Overview
This document describes the configuration steps that restrict GlobalProtect access to certified devices only.
Details
This will prevent GlobalProtect users from using unknown devices. The following is a list of requirements that will ensure that the appropriate Windows, Mac OS X, iOS, and Android devices can establish a VPN with GlobalProtect:
The certificate chain is valid on the client computer. To determine whether the certificate is valid, follow these steps:
- On the domain controller, use the Certificates snap-in to export the SSL certificate to a file that is named Serverssl.cer.
- Copy the Serverssl.cer file to the client computer.
- On the client computer, open a Command Prompt.

Regarding 2): AF Portal can be accessed by CAC, only if your CAC has been registered with Portal ahead of time. Although I could get to Portal with a username/password, Gunter Annex could not help register my CAC from within Portal. I will go back to work, register the card again, and see if it works from home.
- The Palo Alto Networks firewall's SSL certificate must have a fully qualified domain name that resolves to the IP address of the GlobalProtect Portal and Gateway to satisfy Apple iOS requirements. (The user can specify an IP address in the Common Name field if iOS is not included in the list of supported devices.)
- This certificate will be used to sign a machine certificate.
- The portal will not distribute this certificate.
- The GlobalProtect Portal and Gateway will use the firewall's SSL certificate, which then requires a device to present the issued machine certificate for verification. The machine certificate certifies the device. A user must still properly authenticate in order to establish the tunnel.
Go to Device > Certificate Management > Certificates
In order for your machine to recognize your CAC certificates and DoD websites as trusted, run the InstallRoot utility (32-bit, 64-bit or Non Administrator) to install the DoD CA certificates on Microsoft operating systems. If you're running an alternate operating system such as Mac OS or Linux, you can import certificates from the PKCS 7 bundle.
This is the firewall's primary SSL certificate. When this certificate was created, the fully qualified domain name was entered in the Common Name field and the Certificate Authority box was checked. An FQDN must be presented by the firewall when an iOS device connects to it. The certificate shown below has been selected for other functions, but for this topic, it is going to be used to sign the machine certificate.
Create Machine Certificate
Go to Device > Certificate Management > Certificates and click Generate to create a new certificate. This is the machine certificate that will be provided to all devices that may use it for GlobalProtect. Notice that this certificate is signed by the previously illustrated CA certificate. Any title or information can be entered in the Certificate Name and Common Name fields.
Below is an example of what the Certificate Information looks like when viewed after the certificate has been created:
Export Machine Certificate
Select the PKCS12 file format and enter a password to encrypt the exported key. This certificate needs to be installed on a device before the device first attempts a GlobalProtect connection:
Create Certificate Profile
The firewall's SSL certificate needs to be added to a Certificate Profile so that the profile can be specified in the GlobalProtect Gateway:
Go to Device > GlobalProtect > Gateway and specify certificates for the Gateway.
The firewall's SSL certificate is selected for the Server Certificate field, as shown below:
Go to Device > GlobalProtect > Portal > Portal Configuration
The Client Certificate field is used to distribute the machine certificate to a GlobalProtect platform, which means that any user who authenticates successfully from any device would receive this certificate. Leave this blank to prevent this from happening.
The Certificate Profile field is used to specify the CA certificate that signs the certificate that the device must present when a user goes to the GlobalProtect client software download page on the firewall. The GlobalProtect agent will also present a machine certificate when it connects to the Portal to retrieve updates. The user may want to use the certificate profile created earlier once this setup is working.
Go to Device > GlobalProtect > Portal > Client Configuration
In the Portal dialogue window, select Client Configuration and then open a configuration profile that is listed there. The following dialogue window is displayed. The Client Certificate field specifies the certificate that the GlobalProtect agent must present to the Gateway to certify the connecting device. This certificate needs to be signed by the Server Certificate that the Gateway is using. This is the same certificate that was exported in the PKCS12 format in the Export Machine Certificate section above.
Once these settings have been committed, a user that authenticates successfully may only do so from a device that has the required machine certificate.
owner: jjosephs
This article helps you resolve the problem where an unexpected runtime error may be thrown when you open an Internet Information Services (IIS) webpage.
Original product version: Internet Information Services
Original KB number: 186812
Note
The target audience for this article is website administrators or web developers. If you are an end-user who has encountered this error, we recommend that you ask the site administrator for instructions on how to obtain the correct client certificate.
Symptoms
You have a website that is hosted on IIS. When you go to the website in a web browser, you may receive an error message that resembles the following one:
HTTP Error 403
403.7 Forbidden: Client certificate required
Cause
This error occurs when the website requests a client certificate, and then the client either doesn't provide one or the certificate supplied by the client browser is rejected. Client certificates are a kind of Secure Sockets Layer (SSL) certificate typically used to identify a user or computer to a website.
The following are several possible causes of this problem:
- The root certificate (certification authority certificate) of the client certificate isn't installed on the computer that is running IIS.
- The client certificate has expired, or the effective time hasn't been reached.
- The client certificate was revoked.
- No valid client certificate is available, or a potentially valid client certificate doesn't have an associated private key installed.
Resolution
Depending on the cause of your problem, try one of the following resolutions:
- If you don't have a client certificate for the site, and you need one, contact the site administrator for instructions.
- Check the expiration date and time of the certificate. If your certificate has expired, contact the site administrator for instructions.
Note
Client certificate authentication may be enabled where it is not required. If you intended only to require Transport Layer Security (TLS)/SSL communications, then you need only a server certificate. You can disable client certificate authentication by using the resolution in the article "'HTTP Error 403.7 - Forbidden' error when you run a Web application that is hosted on a server that is running IIS 7.0".
Check whether the server running IIS considers the certificate valid
- Export the certificate to a .CER file.
- Copy the .CER file to the server that is running IIS.
- Open the .CER file on the server that is running IIS.
- Look at the Certification Path tab. If all certificates in the chain are displayed without a red cross, then the certificate chain is trusted by the computer. If the root certification authority has a red cross against it, continue to the next set of steps.
Install the root certification authority certificate manually
To resolve this issue, install the root certification authority certificate manually. Follow these steps:
- Select Start, select Run, type mmc, and then select OK.
- On the File menu, select Add/Remove Snap-in.
- In the Add or Remove Snap-ins dialog box, select Certificates under Available Snap-ins, and then select Add.
- In the Certificates snap-in, select Computer account, select Finish twice, and then select OK.
- Under Console Root, expand Certificates (Local Computer).
- Expand Trusted Root Certification Authorities, and then right-click Certificates.
- Select All Tasks, and then select Import...
- Select Next, and then navigate to the location where the Root CA certificate file is stored.
- After the certificate has been selected, select Next two times, and then select Finish.
Note
Intermediate CA certificates should be installed in the Intermediate Certification Authorities store rather than in the Trusted Roots store. Any certification authority certificate whose Issued by and Issued to values are not the same (and therefore the certificate is not at the top of the hierarchy) is known as an Intermediate CA.