Configuring User Authentication with Certificates on Windows

To configure Tectia Server to allow user authentication with X.509 certificates, perform the following tasks using Tectia Server Configuration GUI:

  1. Launch Tectia Server Configuration GUI.

    Select Start > All Programs > Tectia Server > Tectia Server Configuration.

  2. Under GUI Mode, select Advanced to view all available options and groups.

    Selecting Advanced GUI mode

    Figure 5.2. Selecting Advanced GUI mode

  3. Go to the Certificate Validation page and select the CA Certificates tab.

  4. Add the trust anchors and intermediate CA certificates that are needed for the certificate validation. Root CA certificates or intermediate CA certificates can be added as trust anchors. Normally you need to add only the CA certificate that can issue certificates for the users into Tectia Server configuration. That is, you need not create the whole trust path in the configuration.


    CA certificates are by default added to the CA Certificates list as trust anchors, meaning that revocation checks are not performed on them. When adding a new intermediate CA certificate, clear the Trusted CA check box to enable revocation checks.

    Adding CA certificates

    Figure 5.3. Adding CA certificates


    In case you have an LDAP server in use, you only need to add the root CA certificate into the server configuration. Tectia Server can retrieve the intermediate CA certificates that are issued by the root CA certificate automatically from the LDAP server. For example, if Company Users is added as a trust anchor and the intermediate CA certificates are stored in the LDAP, end entities certified by the root or intermediate CA certificates will be trusted.

    For more information about certificate validation, see Certificate Validation .

  5. Go to Authentication and select Default Authentication to configure selectors and parameters for the group. Note that this authentication group is available in the default configuration of Tectia Server.

    Creating authentication group

    Figure 5.4. Creating authentication group

  6. On the Selectors tab, enter a name for the authentication group.

    Leave the selectors list empty, all incoming users are selected into this authentication group and to the authentication method chain. This is the first authentication group that you need to create for the authentication method chain. There will be two authentication groups in the chain.

  7. On the Parameters tab, make sure that the Allow public-key authentication option is selected.

    Allowing public key authentication

    Figure 5.5. Allowing public key authentication

  8. Create a child authentication group which will be used to check certain fields from the end user's certificate. That is, you are configuring your selector for the certificates. Click the Add Child button and enter a name for the child authentication group.

    Creating a child authentication group

    Figure 5.6. Creating a child authentication group

  9. On the Selectors tab of the child authentication group, click the Add Selector button. From the list, select Certificate and click OK.

    Adding a selector for a certificate

    Figure 5.7. Adding a selector for a certificate

  10. In the Certificate Selector dialog box, select which field on the certificate you wish to authenticate against.

  11. Enter the pattern in the field.

    It is extremely important to create a mapping between real OS user accounts and the end users' certificates so that a single end user can only access a single specific OS user account with their personal certificate and not all OS user accounts. For example, if you use subject-name, the pattern could be:

    CN=%username-without-domain%, CN=USERS, DC=DEMO, DC=SSH, DC=COM
    Entering a pattern for the certificate selector

    Figure 5.8. Entering a pattern for the certificate selector

  12. Once you have made your changes, click OK.

    Completed selector

    Figure 5.9. Completed selector

  13. On the Parameters tab, unselect all authentication methods because the parent authentication group checks whether the public key authentication is successful.

    Unselecting authentication methods

    Figure 5.10. Unselecting authentication methods

  14. Click Apply to save your changes.

You need to configure user authentication with certificates in Tectia Client also. For more information, see Tectia Client User Manual.

For more information about the authentication settings, see Authentication.

Troubleshooting User Authentication with Certificates

You can troubleshoot problems in user authentication with certificates by taking the following steps:

  • Check that the server authentication phase is successful. When using x509v3 certificates, server authentication issues can sometimes stop client connections in the very beginning. Information about the server authentication issues must be checked from the client-side logs.

  • Check the Windows Event Log. Tectia Server's log messages are stored into the Application sublog.

  • If the logs do not show a clear reason for the user authentication problem, start Tectia Server in troubleshooting mode. Inspect the debugging messages using the View Troubleshooting Log tool in Tectia Server Configuration GUI (see Starting Tectia Server in Debug Mode on Windows).