topic Re: Mobile Client doesn't accept Certificate in Firewall and Security Management

Mobile Client doesn't accept Certificate

Exonix — Wed, 24 May 2023 14:20:02 GMT

Hello All,

we have a GW R80.30 and many VPN users. But recently one user got an issue: his VPN Client doesn't accept any Certificates. We even imported the certificate into Windows Certificate Storage to let the user connect without password - still doesn't work. The logs schow the following:

[ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] gw_uses_login_options return value true, because it is Default variable. Scope: site My_Company VPN, gw VPN_GW ,user USER [ 16532 9924][24 May 15:17:13][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetGatewayLoginOptionState: gw VPN_GW support login option [ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] site_uses_login_options return value true, because it is Gateway config variable. Scope: site My_Company VPN ,gw NULL ,user USER [ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] selected_realm_id return value vpn, because it is User config variable. Scope: site My_Company VPN ,gw NULL ,user USER [ 16532 9924][24 May 15:17:13][RealmConfiguration] [COVERAGE] [RealmConfiguration::getRealmByName(s)] __start__ [ 16532 9924][24 May 15:17:13][RealmConfiguration] [DEBUG] [RealmConfiguration::getRealmByName(s)] getRealmByName where realm ID=vpn [ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] login_options_list return value is object type, because it is Gateway config variable. Scope: site My_Company VPN ,gw NULL ,user USER [ 16532 9924][24 May 15:17:13][RealmConfiguration] [INFO] [RealmConfiguration::getRealmByName(s)] Found realm with matching realm ID: vpn [ 16532 9924][24 May 15:17:13][RealmConfiguration] [COVERAGE] [RealmConfiguration::getRealmByName(s)] __end__ Total: 0 milliseconds. [ 16532 9924][24 May 15:17:13][TR_REALM_CONFIG_MANAGER] TrRealmConfigManager::GetGatewayRealmObj: siteName My_Company VPN, gwName VPN_GW, realm_display_name=vpn, realm_id=vpn [ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TrCredKey::TrCredKey: creating credKey [ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TrAuthenticationManager::CredsInCache: enter, item - (gw = My_Company VPN, authMethod=p12-certificate, realmId=vpn) [ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TR_AUTH_MANAGER::TrAuthenticationManager::CredsInCache: cred item is null [ 16532 9924][24 May 15:17:13][TR_AUTH_MANAGER] TR_AUTH_MANAGER::TrAuthenticationManager::CredsInCache: did not find an appropriate auth object in cache [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] IsCredsAvailable: Creds not in cache looking in CPLogon [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TrConnManager::GetRegOrCPLogonCreds: site name is: My_Company VPN [ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] save_cli_credentials_for_ATM return value false, because it is Default variable. Scope: site My_Company VPN, gw NULL ,user USER [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TrConnManager::IsCredsInRegOrCPLogon: site name is: My_Company VPN [ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] save_cli_credentials_for_ATM return value false, because it is Default variable. Scope: site My_Company VPN, gw NULL ,user USER [ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Check if CPLogon enabled [ 16532 9924][24 May 15:17:13][TR_CPLOGON] IsEnabled: LogonAgentAPI dll not loaded [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Credentials are not in cplogon and not in registry [ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::GetRegOrCPLogonCreds: Creds are not in registry or cplogon [ 16532 9924][24 May 15:17:13][TR_API_TRANSLATE] TR_API_TRANSLATE::TrAPI_Translate::ToSet: converting realmAuthFactor struct to set [ 16532 9924][24 May 15:17:13][TR_SRV2CL] TR_SRV2CL::GetConfig: Entering [ 16532 9924][24 May 15:17:13][TrMsg] TrMsg::TrMsgFromMsgObj: Entering [ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] is_secondary_connect_enabled_and_supported_on_gw is not client decide [ 16532 9924][24 May 15:17:13][TR_SRV2CL] TR_SRV2CL::GetConfig: Recieved Get config message, will get the configuration from the site's scope [ 16532 9924][24 May 15:17:13][CONFIG_MANAGER] is_secondary_connect_enabled_and_supported_on_gw return value false, because it is Gateway config variable. Scope: site My_Company VPN ,gw NULL ,user USER [ 16532 9924][24 May 15:17:13][TrMsg] TrMsg::TrMsgArgIterGetNextArg: No more TrArgs [ 16532 9924][24 May 15:17:13][MSGOBJ] msg_obj_init: format=1.0 id=TR_CONFIGURATION

What I don't like here:

[ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Check if CPLogon enabled [ 16532 9924][24 May 15:17:13][TR_CPLOGON] IsEnabled: LogonAgentAPI dll not loaded [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::IsCredsInRegOrCPLogon: Credentials are not in cplogon and not in registry [ 16532 9924][24 May 15:17:13][ICS] TrFeatureManager::isATM: return value - is ATM = false [ 16532 9924][24 May 15:17:13][TR_CONN_MANAGER] TR_CONN_MANAGER::TrConnManager::GetRegOrCPLogonCreds: Creds are not in registry or cplogon

I know that on the user's computer some security applications are installed, like Zscaller, ByoundTrust, maybe something else. Is it possible that such applications block some libraries? I asked him to check it with his Security team.

Thank you for any ideas!

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 14:28:20 GMT

Logically, if its only one user, plus the fact there might be some 3rd party apps installed that could block this, definitely makes sense. Any way they could uninstall that other software and see if that works?

Andy

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 14:31:35 GMT

To add to my initial post, I recall 3 years ago or so, customer had similar issue and what they did to fix it was put the 3rd party app into "hibernate" mode...no clue in the world what app it was and how they did it, but that was the workaround, at least for the time being, until they found more permanent solution.

Re: Mobile Client doesn't accept Certificate

Exonix — Wed, 24 May 2023 14:47:48 GMT

I've asked them to test it on a Vitual Machine without any security Apps. Let't see what they answer...

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 14:49:14 GMT

K, great...so if that does work, then you know 100% where the issue is. Question at that point would be what needs to be modified in order to make it work properly?

Andy

Re: Mobile Client doesn't accept Certificate

Exonix — Wed, 24 May 2023 14:53:33 GMT

first the security departmentwill have to find what is blocking. One more point: we already had problems during the installation of the VNP client... They solved it...

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 14:55:22 GMT

Ah, I see...was something else blocked when client was installed?

Andy

Re: Mobile Client doesn't accept Certificate

Exonix — Wed, 24 May 2023 15:02:06 GMT

I don't know that. the problem occurred only with the VPN client

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 15:04:53 GMT

Hang on, just to confirm...was this issue ONLY with single user? So, say for argument's sake, if vpn client was E87.10 (does not really matter), was install issue present just with single person or multiple people?

Andy

Re: Mobile Client doesn't accept Certificate

Exonix — Wed, 24 May 2023 15:12:18 GMT

as I know only a single user has complained. probablly onle one user in this company uses our VPN. full story: the initial request was for a new certificate - I enrolled it (by the way, the self-issue of the certificate on the client computer works without any issues), but then the user said it didn't work. I connected to him with MS Teams and I see - the client is old (the client has been connecting the last time 9 months ago). We began to update the client and faced the problem.... ^_^

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 15:18:14 GMT

K, so if its just single user, then Im 100% sure it has to be something else on their machine (most like one of those 3rd party apps) and NOT the actual vpn client.

Andy

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 15:35:51 GMT

@Exonix Anyway, keep us posted on what the outcome is.

Cheers,

Andy

Re: Mobile Client doesn't accept Certificate

Exonix — Wed, 24 May 2023 15:37:26 GMT

yes, sure. but from tomorrow I'm on vacation (*_*) the update comes later

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 15:38:33 GMT

Well, have a nice vacation...Im sure this person will have someone else sort it out, hehe ; - )

Re: Mobile Client doesn't accept Certificate

Exonix — Wed, 24 May 2023 15:39:47 GMT

thank you! yes, i will give to my colleagues, but only me can post here 8)

Re: Mobile Client doesn't accept Certificate

the_rock — Wed, 24 May 2023 15:42:15 GMT

Im sure you wont lose any sleep over it and it willnot ruin your vacation ; - )