Policy Server Guides › Policy Server Configuration Guide › Troubleshooting SSL Authentication Schemes › SSL Troubleshooting

SSL Troubleshooting

The following sections detail the most common problems encountered when dealing with SSL authentication schemes.

There Was No Prompt for a Certificate

If a certificate prompt did not appear, verify that SSL is configured appropriately. If the agent is installed, disable the agent. The first step is to verify a simple SSL connection.

Follow these steps:

1. Disable the agent protecting the realm for which you want to use an authentication scheme over SSL.
2. Using your browser, go to one of the following URLs (using a browser with a certificate):
   • https://web_server_name:port (Netscape Web Servers)
   • https://web_server_name:port/<SSL Virtual Directory> (IIS Web Servers)
   • https://web_server_name:port (Apache Web Servers)

   If this SSL connection is configured to require certificates, you are to select a certificate.

After Following Previous Procedure, Still No Certificate Prompt

Perform the following steps if you are still not receiving a certificate prompt.

• Verify that all Firefox browsers are configured to ask every time.
• Verify that all web servers are configured to use SSL and require certificates.
• Verify the following settings for each Virtual Directory that is used by the product.
• Verify the web server certificate expiration.
• Verify that the browser certificate is valid.

Verify That All Firefox Browsers Are Configured to Ask Every Time

The Firefox web browsers can be configured to pass the same certificate automatically. This setting establishes the SSL connection using a certificate without prompting users to select a certificate.

Follow these steps:

1. In the Firefox browser, select Options from the Firefox menu.
2. Click Advanced.
3. Click the Encryption tab.
4. In the Certificates section, verify that the Ask me every time option is set.

Verify That All Web Servers Are Configured to Use SSL and Require Certificates

For Netscape Web Servers

1. In the Netscape Server Administration, click Admin Preferences.
2. Click Encryption On/Off and verify that the encryption is on, then click OK.
3. Click Encryption Preferences and verify that Required Certificates is set.
4. Restart the Web Server.

For IIS Web Servers

Verify that the virtual directories SMGetCredCert, SMGetCredCertOptional, SMGetCredNoCert are created and have the correct settings.

• SMGetCredCert - Require Certificates will be selected
• SMGetCredCertOptional - Accept Certificates will be selected
• SMGetCredNoCert - Do not accept certificates will be selected

Note: As part of the CA SiteMinder® SSL Authentication setup, CA SiteMinder® configures SSL virtual directories based on the type of SSL connection required by the authentication scheme.

Verify the Following Settings for each SiteMinder Virtual Directory

Follow these steps:

For IIS web servers

1. In the Management Console, right-click a virtual directory and select Properties.
2. Click the Directory Security tab.
3. Click Edit Secure Communications.

For Apache web servers

In the httpd.conf file, be sure to set SSLVerifyClient as follows:

• For Basic over SSL: SSLVerifyClient none
• For Certificate or Basic: SSLVerifyClient optional
• For Certificate/Certificate and Basic: SSLVerifyClient require

  Note: For Apache-based web servers where Certificates are required or optional, the "SSL Verify Depth 10" line in the httpd.conf file must be uncommented.

Check the Web Server’s Certificate Expiration

Netscape Servers

1. In the Netscape Server Administration, click Keys & Certificates.
2. Click Manage Certificates.
3. Click ServerCert.
4. Verify that it is trusted, and has not expired.

IIS Servers

1. In the Management Console, right-click the Web Server and select Properties.
2. Click the Directory Security tab.
3. In the Secure Communications panel, click Key Manager.
4. Select a key. View its properties and verify that the key has not expired.
5. Restart the Web Server.

Apache Servers

If an Apache Web Server certificate expires, you receive an error message at server startup.

Verify Browser Certificate Validity

A missing certificate or an invalid certificate can prevent you from receiving a certificate prompt.

Open your Web browser and verify the validity of the browser certificate.

After Certificate Prompt, Authentication Failure Received

Apache Web Servers

• Verify that the SSL Web Server contains the certificate authority of the certificate supplied.
• Verify that the SSL Web Server Trusts the certificate authority of that certificate.
• Ensure the SSL Verify Depth 10 is uncommented.

Netscape Web Servers

Verify that the Certificate Authority for the certificate is listed and that the Trust for the certificate has not expired. If it is missing or expired, install a new Certificate Authority certificate.

IIS Web Servers

Verify that the certificate is listed and that it is valid. If it is missing or expired, install a new certificate. If you are able to get to the destination directory, then certificates are installed correctly.

Verify Correct Policy Server and Web Agent Configuration

Verify your policy server and web agent configuration.

Follow these steps:

1. Check that the Policy Server is created correctly.
2. Check that the Web Agent contains the correct Policy Server information.
3. Verify that the Web Agent is enabled.
4. Restart the Web Agent and Policy Server.

SiteMinder Policy Should Allow Access, but SSL-Authentication Failed Message Received

This situation can result from a number of configuration errors. Some common errors include:

• The SSL Server is not configured to Require Client Certificates. Therefore, the client is not passing a certificate; hence disabling the authentication process of the product. Verify this situation by enabling the logging option in the Web Agent. A proper log indicates that the user is unknown. To correct this problem, turn on Require Certificates in the SSL Web Server.
• The Policy was not created properly. Check the users that are associated with the policy.
• For Apache Web server, ensure that the SSL Verify Depth is set properly and uncommented.

More information:

Certificate Mapping for X.509 Client Certificate Authentication Schemes

How to Configure a Policy Domain

Error Not Found Message Received

This error occurs when the Authentication Scheme Parameter being configured improperly. The redirect is not configured properly so the web server is unable to find the SSL Web Agent component.

More information:

Authentication Schemes

Running Certificate or Basic but Cannot Enter Basic credentials.

On Netscape Web Servers, the Certificate or Basic scheme requires the Web Server to have encryption that is turned on, but does not require certificates. Be sure that in the Encryption Preferences section of the Netscape Server Administration, the Require Certificate setting is set to No.