Forum Discussion

dirken
Jun 06, 2017

Client cert auth not working on Win2016

My VS has a client ssl profile bound, requiring client authentication and sending the required PKI to the client, which is a Win2016 server.

- Client Cert: require
- Trusted CAs:
- Advertised CAs:

The client (Win2016 server) initiates the connection without user interaction. A sniffer trace shows that the F5 sends a "certificate request" back to the client, together with its own cert. The next ssl packet from the Win2016 server is "certificate", but with no certificate in it, and a certificate length specified as "0".

The client cert was imported into the machine cert store, into the user cert store for the service initiating the connection etc. - nothing helped.

Any idea how to make the Win2016 server send its own cert when requested by the F5? What could possibly be the problem here?

5 Replies

  • Hello,

    As you described, it seems that your server doesn't send the certificate. Maybe you can try to install it on the local computer cert store.

    Regards

  • Kevin_K_51432
    Historic F5 Account

    Greetings Dirken,

    I have no background with Windows server, but let me offer some background on BIG-IP; there may be some overlap in behavior.

    If you wish to have a server-ssl profile to send a certificate, you must also include the key.

    If you wish to have a client-ssl profile send a certificate you must:

    • Import the certificate and key.
    • Associate the certificate and key with the client-ssl profile.
    • Associate the profile with a virtual server.

    So in summary, perhaps try importing the accompanying key and ensure whatever service (IIS?) is configured to reference the certificate and key.

    Good luck, hope you get this resolved soon!

    Kevin

    • dirken

      Hi Kevin,

      the server side is fine, my problem is the client side. The clients connecting to the VS, however, are Windows2016 servers - maybe this created a bit of confusion.

      I did not import the specific cert/key because there are several clients (Win2016) connecting to this VS. So I imported the cert of the issuing (root) ca. This cert is referenced in the client ssl profile for client authentication as trusted ca and advertised ca.

      If the ca cert was not present, the config would not even save correctly, so this should be fine. I am pretty sure it is one of two possible issues:

      1 - a general problem on the client (Win2016 server)

      2 - a problem with cert choice on the client: as there is no user initiating the connection, a popup to choose a cert will not work. It is the only cert on the client, however, and I am advertising the accepted CA exactly for this purpose.

    • Kevin_K_51432
      Historic F5 Account

      Hi Dirken,

      "the server side is fine, my problem is the client side. The clients connecting to the VS, however, are Windows2016 servers - maybe this created a bit of confusion."

      No, that's what I was expecting (Server on client side of BIG-IP). Just to reiterate, when BIG-IP is in the position of your Win2016 server, it will not send a client certificate without the key. It needs both. I'm wondering if that's your problem. Maybe an SSL standard, just a shot in the dark. Also, what service on the Windows 2016 server is making the connection? IIS or which one? Does it need to reference this key pair?

      Lastly, BIG-IP could not pass client certificates when configured to terminate SSL for the longest time. We finally implemented two different SSL proxies and they are able to do this. I wonder if your Windows server has an SSL proxy feature?

      Kevin

  • I would use Firefox just for testing. It has its own cert store. This way you can compare and rule out problems with F5.

    If you go to Internet Options, under the Content tab you can manage your certificates. You can filter out client authentication ones by selecting the corresponding intended purpose. You can import your certificate there as well.

    The other thing I would check is security. The server flavour is known to be very restricted. It may help to add your site to Local Intranet.
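As an added diagnostic for this thread (example code, not from any of the posters), the PowerShell check below answers Kevin's question about the key and dirken's question about cert choice in one pass: for each certificate in the Windows machine store it reports whether the private key can actually be opened by the current account, whether the EKU permits client authentication, and whether the chain passes through the CA that the F5 advertises in its certificate request. The advertised CA subject and the store path are placeholders; run it under the account of the service that opens the connection so the key-access result reflects that account's permissions.

```powershell
# Added diagnostic, not code from the original posts. Placeholders below must be
# replaced with the real advertised CA subject and the store the service uses.
$AdvertisedCaSubject = 'CN=EXAMPLE-ISSUING-CA, O=EXAMPLE'   # placeholder
$StorePath           = 'Cert:\LocalMachine\My'              # or Cert:\CurrentUser\My
$ClientAuthEku       = '1.3.6.1.5.5.7.3.2'                  # id-kp-clientAuth

function Test-ClientAuthCertificate {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # 1. Schannel never offers a cert whose private key it cannot open (Kevin's point).
    #    HasPrivateKey only says a key is referenced; opening it tests this account's ACL.
    $keyOpenable = $false
    if ($Cert.HasPrivateKey) {
        try {
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
            $keyOpenable = ($null -ne $rsa)
        } catch { $keyOpenable = $false }
    }

    # 2. The EKU extension, if present, must include clientAuth.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @($ekuExt.EnhancedKeyUsages | Select-Object -ExpandProperty Value)
    $ekuOk = (-not $ekuExt) -or ($ekuOids -contains $ClientAuthEku)

    # 3. The chain must build on this host and contain the advertised CA, because the
    #    client picks a cert by matching issuers against the server's CA list.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    # Subject strings are compared as Windows renders them; inspect ChainElements if this is false.
    $viaAdvertisedCa = [bool]($chain.ChainElements | Where-Object { $_.Certificate.Subject -eq $AdvertisedCaSubject })

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Issuer          = $Cert.Issuer
        NotAfter        = $Cert.NotAfter
        HasPrivateKey   = $Cert.HasPrivateKey
        KeyOpenable     = $keyOpenable
        ClientAuthEku   = $ekuOk
        ChainBuilds     = $chainOk
        ChainStatus     = (@($chain.ChainStatus | Select-Object -ExpandProperty Status) -join ',')
        ViaAdvertisedCa = $viaAdvertisedCa
        LooksEligible   = ($keyOpenable -and $ekuOk -and $chainOk -and $viaAdvertisedCa)
    }
}

Get-ChildItem $StorePath | ForEach-Object { Test-ClientAuthCertificate -Cert $_ } | Format-List
```

A cert that shows HasPrivateKey true but KeyOpenable false under the service account, or ViaAdvertisedCa false, matches the empty Certificate message seen in the trace.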