm wondering if that's the issue... Although I'd expect the oesis test tool to at least LIST all the certs it COULD find...

    Cheers

    H


  • The machine inspector will check machine certificates so that puts you in the correct store. MY does map to the personal store on the machine... is there another store you are wanting to map to?

    Thanks,

    Seth
  • Hamish

    Ah. So MY maps to Personal-Certificates... No, that's the one. Pity they don't use the same names.. That'd save confusion.

    I'm starting to suspect the original Windows guys who built these things (Sadly not around to ask any more) have done something in their locking down of the laptops. I'm going to ask the current ones to try a generic Windows build to prove who's breaking it :)

    H
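
Added example, not part of the original thread and not F5 or OESIS code: a read-only PowerShell listing of the "MY" store discussed above, for both Local Computer and Current User, so a certificate installed into the wrong location or missing its private key shows up at once. It assumes PowerShell is installed on the workstation (it is a separate download on XP SP3) and an elevated prompt; the function name `Get-StoreCertSummary` is hypothetical.

```powershell
# Added example: "My" is the API name of the store the MMC snap-in shows as "Personal".
function Get-StoreCertSummary {
    param(
        [string]$StoreName = 'My',
        [string]$StoreLocation = 'LocalMachine'   # or 'CurrentUser'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    try {
        # ReadOnly + OpenExistingOnly: never create or modify a store while diagnosing.
        $flags = [System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, OpenExistingOnly'
        $store.Open($flags)
    } catch {
        Write-Warning ("Cannot open {0}\{1}: {2}" -f $StoreLocation, $StoreName, $_.Exception.Message)
        return
    }
    try {
        $now = Get-Date
        foreach ($cert in $store.Certificates) {
            New-Object PSObject -Property @{
                Store         = "$StoreLocation\$StoreName"
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotAfter      = $cert.NotAfter
                InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
                HasPrivateKey = $cert.HasPrivateKey
                Thumbprint    = $cert.Thumbprint
            }
        }
    } finally {
        $store.Close()
    }
}

# Compare the machine store with the user store of whoever runs the script.
$machine = @(Get-StoreCertSummary -StoreLocation LocalMachine)
$user    = @(Get-StoreCertSummary -StoreLocation CurrentUser)

($machine + $user) |
    Select-Object Store, Subject, Issuer, NotAfter, InValidity, HasPrivateKey, Thumbprint |
    Format-List

if ($machine.Count -eq 0) {
    Write-Warning 'LocalMachine\My returned no certificates for this account.'
}
```

If the MMC snap-in shows a machine certificate but this listing is empty or fails to open the store, the difference is in what the running account is allowed to read, which is the lockdown question raised in the last post.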