Access Denied using Microsoft AD certificate auth

Started by mashedpotatorocket, March 30, 2023, 09:33:19 AM


mashedpotatorocket

We recently tried enabling user certificate login with a simple openssl-generated self-signed CA, it worked like a charm. But when changing the TrustedCertificate to our Microsoft Windows Server Issuing CA and using Group Policy-enrolled user certificates we only get Access Denied.

I notice two odd things in netxmsd.log with debuglevel 3:
1. The full Subject is not displayed
2. There's no log entry saying "validation failed"

In more detail, the Subject of my openssl cert is:
C=SE,ST=X,L=City,O=Company,OU=OrgUnit,CN=My Name
When trying to log on with the TrustedCertificate set to Microsoft CA, this is what is logged:
2023.03.29 18:06:41.788 *D* [crypto.cert        ] Validating certificate "C=SE,ST=X,L=City,O=Company,OU=OrgUnit,CN=My Name" for user user1
2023.03.29 18:06:41.788 *D* [crypto.cert        ] Certificate "C=SE,ST=X,L=City,O=Company,OU=OrgUnit,CN=My Name" for user user1 - validation failed

which seems alright.

The subject of my Microsoft cert is:
DC=se,DC=companyname,DC=companydomain,OU=OrgUnit1,OU=OrgUnit2,CN=My Name,[email protected]
This is the only thing that gets logged:
2023.03.29 18:04:10.242 *D* [crypto.cert        ] Validating certificate "OU=OrgUnit1,CN=My Name" for user user1
No log entry saying "validation failed", and the subject string is both cropped and showing the OU part in the wrong place.

This makes me think that there's something failing when parsing the subject string from the Microsoft certificate. There are no funny characters in the subject.

I have tried lots of variants on certificate mapping methods, no difference.
Is there any way to get this working?

Best regards.

Filipp Sudanov

The issue is with how the subject is parsed when we try to match the user which corresponds to the certificate. Code was written with openssl certs in mind, but for Microsoft certs the subject is composed differently (has DC= several times, etc.).
The certificate itself is validated OK, that's why there's no "validation failed" in the log, but the server cannot match the certificate with a user, thus Access Denied.

Will fix
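The parsing problem described above, as an added example that is not NetXMS code: an order-preserving RDN parser beside a one-value-per-type parse that collapses the repeated DC= and OU= entries of a Microsoft-issued subject, so the user lookup never sees the full DN. The two subject strings are the ones quoted in the thread; the e-mail RDN value and the `match_user` helper are constructed assumptions.

```python
"""Subject-DN parsing: why a Microsoft-issued subject can fail to map to a user."""
import re
from typing import Dict, List, Tuple

# Subject strings quoted in the thread; the E= value is a constructed placeholder.
OPENSSL_SUBJECT = "C=SE,ST=X,L=City,O=Company,OU=OrgUnit,CN=My Name"
MS_SUBJECT = ("DC=se,DC=companyname,DC=companydomain,"
              "OU=OrgUnit1,OU=OrgUnit2,CN=My Name,E=user@example.invalid")

_RDN = re.compile(r'(?:\\.|[^,])+')  # RDNs are separated by unescaped commas


def parse_rdns(subject: str) -> List[Tuple[str, str]]:
    """Order-preserving parse into (type, value) pairs; repeated types are kept."""
    pairs = []
    for rdn in _RDN.findall(subject):
        attr_type, _, value = rdn.partition('=')
        pairs.append((attr_type.strip().upper(), value.replace('\\,', ',').strip()))
    return pairs


def naive_parse(subject: str) -> Dict[str, str]:
    """The openssl-only assumption: one value per attribute type.
    Repeated DC=/OU= entries overwrite each other, so part of the DN is lost."""
    return {t: v for t, v in parse_rdns(subject)}


def rebuild(pairs: List[Tuple[str, str]]) -> str:
    """Serialise pairs back to a DN string, re-escaping commas in values."""
    return ','.join(t + '=' + v.replace(',', '\\,') for t, v in pairs)


def match_user(subject: str, mapping_value: str, method: str = "CN") -> bool:
    """Hypothetical user mapping: 'SUBJECT' compares the whole ordered DN,
    any other method matches one attribute type against mapping_value."""
    pairs = parse_rdns(subject)
    if method == "SUBJECT":
        return rebuild(pairs) == rebuild(parse_rdns(mapping_value))
    return any(t == method and v == mapping_value for t, v in pairs)


if __name__ == "__main__":
    print("ordered :", rebuild(parse_rdns(MS_SUBJECT)))
    print("naive   :", rebuild(list(naive_parse(MS_SUBJECT).items())))
```

Running the block prints the full seven-RDN subject next to the four-RDN remnant the naive parse keeps, which is the kind of truncation the thread's log line shows.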

Victor Kirhenshtein

I just fixed certificate subject parsing, fix will be included into next release.

Best regards,
Victor