
Client cert auth on NS has started failing after working perfectly


Hi all:

I'm frustrated by a recent development in our Citrix environment. We're using client certificate authentication in tandem with LDAP to authenticate users to our environment. The client certs are coming from US DoD CAC cards. Once the certificate authentication is successful, the NetScaler performs a lookup to Active Directory to find the user; if the user is found, they are fully authenticated and passed along to StoreFront.

After purring along perfectly smoothly for about a year, our users are now reporting failures at the NS/certificate level. The message is shown below: "Invalid Certificate presented." Nothing has changed with the root CAs we have installed on the NS; I went so far as to update them all from the DoD site as well, with no change. I've been able to replicate the issue on another Windows machine.

Unfortunately, since this is happening at the SSL/handshake level, there are no entries in the /tmp/aaad.debug auth log. Is there another log I can find these failures in?

I also upgraded the NS to the latest version of ADC that our license allows, and the behavior is identical. To further complicate things, it appears that this problem only exists on Windows client machines. Macs seem to be fine. I'm wondering if a recent W10 update has changed something which is causing this process to break.

Has anyone else hit this? I don't know where to turn next, since I have no logs to examine.




Update: I've been able to replicate this issue using a fresh install of Windows 10 v. 1703. So, that shoots my theory of a W10 update changing something.

I've been poring through Wireshark logs, comparing a successful connection to another server against this one (which is failing), and can't find the issue yet.

Have tried a number of small changes in the Virtual Server SSL setup as well as the 'Advanced SSL settings' for the entire NetScaler. No love yet.

Ideas appreciated! ;)



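When a client-certificate failure happens inside the TLS handshake, as described in this thread, the two things worth pulling out of the capture are the list of CA names the server sends in its CertificateRequest (the client will only offer a certificate chaining to one of those, and the server will only accept one that does) and the Alert record the server sends back after the client's Certificate message, whose description code says why the certificate was rejected. The following script is an added example for doing that comparison offline on a byte stream dumped from a capture; it is not from the original post or from Citrix, and the TLS records it parses are constructed inline (a CertificateRequest naming a placeholder "Example Root CA" followed by a fatal unknown_ca alert). It only works on the plaintext part of a TLS 1.2 handshake, which is where Certificate, CertificateRequest and a server's immediate rejection alert sit; under TLS 1.3 these messages are encrypted and a capture alone will not show them.

```python
"""Offline TLS 1.2 handshake inspector (added example, not part of the thread).

Walks raw TLS records, reports the CA distinguished names in any CertificateRequest
and decodes any Alert records, which is where a handshake-level client cert
rejection actually surfaces when the application-layer auth log stays empty.
"""
import struct

CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
HS_CERTIFICATE, HS_CERTIFICATE_REQUEST = 11, 13

# RFC 5246 alert descriptions most relevant to client certificate problems.
ALERT_NAMES = {
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    48: "unknown_ca", 49: "access_denied", 51: "decrypt_error",
}

# X.501 attribute OIDs (DER-encoded) that typically appear in a CA name.
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O",
             b"\x55\x04\x0b": "OU", b"\x55\x04\x06": "C"}


def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_name_to_str(name):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to 'CN=x,O=y'."""
    parts = []
    _, rdns, _ = der_tlv(name, 0)           # outer SEQUENCE
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = der_tlv(rdns, pos)  # SET (one RDN; single-valued assumed here)
        _, atv, _ = der_tlv(rdn_set, 0)       # SEQUENCE { type OID, value }
        _, oid, nxt = der_tlv(atv, 0)
        _, value, _ = der_tlv(atv, nxt)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode('utf-8', 'replace')}")
    return ",".join(parts)


def parse_certificate_request(body):
    """Extract certificate_authorities from a CertificateRequest body (RFC 5246 7.4.4)."""
    pos = 1 + body[0]                                   # skip certificate_types vector
    sig_algs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + sig_algs_len                             # skip supported_signature_algorithms
    dn_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end, names = pos + dn_total, []
    while pos < end:                                    # each DN is 2-byte length + DER Name
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        names.append(der_name_to_str(body[pos + 2:pos + 2 + dn_len]))
        pos += 2 + dn_len
    return names


def inspect_tls_stream(data):
    """Walk plaintext TLS records; collect handshake types, accepted CA names and alerts."""
    findings = {"handshake_types": [], "accepted_cas": [], "alerts": []}
    pos = 0
    while pos + 5 <= len(data):
        ctype, _version, rec_len = struct.unpack("!BHH", data[pos:pos + 5])
        payload = data[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
        if ctype == CONTENT_ALERT and len(payload) == 2:
            level, desc = payload
            findings["alerts"].append(("fatal" if level == 2 else "warning",
                                       ALERT_NAMES.get(desc, f"alert_{desc}")))
        elif ctype == CONTENT_HANDSHAKE:
            hpos = 0
            while hpos + 4 <= len(payload):             # one record may carry several messages
                htype = payload[hpos]
                hlen = int.from_bytes(payload[hpos + 1:hpos + 4], "big")
                body = payload[hpos + 4:hpos + 4 + hlen]
                hpos += 4 + hlen
                findings["handshake_types"].append(htype)
                if htype == HS_CERTIFICATE_REQUEST:
                    findings["accepted_cas"].extend(parse_certificate_request(body))
    return findings


# Constructed sample stream (not captured from any real server):
# a CertificateRequest accepting "CN=Example Root CA", then a fatal unknown_ca alert.
_DN = bytes.fromhex("301a311830160603550403130f") + b"Example Root CA"
_CERT_REQ_BODY = bytes.fromhex("010100020401001e001c") + _DN
_HANDSHAKE_MSG = b"\x0d" + len(_CERT_REQ_BODY).to_bytes(3, "big") + _CERT_REQ_BODY
SAMPLE_STREAM = (b"\x16\x03\x03" + len(_HANDSHAKE_MSG).to_bytes(2, "big") + _HANDSHAKE_MSG
                 + bytes.fromhex("15030300020230"))

if __name__ == "__main__":
    result = inspect_tls_stream(SAMPLE_STREAM)
    print("server accepts client certs issued by:", result["accepted_cas"])
    print("alerts seen:", result["alerts"])
```

To use it on a real session, export the server-to-client TCP payload from Wireshark ("Follow TCP Stream", raw, one direction) and feed the bytes to inspect_tls_stream. If the accepted_cas list does not contain the issuer of the card's certificate, the client will usually send an empty Certificate message and the server rejects it; if it does, the alert description (bad_certificate, unknown_ca, certificate_expired, certificate_revoked) narrows the cause to chain building, trust or validity rather than to the LDAP lookup that follows.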
