Client-side certificate authentication not working on Windows 10 with IE and Edge

SSL client-side windows 10


#1 Chris
  • Members
  • 4 posts

Posted 05 March 2016 - 01:34 PM

Hello,

I am configuring my users to access the VPN with two-factor authentication: password + SSL certificate.

I have no problems with IE on Windows 7 but on Windows 10 only Firefox is working properly.

Edge and IE11 are not prompting for a certificate, and after submitting my login credentials I end up with the message: "You do not have a client certificate installed. Click here to select an alternative authentication scheme."

I already tried on two computers: a desktop with Windows 7 upgraded to Windows 10 and a laptop with factory pre-installed Windows 10, with identical results. Both computers are up to date with Windows patches. I am able to log in with Firefox, but IE and Edge somehow do not submit their client certificate.

My Barracuda SSL VPN, model 380, is also up to date, with firmware version 2.6.2.1.

In NAC I am not blocking any OS or browser version: everything is set to "Allow".

Please help.

Thank you,

Chris

#2 Gavin Chappell
  • Moderators
  • 441 posts

Posted 07 March 2016 - 03:15 AM

Hi Chris, which certificate type are you using? If you're using internal certificates (where the CA is stored on your SSL VPN and certificates are generated from it) and you only started using this feature in 2.6.2.1, then you may be affected by a bug we've found in 2.6.2.1 and fixed in 2.6.2.2 (currently at 25% EA; if you don't have access to this firmware, then I can arrange that for you).



#3 Chris
  • Members
  • 4 posts

Posted 07 March 2016 - 04:30 PM

Gavin,

For the server I am using a trusted 2048-bit certificate signed by GoDaddy. Clients are getting PKCS#12 certificates.

I cannot say if IE and Edge on Windows 10 worked before the firmware upgrade, because I never tried to configure such a client in the past - I had only Mac, XP and Win 7 clients, and they continue to work fine.

I can try new firmware. Can you send me a link to download it or should I contact Barracuda tech support?

Thanks,

Chris

#4 Gavin Chappell
  • Moderators
  • 441 posts

Posted 09 March 2016 - 04:41 AM

This isn't related to your SSL server certificate (which is probably the one you're referring to when you say you have one signed by GoDaddy), but a separate Certificate Authority certificate that may have been created on your SSL VPN.

If you go into Access Control->Security Settings, is the "Certificate Type" setting set to "Internal"?



#5 Chris
  • Members
  • 4 posts

Posted 09 March 2016 - 03:40 PM

It is set to Internal.



#6 Gavin Chappell
  • Moderators
  • 441 posts

Posted 09 March 2016 - 04:09 PM

Then you may be affected by the bug which was fixed in 2.6.2.2. You may be able to see this firmware already, as the EA rollout is now up to 50%, but if not, then private message me your serial number and I'll arrange for your appliance to have access to it.

Unfortunately, once the firmware is installed, you'll need to delete the current certificate authority and create a new one after the upgrade, before re-creating any user certificates - this is necessary to make sure everything is in a current format, and the correct signatures are in place on the user certificates, such that they can be validated by the new CA certificate and its new private key.



#7 Chris
  • Members
  • 4 posts

Posted 09 March 2016 - 05:06 PM

Gavin,

With Barracuda's tech support I applied the 2.6.2.2.751 firmware and it still does not work, BUT I did not recreate the CA, as it may affect my current users. Sounds like I will have to re-generate all certificates and force my users to re-apply them. Correct?



#8 Gavin Chappell
  • Moderators
  • 441 posts

Posted 10 March 2016 - 02:49 AM

Hey Chris,

Sounds like someone may have attached you to the wrong build - you should be on 2.6.2.2; the 751 refers to the internal build number, which shouldn't be visible on a customer appliance. Let me check into this for you; we may need to do a little bit of work to get you back onto the customer track rather than an internal track.

Meanwhile, yes, you will need to regenerate all the certificates, including the CA itself and every user certificate - the bug was in the CA certificate, which is the "common ancestor" of every other certificate, so once the CA is changed it will immediately invalidate all certificates that were signed by the original CA, because they cannot be verified against the new CA.
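The chain-of-trust point made in the last post, as an added illustration that is not code from this thread or from Barracuda: using only Go's standard `crypto/x509`, it builds a constructed "internal" CA, issues a client-authentication certificate from it, then re-creates a CA with the same name but a new key and shows that the old user certificate verifies against the original CA but not against the re-created one. The CA and user names are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl (holding key's public half) with signer; tmpl == parent gives a self-signed root. Demo data only, so errors are ignored.
func issue(tmpl, parent *x509.Certificate, key, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// NewRootCA models the CA an SSL VPN creates when "Certificate Type" is Internal (constructed here).
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	return issue(tmpl, tmpl, key, key), key
}

// NewUserCert issues a client-authentication certificate for user, signed by ca, plus the key that would go into the user's PKCS#12 file.
func NewUserCert(user string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: user},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, key, caKey), key
}

// ValidatesAgainst reports whether user chains to ca for TLS client authentication.
func ValidatesAgainst(user, ca *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := user.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Demo reproduces the thread: the re-created CA keeps the original's name but has a new key, so the old user certificate no longer verifies.
func Demo() (oldOK, newOK bool) {
	oldRoot, oldKey := NewRootCA("SSL VPN Internal CA")
	newRoot, _ := NewRootCA("SSL VPN Internal CA")
	user, _ := NewUserCert("chris", oldRoot, oldKey)
	return ValidatesAgainst(user, oldRoot), ValidatesAgainst(user, newRoot)
}
```

The same `Verify` check, run against an exported copy of the new CA certificate, is a quick way to confirm that each regenerated user certificate will be accepted before it is handed out.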