NetXMS Support Forum

English Support => General Support => Topic started by: mashedpotatorocket on March 30, 2023, 09:33:19 AM

Title: Access Denied using Microsoft AD certificate auth
Post by: mashedpotatorocket on March 30, 2023, 09:33:19 AM
We recently tried enabling user certificate login with a simple openssl-generated self-signed CA, it worked like a charm. But when changing the TrustedCertificate to our Microsoft Windows Server Issuing CA and using Group Policy-enrolled user certificates we only get Access Denied.

I notice two odd things in netxmsd.log with debuglevel 3:
1. The full Subject is not displayed
2. There's no log entry saying "validation failed"

In more detail, the Subject of my openssl cert is:
C=SE,ST=X,L=City,O=Company,OU=OrgUnit,CN=My Name
When trying to logon with the TrustedCertificate set to Microsoft CA, this is what is logged:
2023.03.29 18:06:41.788 *D* [crypto.cert        ] Validating certificate "C=SE,ST=X,L=City,O=Company,OU=OrgUnit,CN=My Name" for user user1
2023.03.29 18:06:41.788 *D* [crypto.cert        ] Certificate "C=SE,ST=X,L=City,O=Company,OU=OrgUnit,CN=My Name" for user user1 - validation failed

which seems alright.

The subject of my Microsoft cert is:
DC=se,DC=companyname,DC=companydomain,OU=OrgUnit1,OU=OrgUnit2,CN=My Name,[email protected]
This is the only thing that gets logged:
2023.03.29 18:04:10.242 *D* [crypto.cert        ] Validating certificate "OU=OrgUnit1,CN=My Name" for user user1
No log entry saying "validation failed", and the subject string is both cropped and showing the OU part in the wrong place.

This makes me think that there's something failing when parsing the subject string from the Microsoft certificate. There's no funny characters in the subject.

I have tried lots of variants on certificate mapping methods, no difference.
Is there any way to get this working?

Best regards.
Title: Re: Access Denied using Microsoft AD certificate auth
Post by: Filipp Sudanov on April 12, 2023, 12:55:11 PM
The issue is with how the subject is parsed when we try to match the user which corresponds to the certificate. Code was written with openssl certs in mind, but for Microsoft certs subject is composed differently (has DC= several times, etc).
The certificate itself is validated ok, that's why there's no "validation failed" in the log, but server cannot match certificate with a user, thus Access Denied.

Will fix
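An added illustration of the parsing problem described in the reply above. This is example code written for this page, not NetXMS's own implementation and not a description of the actual fix. It parses the two subjects from the first post into an ordered RDN list, shows how a one-value-per-attribute-type lookup silently drops the repeated `DC=` and `OU=` entries that AD-issued certificates carry, and maps the result to a user by full subject, by CN or by e-mail. The e-mail attribute type (`emailAddress`) and the address itself are assumptions, since the post redacts them; the user table is constructed sample data.

```python
"""Subject-DN parsing that survives repeated RDNs (DC=, OU=).

Added example, not NetXMS code. It shows why a parser that expects one
value per attribute type mishandles AD-issued subjects, and how an
ordered RDN list keeps them intact for user mapping.
"""
from typing import Dict, List, Optional, Tuple

# Subjects from the forum post (constructed sample data). The e-mail
# attribute type and address are assumptions: the post redacts them.
OPENSSL_SUBJECT = "C=SE,ST=X,L=City,O=Company,OU=OrgUnit,CN=My Name"
MS_SUBJECT = ("DC=se,DC=companyname,DC=companydomain,OU=OrgUnit1,"
              "OU=OrgUnit2,CN=My Name,emailAddress=user1@example.com")

Rdn = Tuple[str, str]


def _split_rdn(rdn: str) -> Rdn:
    """'OU=OrgUnit1' -> ('OU', 'OrgUnit1'); attribute types are upper-cased."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError(f"malformed RDN: {rdn!r}")
    return attr.strip().upper(), value.strip()


def parse_dn(subject: str) -> List[Rdn]:
    """Split an RFC 4514-style string into an ordered list of (type, value).

    Backslash escapes are honoured, so 'O=Acme\\, Inc' stays one RDN.
    Multi-valued RDNs joined with '+' are left as a single value.
    """
    rdns: List[Rdn] = []
    buf: List[str] = []
    i = 0
    while i < len(subject):
        ch = subject[i]
        if ch == "\\" and i + 1 < len(subject):
            buf.append(subject[i + 1])      # escaped char taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def parse_dn_by_type(subject: str) -> Dict[str, str]:
    """Illustrative lossy variant: one value per attribute type.

    This is NOT NetXMS's implementation; it only shows the shape of
    the problem. Repeated DC= and OU= entries collapse to one each.
    """
    return dict(parse_dn(subject))


def values(rdns: List[Rdn], attr: str) -> List[str]:
    """All values of one attribute type, in subject order."""
    attr = attr.upper()
    return [v for t, v in rdns if t == attr]


def canonical(rdns: List[Rdn]) -> str:
    """Normalised string form used for whole-subject comparison."""
    return ",".join(f"{t}={v}" for t, v in rdns)


# Constructed user table: login -> mapping data an admin might configure.
USERS: Dict[str, Dict[str, str]] = {
    "user1": {"cn": "My Name",
              "email": "user1@example.com",
              "subject": MS_SUBJECT},
}


def match_user(subject: str, users: Dict[str, Dict[str, str]],
               method: str) -> Optional[str]:
    """Map an already CA-validated certificate subject to a login.

    method is one of 'subject', 'cn', 'email'. Trust in the issuing CA
    is a separate check and is not done here.
    """
    rdns = parse_dn(subject)
    for login, u in users.items():
        if method == "subject" and canonical(rdns) == canonical(parse_dn(u["subject"])):
            return login
        if method == "cn" and u["cn"] in values(rdns, "CN"):
            return login
        if method == "email" and u["email"].lower() in (
                v.lower() for v in values(rdns, "EMAILADDRESS")):
            return login
    return None


if __name__ == "__main__":
    print("ordered :", parse_dn(MS_SUBJECT))
    print("by type :", parse_dn_by_type(MS_SUBJECT))
    for m in ("subject", "cn", "email"):
        print(f"{m:8}:", match_user(MS_SUBJECT, USERS, m),
              match_user(OPENSSL_SUBJECT, USERS, m))
```

Note that the CN-based mapping matches both subjects here, because both carry `CN=My Name`; that is exactly why the issuing-CA check (the TrustedCertificate setting) has to succeed before any subject mapping is consulted, as the reply above points out. When debugging a mapping failure, compare the subject string the server logs against the full ordered RDN list rather than against a per-attribute view.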
Title: Re: Access Denied using Microsoft AD certificate auth
Post by: Victor Kirhenshtein on April 12, 2023, 02:57:56 PM
I just fixed certificate subject parsing, fix will be included into next release.

Best regards,
Victor