
AlwaysOn Service - Certificate Selection


Darren Bolton


So I've got the Always-On Service working with the Citrix Gateway Plug-in; the devices have their certificate and all is good until we throw Hybrid Azure AD Join into the mix.

When the Windows 10 device is hybrid joined with Azure AD, the device obtains an additional two certificates from Microsoft. This is where the problem starts, as I don't see how we can configure the Gateway Plug-in so that it selects the correct certificate. It looks from the epadll log like the default selection mechanism, if no preference is set, is the certificate with the longest expiry. This, however, is the MS certificate.

There doesn't appear to be any documentation around how to set a preferred certificate, unless I'm missing something.

Has anyone encountered this yet and have a workaround, or know which registry keys can be configured to set the preference so that our certificate is selected?

 

------------------------------------------------------------------------------------------
				Phase: Pre Authentication EPA
------------------------------------------------------------------------------------------
19:36:25.562 | EVENT   | Initiating EPA SCAN
19:36:25.562 | DEBUG   | vip=gateway.url.com
19:36:25.562 | DEBUG   | ns_enablessl=1 basevport=0xbb01
19:36:25.562 | DEBUG   | Input params: cookie length 65 location https://gateway.url.com/ debug DEBUG vip gateway.url.com version 12.1.51.19
19:36:25.649 | DEBUG   | csec_opts header is not present, first device cert will be selected based on last expiry date 
19:36:25.649 | EVENT   | Device Cert check Present and EPA is Present 
19:36:25.652 | ERROR   | getCurrentConIndex | 1393 | current connection value is incorrect 
19:36:25.652 | DEBUG   | No pref. for certificate exits for this connection
19:36:25.652 | DEBUG   | Didn't find certificate based on pref. or pref. wasn't set
19:36:25.653 | ERROR   | getCertFromStore | 207 | Exited loop with error code -2146885628 which is Success
19:36:25.653 | ERROR   | getCurrentConIndex | 1393 | current connection value is incorrect 
19:36:25.653 | DEBUG   | No pref. for certificate exits for this connection
19:36:25.653 | DEBUG   | creating list of certificate from store 
19:36:25.653 | DEBUG   | Name of the certificate : 1934b88d-c1db-4745-9e51-8a6d0e3349f5
19:36:25.653 | DEBUG   | Name of the certificate : devicecert.mydomain.local
19:36:25.653 | DEBUG   | Name of the certificate : 1934b88d-c1db-4745-9e51-8a6d0e3349f5
19:36:25.653 | DEBUG   | CertCloseStore returned 1
19:36:26.111 | ERROR   | DeviceCert::sendPayload | 148 | Device certifcate scan failed. Server rejected submitted certificate.
19:36:26.111 | EVENT   | Device cert failed. Most probably because of wrong certificate. Removing cached certificate.
19:36:26.111 | ERROR   | getCurrentConIndex | 1393 | current connection value is incorrect 
19:36:26.111 | DEBUG   | current connection doesn't exit in config file. Adding it
19:36:26.111 | DEBUG   | checkDeviceCert returned 2
19:36:26.111 | ERROR   | ns_start_epa | 806 | Device Cert Check failed
19:36:26.111 | DEBUG   | ns_start_epa returning 
19:36:26.111 | DEBUG   | num_mallocPolicyBuffer=0
19:36:26.111 | DEBUG   | releasing buffers
19:36:26.111 | DEBUG   | ns_StopSSL called
19:36:26.111 | DEBUG   | ns_UnloadSecurityLibrary done
19:36:26.111 | EVENT   | EPA has successfully completed
19:36:26.111 | EVENT   | EPA check finished : Error while running EPA scans 

 


Hi Darren,

The next 13.0 release (the current one being 13.0 Build 41.20, so look for a build > 41) will have a registry setting to define the CA list for device cert auth, so the plugin can pick the right one. That should help in this scenario. You can track Issue ID CGOP-11856 in the release notes, and eDocs will also have more documentation around this.

Tentative GA is end of November to first half of December 2019.

 - Sid

 

 


Hey Sid, thanks for the reply.

While not ideal, as it's going to force us to rethink our deployment short-term and to hairpin Office 365 traffic back through the network, at least I know it's coming.

Are there any preview builds available if I were to ask via a support request?

 

 

 

 

32 minutes ago, Arne Van Deun said:

Hello Darren,

Did you receive any information/documentation from Citrix Support on how to set up this reg key (HKLM\SOFTWARE\Citrix\Secure Access Client\UserCertCaList)?

We are using Group Policy preferences to create the UserCertCAList REG_SZ key and set the value using the "Issued by" field from the client certificate. You don't need to worry about quotes if it has spaces in it.

Hope this helps. We've had it working now for some time, so happy to help further if needed.

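The two things the thread establishes, the expiry-based default pick that the epadll log in the opening post describes ("first device cert will be selected based on last expiry date") and the UserCertCAList value Darren sets via Group Policy preferences in the reply above, put together in one PowerShell walk-through. This is an added example, not code from the thread or from Citrix: the registry path and value name are the ones quoted in the thread, 'Contoso Issuing CA' is a constructed issuer name you replace with your own CA's "Issued by" value, and the only behaviour assumed of the value is what Darren's reply states (a single issuer name, no quoting needed for spaces).

```powershell
# Added example, not code from the thread or from Citrix. Assumes a Windows 10 device
# whose device certificates live in the machine Personal store (Cert:\LocalMachine\My),
# which is the store the epadll log above is enumerating. 'Contoso Issuing CA' is a
# constructed issuer name; replace it with your own CA's "Issued by" value.

$RegPath   = 'HKLM:\SOFTWARE\Citrix\Secure Access Client'   # path given in the thread
$ValueName = 'UserCertCAList'                               # REG_SZ, per Darren's post
$OurIssuer = 'Contoso Issuing CA'                           # constructed; your CA's CN

function Get-DeviceCertCandidates {
    # One row per certificate in the machine Personal store, with the fields that matter
    # here: the subject CN the log prints as "Name of the certificate", the issuer CN
    # ("Issued by" in certmgr) and the expiry date the default selection keys on.
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        [pscustomobject]@{
            Subject    = $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
            IssuedBy   = $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
            NotAfter   = $_.NotAfter
            HasKey     = $_.HasPrivateKey
            Thumbprint = $_.Thumbprint
        }
    }
}

function Select-PluginDefault {
    # Reproduces the fallback the epadll log describes when no preference is set:
    # the certificate with the latest NotAfter wins. On a hybrid-joined device that is
    # typically one of the Microsoft-issued certificates rather than the internal one.
    param([Parameter(Mandatory)][object[]]$Certs)
    $Certs | Sort-Object -Property NotAfter -Descending | Select-Object -First 1
}

function Set-UserCertCaList {
    # Pins the plug-in to one issuer by writing the CA name exactly as the certificate's
    # "Issued by" field shows it. Darren's post says spaces in the name need no quoting;
    # the thread only confirms a single-issuer value, so that is all this writes.
    param([Parameter(Mandatory)][string]$IssuedBy)
    if (-not (Test-Path -Path $RegPath)) {
        New-Item -Path $RegPath -Force | Out-Null
    }
    New-ItemProperty -Path $RegPath -Name $ValueName -Value $IssuedBy -PropertyType String -Force | Out-Null
    # Read back what was written so the caller can verify it.
    (Get-ItemProperty -Path $RegPath -Name $ValueName).$ValueName
}

# --- Walk-through (the registry write needs an elevated prompt) ---
$certs = @(Get-DeviceCertCandidates)
if ($certs.Count -eq 0) {
    Write-Warning 'No certificates in Cert:\LocalMachine\My; nothing to select.'
    return
}
$certs | Format-Table Subject, IssuedBy, NotAfter, HasKey -AutoSize

$default = Select-PluginDefault -Certs $certs
"Without a preference the plug-in would pick: $($default.Subject) (issued by $($default.IssuedBy), expires $($default.NotAfter))"

# Our own device cert: issued by our CA and usable for authentication (private key present).
$ours = $certs | Where-Object { $_.IssuedBy -eq $OurIssuer -and $_.HasKey } | Select-Object -First 1
if (-not $ours) {
    Write-Warning "No certificate with a private key from '$OurIssuer' in Cert:\LocalMachine\My; nothing written."
} elseif ($default.Thumbprint -eq $ours.Thumbprint) {
    "Default selection already matches our CA; pinning $ValueName anyway so a longer-lived cert cannot displace it."
    Set-UserCertCaList -IssuedBy $ours.IssuedBy
} else {
    "Default selection would pick the wrong cert; pinning $ValueName to '$($ours.IssuedBy)'."
    Set-UserCertCaList -IssuedBy $ours.IssuedBy
}
```

Run it once without the registry write (comment out the Set-UserCertCaList calls) to see whether the expiry-based default really lands on the Microsoft certificate on your devices; that is the same comparison the epadll log makes, so if the two disagree the store contents are not what you think they are.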

On 5/29/2020 at 3:12 PM, Darren Bolton said:

We are using Group Policy preferences to create the UserCertCAList REG_SZ key and set the value using the "Issued by" field from the client certificate. You don't need to worry about quotes if it has spaces in it.

Hope this helps. We've had it working now for some time, so happy to help further if needed.

Hi Darren,

I have added the registry key on the client machine, but it's still stuck at auto login. When I look at the logindll log file I see the error below.

16:55:38.882 | VERBOSE | Interactive authentication is present. AO-Service mode doesn't support it.
16:55:38.882 | VERBOSE | Authv3 login failure

If I delete the other certs from the local machine Personal store it just works fine. Any help here is really appreciated.

 


Hello Darren,

I have the same problem with the certificate selection too.

I tried the registry key but it does not work on my Win10 machine. I have an NS GW and plugin with version 13.0-61.48.

In the nsepa.dll log file I can see the following debug information:

17:52:00.021 | DEBUG   | No pref. for certificate exits for this connection
17:52:00.021 | DEBUG   | creating list of certificate from store 
17:52:00.021 | DEBUG   | Name of the certificate : machine-01.org.com
17:52:00.021 | DEBUG   | Found 1 valid certificates. We will choose first based on expiry date.

Do you know if there is a relationship between the first line "No pref. for certificate exits for this connection" and the registry key "UserCertCaList"?

Thanks,

 

 


Did you figure out how to solve the issue?

Meanwhile we are trying the recent 13.0 client and setting UserCertCAList, but it doesn't seem to help.

The ADC is still 12.1. Besides the cert issue, the 13.0 client works pretty well with the 12.1 ADC.

Our CA name has a whitespace character in it; I only saw examples without one. Do you know how to set it correctly?

UserCertCAList OUR CA; 

Next test will be:

UserCertCAList : "OUR CA"; 

 

 


I have the same issue, but I receive a different message:

GMT netscaler 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 11331 0 :  SPCBId 3002 - ClientIP 90.164.XXX - ClientPort 49790 - VserverServiceIP 192.168.XXX - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "TLS1-AES-256-CBC-SHA"Session New  - CLIENT_AUTHENTICATION_FAILED - SerialNumber "XXXXXXXXXXXXXXXXXXXX" - Reason "Invalid certificate purpose field"

Any reason for this message? I have configured the purposes Client and Server Authentication in the device certificate.

 

Thanks

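A local check to run before blaming the ADC for a "CLIENT_AUTHENTICATION_FAILED" like the one in the post above: it reports, for every certificate in the machine Personal store, whether the leaf carries the Client Authentication EKU, whether Key Usage includes Digital Signature, whether a private key is present, and whether Windows can build a chain for the Client Authentication application policy (an issuing CA whose own EKU excludes client auth fails that last step even when the leaf looks fine). This is an added example, not from the thread or from Citrix; the page does not explain what the ADC's "Invalid certificate purpose field" reason maps to, so this only covers the usual causes, and revocation checking is switched off to keep it offline.

```powershell
# Added example, not code from the thread or from Citrix. Inspects the certificates in
# Cert:\LocalMachine\My for the properties a TLS client certificate needs. Revocation
# checking is disabled so it runs offline; re-enable it if you want the full picture.

function Test-ClientAuthPurpose {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )

    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $ekuExt = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $kuExt  = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }

    # EKU OIDs present on the leaf; an absent EKU extension yields an empty list.
    $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # Key Usage must allow Digital Signature for the TLS CertificateVerify step.
    $digitalSignature = $false
    if ($kuExt) {
        $flags = [int]$kuExt.KeyUsages
        $dsBit = [int][System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature
        $digitalSignature = (($flags -band $dsBit) -ne 0)
    }

    # Build the chain with Client Authentication as a required application policy, so
    # the check covers every CA in the path, not just the leaf.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new($clientAuthOid)) | Out-Null
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($Cert)
    $chainErrors = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject              = $Cert.GetNameInfo('SimpleName', $false)
        IssuedBy             = $Cert.GetNameInfo('SimpleName', $true)
        EkuOids              = ($ekus -join ' ')
        ClientAuthEku        = ($ekus -contains $clientAuthOid)
        DigitalSignature     = $digitalSignature
        HasPrivateKey        = $Cert.HasPrivateKey
        ChainOkForClientAuth = $chainOk
        ChainErrors          = $chainErrors
    }
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ClientAuthPurpose -Cert $_ } |
    Format-Table Subject, IssuedBy, ClientAuthEku, DigitalSignature, HasPrivateKey, ChainOkForClientAuth, ChainErrors -AutoSize
```

Any row where ClientAuthEku, DigitalSignature or HasPrivateKey is False is not usable for device certificate authentication regardless of what the ADC says; a row where those are True but ChainOkForClientAuth is False points at the issuing CA chain rather than the leaf, and ChainErrors names the status Windows recorded.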