Re: Machine Certificate Authentication with SAML (...

Sky · ‎2023-06-07

Hi All,

Trying to figure out why the configuration of the machine certificate authentication is not working....this one seems quite difficult.

SAML is working fine but adding cert auth for machines gives an error "Internal error; connection failed. More details may be available in the logs".

I have placed respectively the Root CA that is in the local machine space as a Trusted CA and the same for the intermediate CA as Subordinate CA. Also have the signed certificate for the machine in the Personal Certificates. Saw some KB in regards to the subject name which was empty before, changed that to use the CN instead, but still no luck at all.

We have a distributed environment with SMS on R81 and a cluster on R80.40 and the Endpoint Security on E87.00

Has anyone faced something similar and were you able to fix this?

Regards.

PhoneBoy · ‎2023-06-07

What is the precise process you used to add machine certificate authentication?
Screenshots (with sensitive details redacted) would be exceptionally helpful here.

Sky · ‎2023-06-07

I was using the approach described on the documentation and everything is running fine without machine cert auth:

Thinking as a more secure way trying to narrow down the access roles to the specific OU containing the machines as well.
Checked also this one :

sk170140

Some logs from the trac.log:

[ 5520 6368][8 Jun 0:19:17][RaisCertManager] SetFriendlyNameOnToken: __start__ 0:19:17.241
[ 5520 6368][8 Jun 0:19:17][RaisCertManager] GenerateFriendlyNameWithSerial: __start__ 0:19:17.241
[ 5520 6368][8 Jun 0:19:17][RaisCertManager] RaisCertManager::_GenerateFriendlyNameWithSerial: ERROR!! subject or serial is empty, return empty string
[ 5520 6368][8 Jun 0:19:17][RaisCertManager] GenerateFriendlyNameWithSerial: __end__ 0:19:17.241. Total time - 0 milliseconds
[ 5520 6368][8 Jun 0:19:17][RaisCertManager] SetFriendlyNameOnToken: __end__ 0:19:17.241. Total time - 0 milliseconds
[ 5520 6368][8 Jun 0:19:17][] fwCAPIProvider_imp::GetToken: Machine certificate, index 1.
[ 5520 6368][8 Jun 0:19:17][] fwCAPIToken::fwCAPIToken: enter (1) start (03331588, imp: 01E0A9F8)
[ 5520 6368][8 Jun 0:19:17][] fwCAPIToken_imp::Init2(PCCERT_CONTEXT TheCert): enter... machineCtx is 1
[ 5520 6368][8 Jun 0:19:17][] MyprintCertName:fwCAPIToken_imp::Init2(PCCERT_CONTEXT TheCert) enter...
[ 5520 6368][8 Jun 0:19:17][] MyprintCertName:fwCAPIToken_imp::Init2(PCCERT_CONTEXT TheCert) cert name is: CN=test.contoso.local

[ 5520 6368][8 Jun 1:15:36][Rais_CAPICERT] Rais_CAPICERT::capi_cert_sign: Failed to sign Buffer
[ 5520 6368][8 Jun 1:15:36][] fwPubKey::SetMachineCtx: enter.. about to set to 0
[ 5520 6368][8 Jun 1:15:36][] fwWinPubKey_imp::SetMachineCtx: about to set machine contex to 0.
[ 5520 6368][8 Jun 1:15:36][Rais_CAPICERT] capi_cert_sign: __end__ 1:15:36.930. Total time - 5 milliseconds
[ 5520 6368][8 Jun 1:15:36][Rais_CAPICERT] CAPICert::Sign: __end__ 1:15:36.930. Total time - 5 milliseconds
[ 5520 6368][8 Jun 1:15:36][Rais_CAPICERT] Rais_CAPICERT::CAPICert::Machine_Sign: done.
[ 5520 6368][8 Jun 1:15:36][IKE] create_MM5(hybrid authentication): Failed to sign hash with the machine's certificate (-996)
[ 5520 6368][8 Jun 1:15:36][rais] [DEBUG] [RaisMessages::CreateMessageSet(s)] message: (msg_obj
:format (1.0)
:id (ClipsMessagesInternalError)
:def_msg ("Internal error; connection failed. More details may be available in the logs")
:arguments ()
)

[ 5520 6368][8 Jun 1:15:36][TR_FLOW_STEP] TR_FLOW_STEP::TrConnEngineConnectStep::operation_failed: Cb arrived
[ 5520 6368][8 Jun 1:15:36][FLOW] TrConnEngineConnectStep::operation_failed: user message set: (msg_obj
:format (1.0)
:id (ClipsMessagesInternalError)
:def_msg ("Internal error; connection failed. More details may be available in the logs")
:arguments ()

I am having hard time to understand why it is not working while I have the whole chain of certificates enrolled and on the relevant local machine relevant areas, have used the same PKI certificates in this case, just created a new one on the Personal Certificates on local machines since the subject was missing and we edited an existing template on the CA server in order to create a new request having the possibility to fill in the "Subject" filed there.
Not sure what important task I might have missed to mention here, please let me know if more needs to be described by me.

Thank you and best regards.

Sky · ‎2023-06-08

Hello,

I was able to find on this community some other situation describing somehow what I am facing:

R81 - New VPN users unable to establish VPN via SHA256

After configuring phase 1 with SHA1 I still see issue when machine certification authentication is on "mandatory".

I get an error mentioning the Subordinate CA while I think the actual issue is with the ROOT CA on Trusted CA, because the real certificate is expiring in 2050 - while the one imported on SMS is expiring on 2038. This is really new to me, so I checked the ICA which is expiring as well on the same month on 2038 (maybe that is just a coincidence). Anyhow I thought to ask if someone might know or faced this before.

Thank you in advance.

PhoneBoy · ‎2023-06-08

According to the product documentation, you can only use Machine Certificates with a Microsoft AD server.
For Azure AD, you would configure the Machine Certification there as one of the authentication methods.

Sky · ‎2023-06-09

Hello,

I missed to mention that I have already configured LDAP Account Unit and Identity Awareness gathering information by using identity collectors which connects to the ADs.

SAML is a second profile, if I use the first one which is based on RADIUS (NPS servers, same one used to host the identity collector agents) the connection works but not with machine certification. SAML works too, but not if I select any of the option related to the Machine Certificate Authentication.

Except of having a certificate with a subject value not empty, and of course importing Root CA and Subordinate CA in the SMS in order to check the local machine certificate, is there any other specific parameter / setting which we need to take care for making this work?

Thank you.

PhoneBoy · ‎2023-06-09

I believe the Machine Certificate setting applies to all profiles and SAML cannot be combined with other authentication methods (including Machine Certificate).
I think this will require a TAC case to more deeply investigate: https://help.checkpoint.com

Sky · ‎2023-06-10

Hello,

I understand that if Machine Certificate Authentication will be used, will impact all realms configured but based on checkpoint documentation, it seems that is supported:

Unless I understand this in a wrong way 😅
Regards

PhoneBoy · ‎2023-06-12

Good to know it's supported.
Still seems like the IdP would be a better place to configure this.
However, since it is supported to use a Machine Certificate to bring up a Machine Tunnel before authenticating with a user via SAML, it makes sense these features would work together.

Sky · ‎2023-06-12

Hello,

Just thought to comment here as an update after I was able to solve this. It was a matter of internal communication from the firewall to the specific server where the certificate was pointing to in order to be checked against the CRL (communication towards that server on port 80 - http ). After that I can use the machine certification authentication as a factor with both SAML or Radius Servers (using Azure MFA as a second authentication factor except credentials).

sambath · ‎2024-01-15

Hello Sky,

Thanks for sharing the very good tips. I am gathering the information, and would like to test out this solution as well. Is there any changes, or attribute needs to modify at Azure side to implement the Machine Authentication? It would be great if you could share the issue/challenging during the implementation.

Regards,

Are you a member of CheckMates?

Machine Certificate Authentication with SAML (Azure) is not working