SSH

Configuring User Authentication with Certificates on Windows

You can configure user authentication with X.509 certificates on Windows using the Tectia Connections Configuration GUI. You also need to configure Tectia Server for user authentication with certificates; see the Tectia Server Administrator Manual.

  1. Launch Tectia Connections Configuration GUI.

    Right-click in the notification area of the Windows taskbar and select Configuration.

  2. Under General, click Default Connection. Select the Authentication tab. Ensure that public-key authentication is enabled and it is the first or only method in the list. By default, it is enabled.

    Under Public-Key Authentication, you can select to use public keys or certificates or both in the authentication.

    Figure 4.7. Enabling public-key authentication

  3. If you are using connection profiles, select the profile name under Connection Profiles. Select the Authentication tab and ensure that public-key authentication is enabled.

  4. Tectia suggests installing the certificate into the user's personal store in the Microsoft Certificate store.

  5. Under User Authentication, select Key Providers. Enable Microsoft Crypto API and click Apply.

    Figure 4.8. Enabling Microsoft Crypto API as a certificate provider

    You can also read certificate information from USB tokens or smartcards via Microsoft Crypto API if they are compatible with the API. Alternatively, USB tokens or smartcards can be used by enabling PKCS#11.

  6. The certificate is now loaded into the client automatically. Under User Authentication, select Keys and Certificates. You can see the available certificates under Key and Certificate List.

    Figure 4.9. Viewing available certificates

    Tectia ConnectSecure can also read key and certificate information from the file system. These can be defined under Additional Directories and Files.

    Note

    Ensure that the client certificate is set up for client authentication only. This makes troubleshooting easier when several certificates are present because, for example, server authentication certificates cannot be used as user certificates.

For more information about the key and certificate settings, see Managing Keys and Certificates.
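
The Note above asks that the client certificate be set up for client authentication only. The following PowerShell check is an added example, not part of the Tectia documentation; it assumes the certificate is in the current user's personal store (`Cert:\CurrentUser\My`) and interprets "client authentication only" as an Enhanced Key Usage (EKU) extension that contains nothing but the standard client authentication OID.

```powershell
# Added example (not Tectia code): audit the current user's personal store
# for certificates that are usable for client authentication only.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Get-UserCertAuthAudit {
    # StorePath is an assumption: the per-user personal store described in step 4.
    param([string]$StorePath = 'Cert:\CurrentUser\My')

    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Read the EKU OIDs straight from the X.509 extension, if present.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        $findings = @()
        if (-not $cert.HasPrivateKey) { $findings += 'no private key available' }
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $findings += 'outside validity period'
        }
        if (-not $ekuExt) {
            $findings += 'no EKU extension (purpose not restricted)'
        } elseif ($ekus -notcontains $ClientAuthOid) {
            $findings += 'EKU lacks client authentication'
        }
        if ($ekus -contains $ServerAuthOid) { $findings += 'EKU allows server authentication' }
        # Any other purpose also breaks the "client authentication only" rule.
        $other = @($ekus | Where-Object { $_ -ne $ClientAuthOid -and $_ -ne $ServerAuthOid })
        if ($other.Count -gt 0) { $findings += "other EKUs: $($other -join ', ')" }

        $status = if ($findings.Count -eq 0) { 'OK: client authentication only' }
                  else { $findings -join '; ' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Status     = $status
        }
    }
}

Get-UserCertAuthAudit | Format-Table -AutoSize -Wrap
```

Certificates whose Status is not `OK` are the ones to examine first when the Key and Certificate List shows more entries than expected.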

Troubleshooting User Authentication with Certificates

If the certificate authentication does not succeed for some reason, running Tectia Server in the troubleshooting mode and viewing the troubleshooting log can provide a lot of information about the end-user connection. For more information, refer to Section Starting Tectia Server in Debug mode on Windows in the Tectia Server Administrator Manual.