Federated Authentication Service (FAS) | Unable To Launch App “Invalid User Name Or Wrong Password”

System logs:

Event ID 8

The domain controller rejected the client certificate of user U1@abc.com, used for smart card logon. The following error was returned from the certificate validation process: A certificate chain processed correctly, but one of the CA certificate is not trusted by the policy provider.

Error: “Invalid Certificate” When Installing SSL Certificate on ADC Appliance

Hidden Control Characters in Certificate/Key File

You can use the OpenSSL implementation included in the BSD Unix distribution on the ADC to import and export the certificate and key files. The exported files are free of the control characters that prevent successful installation of the certificate and key files:

  1. Use a secure copy program (WinSCP) to copy the certificate and key files to the /nsconfig/ssl directory of the ADC appliance.

    The certificate and key files can also be uploaded to the ADC using the Configuration Utility. Navigate to Traffic Management > SSL > Manage Certificates / Keys / CSRs > Upload.

  2. Open a Secure Shell (SSH) session to the appliance, and after authentication, run the shell command to switch to shell.

  3. Navigate to /nsconfig/ssl directory:

    cd /nsconfig/ssl

  4. Use OpenSSL to import and export the certificate file. The following example is for PEM or Base64 certificates:

    openssl x509 -in <certificateFileName> -out <newCertificateFileName>

  5. Use OpenSSL to import and export the key file. The following example is for PEM or Base64 key files:

    openssl rsa -in <keyFileName> -out <newKeyFileName>

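You can now import the certificate on the ADC appliance using the newly exported files. Note that openssl rsa writes the new key file without passphrase protection unless a cipher option is given, so keep the file's permissions restricted.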

SSL Certificate not Encoded in Base-64 Format

Open the certificate on a Windows computer and convert it to Base-64 encoded X.509 (.CER) and then install the certificate on the appliance:

  1. Go to Start > Run and type mmc on a Windows machine.

  2. Double-click and open the certificate file that you want to convert.

  3. Click Details.

  4. Click Copy to File.

  5. Select the Base-64 encoded X.509 (.CER) option.

  6. Click Next.

  7. Browse to the location you want to save the converted certificate. Name the file with a .cer extension.

  8. Click Next.

Install the converted certificate on the NetScaler appliance.

PKCS #7 Certificate Incorrectly Converted to PEM Format

This error occurs when the PKCS #7 (.p7b) certificate is incorrectly converted to PEM format. Refer to CTX124783 – How to Convert a PKCS #7 Certificate to PEM Format for the correct procedure.

Unable to load host key “/nsconfig/ssh/ssh_host_dsa_key”: invalid format

Regenerate a new SSH DSA key

======================

Delete or back up the existing corrupted DSA private and public keys located in /nsconfig/ssh/:

> rm /nsconfig/ssh/ssh_host_dsa_key

> rm /nsconfig/ssh/ssh_host_dsa_key.pub

Generate a new DSA private and public key:

> ssh-keygen -t dsa

When prompted, give the same location and name as the previous key: /nsconfig/ssh/ssh_host_dsa_key

Reboot, or reload the configuration file with the command:

> /usr/sbin/sshd -f /etc/sshd_config


Another solution is to disable the DSA SSH key, as it is not really required when the RSA key is present.

=================

Edit the file /etc/sshd_config and comment out (#) the DSA key line:

root@adc# cat /etc/sshd_config

Port 22

#ListenAddress 0.0.0.0

#ListenAddress ::

Protocol 2

HostKey /nsconfig/ssh/ssh_host_rsa_key

#HostKey /nsconfig/ssh/ssh_host_dsa_key

Save the file.

Copy sshd_config to /nsconfig/:

> cp /etc/sshd_config /nsconfig/

Reload sshd with the command:

> /usr/sbin/sshd -f /nsconfig/sshd_config

Error: “Invalid Certificate” When Installing SSL Certificate on NetScaler Appliance

Hidden Control Characters in Certificate/Key File

You can use the OpenSSL implementation included in the BSD Unix distribution on the NetScaler to import and export the certificate and key files. The exported files are free of the control characters that prevent successful installation of the certificate and key files:

  1. Use a secure copy program (WinSCP) to copy the certificate and key files to the /nsconfig/ssl directory of the NetScaler appliance.

    The certificate and key files can also be uploaded to the NetScaler using the Configuration Utility. Navigate to Traffic Management > SSL > Manage Certificates / Keys / CSRs > Upload.

  2. Open a Secure Shell (SSH) session to the appliance, and after authentication, run the shell command to switch to shell.

  3. Navigate to /nsconfig/ssl directory:

    cd /nsconfig/ssl

  4. Use OpenSSL to import and export the certificate file. The following example is for PEM or Base64 certificates:

    openssl x509 -in <certificateFileName> -out <newCertificateFileName>

  5. Use OpenSSL to import and export the key file. The following example is for PEM or Base64 key files:

    openssl rsa -in <keyFileName> -out <newKeyFileName>

You can now import the certificate on the NetScaler appliance using the newly exported files.

SSL Certificate not Encoded in Base-64 Format

Open the certificate on a Windows computer and convert it to Base-64 encoded X.509 (.CER) and then install the certificate on the appliance:

  1. Go to Start > Run and type mmc on a Windows machine.

  2. Double-click and open the certificate file that you want to convert.

  3. Click Details.

  4. Click Copy to File.

  5. Select the Base-64 encoded X.509 (.CER) option.

  6. Click Next.

  7. Browse to the location you want to save the converted certificate. Name the file with a .cer extension.

  8. Click Next.

Install the converted certificate on the NetScaler appliance.

PKCS #7 Certificate Incorrectly Converted to PEM Format

This error occurs when the PKCS #7 (.p7b) certificate is incorrectly converted to PEM format. Refer to CTX124783 – How to Convert a PKCS #7 Certificate to PEM Format for the correct procedure.
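
The three causes described in this article (and in the ADC version of the same article earlier on the page) can be told apart before the file is uploaded. The shell functions below are an added example, not Citrix code: the names classify_cert_file and control_char_lines are hypothetical, the sample file is constructed, and any byte other than printable ASCII or a line feed is treated as a control character.

```shell
#!/bin/sh
# Added example (not Citrix code): classify a certificate/key file before upload.
# Prints: pem-ok | pem-control-chars | pkcs7 | der | unknown | unreadable

classify_cert_file() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 0; }
    # First two bytes in hex. DER starts with an ASN.1 SEQUENCE tag (0x30)
    # followed by a length byte 0x80-0x84, which is never printable text.
    magic=$(LC_ALL=C od -An -tx1 -N2 "$f" | tr -d ' \n')
    if LC_ALL=C grep -q -e '-----BEGIN PKCS7-----' "$f"; then
        echo "pkcs7"                   # PEM-labelled PKCS #7: see CTX124783
    elif LC_ALL=C grep -q -e '-----BEGIN ' "$f"; then
        # Count bytes that are neither printable ASCII nor LF (CR, tab, BOM, ...)
        bad=$(LC_ALL=C tr -d '\n\040-\176' < "$f" | wc -c | tr -d ' ')
        if [ "$bad" -gt 0 ]; then echo "pem-control-chars"; else echo "pem-ok"; fi
    else
        case $magic in
            308[0-4]) echo "der" ;;    # binary DER: convert to Base-64 first
            *)        echo "unknown" ;;
        esac
    fi
}

# Line numbers of lines holding a non-printable byte, space separated.
control_char_lines() {
    LC_ALL=C awk '/[^ -~]/ { printf "%s%d", sep, NR; sep = " " } END { print "" }' "$1"
}

# Constructed sample: a PEM-shaped file saved with Windows CRLF line endings.
sample=$(mktemp)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVG' '-----END CERTIFICATE-----' > "$sample"
echo "$(classify_cert_file "$sample") on lines: $(control_char_lines "$sample")"
rm -f "$sample"
```

A result of pem-control-chars points to the OpenSSL re-export in steps 4 and 5, der to the Base-64 conversion, and pkcs7 to CTX124783.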

Linux VDA with FAS enabled fails with “Invalid Login”

1) Copy the root certificate and the intermediate certificate to the Linux VDA.

2) Use the openssl command to convert them to PEM:

openssl x509 -inform der -in root.cer -out root.pem

openssl x509 -inform der -in intercacert.cer -out inter.pem

3) Copy the PEM files to /etc/pki/CA/certs/.

4) Specify the root and intermediate certificate paths in /etc/krb5.conf as follows:

pkinit_anchors = FILE:/etc/pki/CA/certs/root.pem

pkinit_pool = FILE:/etc/pki/CA/certs/inter.pem
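
A quick way to confirm that steps 2 to 4 line up is to read the PKINIT entries back out of krb5.conf and check that each referenced file exists and carries a PEM header. This is an added example, not Citrix code: check_pkinit_files and its optional ROOT_PREFIX argument are hypothetical, and the realm name and file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not Citrix code). check_pkinit_files KRB5_CONF [ROOT_PREFIX]
# Prints "<option> <path> <ok|missing|not-pem>" for every pkinit_anchors and
# pkinit_pool FILE: entry. ROOT_PREFIX is a hypothetical helper argument that
# lets the check run against a staged copy of the filesystem.
check_pkinit_files() {
    conf=$1
    prefix=${2:-}
    awk -F'[ \t]*=[ \t]*' '
        $1 ~ /^[ \t]*pkinit_(anchors|pool)$/ && $2 ~ /^FILE:/ {
            sub(/^[ \t]*/, "", $1); sub(/^FILE:/, "", $2); sub(/[ \t]+$/, "", $2)
            print $1, $2
        }' "$conf" |
    while read -r opt path; do
        file=$prefix$path
        if [ ! -r "$file" ]; then
            state=missing
        elif head -n 1 "$file" | LC_ALL=C grep -q -e '^-----BEGIN CERTIFICATE-----'; then
            state=ok          # PEM header present, as produced by step 2
        else
            state=not-pem     # e.g. the DER .cer file was copied unconverted
        fi
        echo "$opt $path $state"
    done
}

# Constructed demo: staged root with a PEM anchor and an unconverted DER pool file.
demo=$(mktemp -d)
mkdir -p "$demo/etc/pki/CA/certs"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVG' '-----END CERTIFICATE-----' \
    > "$demo/etc/pki/CA/certs/root.pem"
printf '\060\202\001\012' > "$demo/etc/pki/CA/certs/inter.pem"
cat > "$demo/krb5.conf" <<'EOF'
[realms]
 EXAMPLE.COM = {
  pkinit_anchors = FILE:/etc/pki/CA/certs/root.pem
  pkinit_pool = FILE:/etc/pki/CA/certs/inter.pem
 }
EOF
check_pkinit_files "$demo/krb5.conf" "$demo"
rm -rf "$demo"
```

On the VDA itself, call it as check_pkinit_files /etc/krb5.conf with no prefix; commented-out entries are ignored.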

Secure Hub 10.5 : Enrollment fails with error : “Can't enroll device- WorxHome cannot enroll device because it failed to establish a secure connection with server”

Certificate on discovery.mdm.zenprise.com was renewed on 30th of April 2018, which is what caused the issue in the first place.

To get past the enrollment URL screen, Secure Hub must be upgraded.

Version 10.6.20 is known to work.

Intermittent Slowness SSL sites and RDP

I do not need a solution (just sharing information)

Hi all,

Recently encountered a weird slowness on one of the subnets at a customer site, HTTPS and RDP appear to be extremely slow. Sometimes reporting that certificate revocation information is not available. RDP sessions after initial password prompt also take between 30-60 seconds to connect. SSL and RDP are fine at other sites / subnets. All go to two ProxySGs upstream (set via wpad file). Feels like the slowness is due to some form of security / certificate checking going on, it’s strange that we only see this issue on one subnet as there are lots of others all going to the same ProxySG devices. Haven’t ruled out other areas of investigation (e.g. group policy, firewall, switches etc.) but we have seen that if we disable the certificate revocation checks, speed is hugely improved (sometimes a reboot has been needed to kick this in). However it’s not something I’m overly comfortable leaving disabled.

Does anyone have any suggestions on what this could possibly be or how best to troubleshoot? Seen a couple of KBs related to OCSP and CRL but nothing that’s a match for the intermittent symptoms we’re seeing. We’re upgrading the devices next week (approx. 10 months out of date) and if no better logging a case with Symantec to see if they could help.

Thanks
