Symantec Access Management

  • Private Community
Back to discussions
Expand all | Collapse all

Tech Tip : CA Single Sign-On : Web Agent :: X509 Certificate Authentication : smgetcreds.scc shows a blank page

  • 1.  Tech Tip : CA Single Sign-On : Web Agent :: X509 Certificate Authentication : smgetcreds.scc shows a blank page

    Broadcom Employee
    Posted May 23, 2018 03:21 AM

    Issue:

     

    We're running Web Agent, when user reaches the X509 Authentication Scheme
    /siteminderagent/smgetcreds.scc, no authentication is done, and the
    browser keeps on a blank page.

    If we reload the page, then we get access to the protected page
    and get authenticated and authorized.

    How can we solve this issue ?

     

    Environment:

     

    Web Agent 12.52SP01CR02 64bit on IIS 8.5 with ARR module on Windows 2012;
    Policy Server 12.52SP01 on RedHat 6;
    Policy Store Odbc Oracle 12c;

    Resolution:

     

    1. You need to remove on the IIS Server OS from the "Trusted Root
    Certification Authorities" all signed certificate and insure the
    list only contents self signed certificates (Root Certificates);

    Follow the command given by this page :

    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
    Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA

    HTTP error 403.16 - client certificate trust issue
    https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa

     

     

    2. You need to set the exact Issuer DN in the certificate as in the
    Certificate mapping :

    Certificate : CN=duspa01lab.ca.com,OU=Support,O=CA,L=Barcelona,ST=Barcelona,C=ES
    Mapping : C=ES, ST=Barcelona, L=Barcelona, O=CA, OU=Support, CN=duspa01lab.ca.com

    from the Mapping, remove the spaces to get this :

    Mapping : C=ES,ST=Barcelona,L=Barcelona,O=CA,OU=Support,CN=duspa01lab.ca.com

     

     

    3. In IIS configuration, set

    Default Web Site
    Anonymous Authentication Enabled
    Require SSL
    Ignore

    Default Web Site
    siteminderagent
    cert
    Anonymous Authentication Disabled
    Require SSL
    Require

    If "Default Web Site" is configured with "Anonymous Authentication
    Disabled" too, the browser will show blank after some seconds.

    Setting "Default Web Site" configured with "Anonymous
    Authentication Enabled", then when you reach the IIS default page,
    you get the popup to select the certificate, and once done, I get
    the IIS start page.

    c:\> start /B iexplore https://duspa01-p2983.ca.com/iisstart.htm

    It is expected to see this line in the Web Agent traces :

    "User 'unknown' is authenticated by Policy Server.

    This means that the identity has been found from the certificate and
    passed successfully to the Policy Server.

     

     

    KB : KB000097679