Policy Server Guides › Policy Server Configuration Guide › Troubleshooting SSL Authentication Schemes › Certificate-based Authentication Tests › After Following Previous Procedure, Still No Certificate Prompt › Verify Browser Certificate Validity

Verify Browser Certificate Validity

Netscape Browsers

1. In the Netscape Browser, select Security from the tool bar.
2. In the Security Info panel, click Yours under Certificates.
3. In the list box, under These are your certificates: you should see the certificate. If it does not appear, you need to install one.
4. If the certificate is in the list, click Verify to ensure that it is a valid certificate.

Internet Explorer Browsers

1. In the IE browser menu select View, Internet Options.
2. Select Certificates, Personal.
3. Verify that the certificate is listed there and that it is valid. If it is not there or is not valid, install a new certificate.

After Certificate Prompt, Authentication Failure Received

Apache Web Servers

• Verify that the SSL Web Server contains the certificate authority of the certificate supplied.
• Verify that the SSL Web Server Trusts the certificate authority of that certificate.
• Ensure the SSL Verify Depth 10 is uncommented.

Netscape Web Servers

Verify that the Certificate Authority for the certificate is listed and that the Trust for the certificate has not expired. If it is not there or is not valid, install a new CA certificate.

IIS Web Servers

Verify that the certificate is listed and that it is valid. If it is not present or is not valid, install a new certificate. If you are able to get to the destination directory, then certificates are installed correctly.

Verify Correct Policy Server and Web Agent Configuration

After completing the steps in the previous topic based on your specific web server, verify your policy server and web agent configuration.

To verify correct policy server and web agent configuration

1. Check that the Policy Server is created correctly.
2. Check that the Web Agent contains the correct Policy Server information.
3. Verify that the Web Agent is enabled.
4. Restart the Web Agent and Policy Server.

SiteMinder Policy Should Allow Access, but SSL-Authentication Failed Message Received

In this situation, there is a Policy that is being called, but the user is incorrectly being denied access. This can result from a number of configuration errors. Common errors include:

• The SSL Server is not configured to Require Client Certificates. Therefore, the client is not passing a certificate; thereby disabling SiteMinder authentication process. You can verify this is the situation by enabling the logging option in the Web Agent. The log should indicate that the user is unknown. To correct this problem, turn on Require Certificates in the SSL Web Server.
• The Policy was not created properly. Check the Policy’s users and be sure that the selection is correct.
• For Apache Web server, ensure the SSL Verify Depth is set properly and uncommented.

More information:

How to Configure a Policy Domain

Certificate Mapping for X.509 Client Authentication Schemes

Error Not Found Message Received

This is generally caused from the Authentication Scheme Parameter being configured improperly. The redirect is not configured properly so the Web Server is unable to find the SSL Web Agent component.

More information:

Authentication Schemes

Running Certificate or Basic but Cannot Enter Basic credentials.

On Netscape Web Servers, the Certificate or Basic scheme requires the Web Server to have encryption turned on, but does not require certificates. Be sure that in the Encryption Preferences section of the Netscape Server Administration, the Require Certificate setting is set to No.