login about faq

What are the steps needed to setup user authentication with certificates on Windows?

asked Sep 22 '11 at 14:51

SSH%20KB's gravatar image


edited Sep 28 '11 at 13:42

Tectia Server

To configure Tectia Server to allow user authentication with X.509 certificates, perform the following tasks using Tectia Server Configuration GUI:

  1. Launch Tectia Server Configuration GUI.

    Select Start > All Programs > Tectia Server > Tectia Server Configuration.

  2. Under GUI Mode, select Advanced to view all available options and groups.

  3. Go to Certificate Validation and select the CA Certificates tab.

  4. Add the trust anchors that are needed for the certificate validation. Root CA certificates or intermediate CA certificates can be added as trust anchors. Normally you need to add only the CA certificate that can issue certificates for the users into Tectia Server configuration. That is, you need not create the whole trust path in the configuration.

    Note! Revocation checks are not performed on the certificates that are added to the CA Certificates list.

    Note! In case you have an LDAP server in use, you only need to add the root CA certificate into the server configuration. Tectia Server can retrieve the intermediate CA certificates that are issued by the root CA certificate automatically from the LDAP server. For example, if Company Users is added as a trust anchor and the intermediate CA certificates are stored in the LDAP, end entities certified by the root or intermediate CA certificates will be trusted.

  5. Go to Authentication and select Default Authentication to configure selectors and parameters for the group. Note that this authentication group is available in the default configuration of Tectia Server.

  6. On the Selectors tab, enter a name for the authentication group.

    Leave the selectors list empty, all incoming users are selected into this authentication group and to the authentication method chain. This is the first authentication group that you need to create for the authentication method chain. There will be two authentication groups in the chain.

  7. On the Parameters tab, make sure that the Allow public-key authentication option is selected.

  8. Create a child authentication group which will be used to check certain fields from the end user's certificate. That is, you are configuring your selector for the certificates. Click the Add Child button and enter a name for the child authentication group.

  9. On the Selectors tab of the child authentication group, click the Add Selector button. From the list, select Certificate and click OK.

  10. In the Certificate Selector dialog box, select which field on the certificate you wish to authenticate against.

  11. Enter the pattern in the field.

    It is extremely important to create a mapping between real OS user accounts and the end users' certificates so that a single end user can only access a single specific OS user account with their personal certificate and not all OS user accounts. For example, if you use subject-name, the pattern could be:

    CN=%username-without-domain%, CN=USERS, DC=DEMO, DC=SSH, DC=COM

  12. Once you have made your changes, click OK.

  13. On the Parameters tab, unselect all authentication methods because the parent authentication group checks whether the public key authentication is successful.

  14. Click Apply to save your changes.

For more information about the authentication settings, see Certificate Validation and Authentication.
You need to configure user authentication with certificates in Tectia Client also.

Tectia Client

To configure Tectia Client for user authentication with X.509 certificates on Windows using Tectia Connections Configuration GUI:

  1. Launch Tectia Connections Configuration GUI.

    Right-click alt text in the system tray and select Configuration.

  2. Under General, click Default Connection. Select the Authentication tab. Ensure that public-key authentication is enabled and it is the first or only method in the list. By default, it is enabled.

    Under Public-Key Authentication, you can select to use public keys or certificates or both in the authentication.

  3. If you are using connection profiles, select the profile name under Connection Profiles. Select the Authentication tab and ensure that public-key authentication is enabled.

  4. Tectia suggests installing the certificate into the Microsoft Certificate store that is a personal store for the user.

  5. Under User Authentication, select Key Providers. Enable Microsoft Crypto API and click Apply.

    You can also read certificate information from USB tokens or smartcards via Microsoft Crypto API if they are compatible with the API. Alternatively USB tokens or smartcards can be used by enabling PCKS#11.

  6. The certificate is now loaded into the client automatically. Under User Authentication, select Keys and Certificates. You can see the available certificates under Key and Certificate List.

    Tectia Client can also read key and certificate information from the file system. These can be defined under Additional Directories and Files.

    Note! Ensure that the client certificate is set up for client authentication only. It makes troubleshooting several certificates easier, for example, as server authentication certificates cannot be used as user certificates.

    For more information about the key and certificate settings, see Managing Keys and Certificates.

answered Sep 28 '11 at 13:42

SSH%20KB's gravatar image


I followed your instructions and got this:

  • 1101 Certificate_validation_success, Username: ssh, CA list: Internal CA, Session-Id: 6
  • 801 Authentication_block_selected, Username: ssh, Policy name: implicit-certificate-deny, Session-Id: 6
  • 803 Authentication_block_deny, Username: ssh, Policy name: implicit-certificate-deny, Session-Id: 6
  • 701 Auth_method_failure, Username: ssh, Auth method: publickey, Session-Id: 6
  • 703 Auth_methods_available, Username: ssh, Auth methods: publickey, Session-Id: 6

answered Apr 21 '14 at 12:17

hienbt88's gravatar image


edited Apr 22 '14 at 13:17

Martin%20Dobsik's gravatar image

Martin Dobsik

"implicit-certificate-deny" means that your certificate didn't match any selector. But I am not completely sure. I would have to reproduce it myself.

(Apr 22 '14 at 13:22) Martin Dobsik Martin%20Dobsik's gravatar image
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or __italic__
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: Sep 22 '11 at 14:51

Seen: 12,764 times

Last updated: Apr 22 '14 at 13:22

All user contributed content licensed under the cc-by-sa license.
Powered by OSQA.