To configure Tectia Server to allow user authentication with X.509 certificates, perform the following tasks using Tectia Server Configuration GUI:
Launch Tectia Server Configuration GUI.
Select Start > All Programs > Tectia Server > Tectia Server Configuration.
Under GUI Mode, select Advanced to view all available options and groups.
Go to Certificate Validation and select the CA Certificates tab.
Add the trust anchors that are needed for the certificate validation. Root CA certificates or intermediate CA certificates can be added as trust anchors. Normally you need to add only the CA certificate that can issue certificates for the users into Tectia Server configuration. That is, you need not create the whole trust path in the configuration.
Note: Revocation checks are not performed on the certificates that are added to the CA Certificates list.
Note: In case you have an LDAP server in use, you only need to add the root CA certificate into the server configuration. Tectia Server can retrieve the intermediate CA certificates that are issued by the root CA certificate automatically from the LDAP server. For example, if
For more information about certificate validation, see Certificate Validation.
Go to Authentication and select Default Authentication to configure selectors and parameters for the group. Note that this authentication group is available in the default configuration of Tectia Server.
On the Selectors tab, enter a name for the authentication group.
Leave the selectors list empty. With no selectors, all incoming users are selected into this authentication group and into the authentication method chain. This is the first authentication group that you need to create for the authentication method chain. There will be two authentication groups in the chain.
On the Parameters tab, make sure that the Allow public-key authentication option is selected.
Create a child authentication group which will be used to check certain fields from the end user's certificate. That is, you are configuring your selector for the certificates. Click the Add Child button and enter a name for the child authentication group.
On the Selectors tab of the child authentication group, click the Add Selector button. From the list, select Certificate and click OK.
In the Certificate Selector dialog box, select which field on the certificate you wish to authenticate against.
Enter the pattern in the field.
It is extremely important to create a mapping between real OS user accounts and the end users' certificates so that a single end user can only access a single specific OS user account with their personal certificate and not all OS user accounts. For example, if you use subject-name, the pattern could be:
CN=%username-without-domain%, CN=USERS, DC=DEMO, DC=SSH, DC=COM
Once you have made your changes, click OK.
On the Parameters tab, unselect all authentication methods because the parent authentication group checks whether the public key authentication is successful.
Click Apply to save your changes.
You need to configure user authentication with certificates in Tectia Client also. For more information, see Tectia Client User Manual.
For more information about the authentication settings, see Authentication.
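The account mapping that the Certificate selector pattern enforces can be checked offline before it is applied. The following added example is not Tectia Server code: the matching rules (case-insensitive comparison, `*` as a wildcard), the loose pattern, and the sample subject and accounts are assumptions constructed for illustration. It lists which OS accounts one certificate would be accepted for under the subject-name pattern shown above and under a pattern that lacks the user placeholder:

```python
import re

# Selector pattern from this page; the placeholder stands for the requested login name.
PAGE_PATTERN = "CN=%username-without-domain%, CN=USERS, DC=DEMO, DC=SSH, DC=COM"
# Constructed counter-example without the placeholder ("*" = any value in this model).
LOOSE_PATTERN = "CN=*, CN=USERS, DC=DEMO, DC=SSH, DC=COM"
PLACEHOLDER = "%username-without-domain%"
ALICE_CERT = "CN=Alice,CN=Users,DC=demo,DC=ssh,DC=com"  # constructed sample subject
ACCOUNTS = ["alice", "bob", "administrator"]  # constructed OS accounts


def parse_dn(dn):
    """Split a DN on unescaped commas into (TYPE, value) pairs (assumed case-insensitive)."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return pairs


def username_without_domain(login):
    """Reduce DOMAIN\\user or user@domain to the bare, lower-cased account name."""
    return login.rsplit("\\", 1)[-1].split("@", 1)[0].lower()


def selector_matches(pattern, login, cert_subject):
    """True if cert_subject satisfies pattern for the requested login (model only)."""
    want, have = parse_dn(pattern), parse_dn(cert_subject)
    if len(want) != len(have):
        return False
    for (w_type, w_val), (h_type, h_val) in zip(want, have):
        if w_val == PLACEHOLDER:
            w_val = username_without_domain(login)  # bind the RDN to this account
        elif w_val == "*":
            w_val = h_val  # wildcard written in the pattern itself
        if (w_type, w_val) != (h_type, h_val):
            return False
    return True


def accounts_reachable(pattern, cert_subject, accounts=ACCOUNTS):
    """List the OS accounts this one certificate would be accepted for."""
    return [a for a in accounts if selector_matches(pattern, a, cert_subject)]


if __name__ == "__main__":
    print({p: accounts_reachable(p, ALICE_CERT) for p in (PAGE_PATTERN, LOOSE_PATTERN)})
```

With the page's pattern the sample certificate maps to one account only; with the placeholder removed, the same certificate is accepted for every account in the list.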
You can troubleshoot problems in user authentication with certificates by taking the following steps:
Check that the server authentication phase is successful. When using X.509v3 certificates, server authentication issues can sometimes stop client connections at the very beginning. Information about server authentication issues must be checked from the client-side logs.
Check the Windows Event Log. Tectia Server's log messages are stored in the Application sublog.
If the logs do not show a clear reason for the user authentication problem, start Tectia Server in troubleshooting mode. Inspect the debugging messages using the View Troubleshooting Log tool in Tectia Server Configuration GUI (see Starting Tectia Server in Debug Mode on Windows).