Patrick-Dussault

Tech Tip : CA Single Sign-On : Web Agent :: X509 Certificate Authentication : smgetcreds.scc shows a blank page

Discussion created by Patrick-Dussault Employee on May 23, 2018

Issue:

We're running the Web Agent. When a user reaches the X509 Authentication
Scheme URL /siteminderagent/smgetcreds.scc, no authentication is done and
the browser stays on a blank page.

If we reload the page, we get access to the protected page
and are authenticated and authorized.

How can we solve this issue?

Environment:

Web Agent 12.52SP01CR02 64-bit on IIS 8.5 with the ARR module on Windows 2012;
Policy Server 12.52SP01 on RedHat 6;
Policy Store: ODBC, Oracle 12c;

Resolution:

1. On the IIS server OS, remove from the "Trusted Root Certification
Authorities" store every certificate that is not self-signed, and ensure
that the store contains only self-signed certificates (root certificates);

Use the commands given on the page linked below. The first command lists
the certificates in the store whose Issuer differs from their Subject; the
second moves them to the Cert:\LocalMachine\CA store:

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA

HTTP error 403.16 - client certificate trust issue
https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue

2. Set the Issuer DN in the Certificate Mapping so that it matches the
Issuer DN of the certificate exactly:

Certificate : CN=duspa01lab.ca.com,OU=Support,O=CA,L=Barcelona,ST=Barcelona,C=ES
Mapping : C=ES, ST=Barcelona, L=Barcelona, O=CA, OU=Support, CN=duspa01lab.ca.com

Remove the spaces from the Mapping to get this:

Mapping : C=ES,ST=Barcelona,L=Barcelona,O=CA,OU=Support,CN=duspa01lab.ca.com
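
Added example (not from the original tech tip or from CA): a PowerShell check for step 2 that strips the whitespace around the RDN separators of a mapping string and reports whether its RDNs are in the same or the reverse order of the certificate's Issuer DN. The function names are hypothetical, the inputs are the sample DNs above, and it assumes DNs without double-quoted values.

```powershell
# Added example. Function names are hypothetical; they are not part of
# CA Single Sign-On or IIS. Inputs are the sample DNs from step 2.

function Split-Dn {
    param([Parameter(Mandatory)][string]$Dn)
    # Split on commas that are not backslash-escaped, then trim the
    # whitespace around each RDN. Spaces inside a value are kept.
    # Assumption: no double-quoted values containing commas.
    foreach ($rdn in ($Dn -split '(?<!\\),')) {
        $type, $value = $rdn -split '=', 2
        if ([string]::IsNullOrWhiteSpace($type) -or $null -eq $value) {
            throw "Malformed RDN: '$rdn'"
        }
        '{0}={1}' -f $type.Trim(), $value.Trim()
    }
}

function Compare-IssuerDn {
    param(
        [Parameter(Mandatory)][string]$CertificateIssuer,
        [Parameter(Mandatory)][string]$MappingIssuer
    )
    $cert     = @(Split-Dn $CertificateIssuer)
    $map      = @(Split-Dn $MappingIssuer)
    $reversed = $cert.Clone()
    [array]::Reverse($reversed)
    # Mapping string re-joined with a bare comma between RDNs.
    $compact  = $map -join ','

    [pscustomobject]@{
        NeedsSpaceRemoval = $MappingIssuer -cne $compact
        SameRdnOrder      = $compact -ceq ($cert -join ',')
        ReversedRdnOrder  = $compact -ceq ($reversed -join ',')
        CompactMapping    = $compact
    }
}

$certIssuer = 'CN=duspa01lab.ca.com,OU=Support,O=CA,L=Barcelona,ST=Barcelona,C=ES'
$mapping    = 'C=ES, ST=Barcelona, L=Barcelona, O=CA, OU=Support, CN=duspa01lab.ca.com'
Compare-IssuerDn -CertificateIssuer $certIssuer -MappingIssuer $mapping | Format-List
```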

 

 

3. In the IIS configuration, set:

Default Web Site
    Anonymous Authentication: Enabled
    SSL Settings: Require SSL, client certificates: Ignore

Default Web Site / siteminderagent / cert
    Anonymous Authentication: Disabled
    SSL Settings: Require SSL, client certificates: Require

If "Default Web Site" is also configured with "Anonymous Authentication
Disabled", the browser shows a blank page after some seconds.

With "Default Web Site" configured with "Anonymous Authentication
Enabled", when you reach the IIS default page you get the popup to
select the certificate and, once that is done, I get the IIS start page.

c:\> start /B iexplore https://duspa01-p2983.ca.com/iisstart.htm

The following line is expected in the Web Agent traces:

"User 'unknown' is authenticated by Policy Server."

This means that the identity has been found from the certificate and
passed successfully to the Policy Server.

KB : KB000097679
