
Troubleshooting smart card authentication

If smart card authentication fails after it has been configured, it could be due to the format of the CN string in the certificate. BlackBerry AtHoc has three regular expressions for validating the mapping ID (MID):
  • HTTP_CAC_REGEX
  • ALT_HTTP_CAC_REGEX
  • CAC_SAN_REGEX 
These regular expressions are in ngaddata.glb_config_tab.
BlackBerry AtHoc attempts to parse the MID using HTTP_CAC_REGEX. If that fails, it attempts to parse the MID using ALT_HTTP_CAC_REGEX. If that also fails, it attempts to parse the MID using CAC_SAN_REGEX.
Sometimes a proxy server strips the certificate from the header, which causes the validation to fail. In other cases, the regular expression cannot parse the data. As a first step, verify that the certificate details are making it through to BlackBerry AtHoc. Use the Test Page described in Appendix A: Retrieve certificate information.
See the sample verbose log entry below, and note that the subject is missing.
If you are getting a 403 error that prevents the login page from displaying, deselect Require SSL in IIS. Otherwise, the call to GetCACMID is not made.
If the certificate information does not appear, it may be due to SSL settings in IIS, or due to a proxy removing the information from the request.
It is possible that the information from the certificate is available, but the certificate is not. Version 6.1.8.87 CP1 with CHF3 and later BlackBerry AtHoc releases have a new property, CAC_CHECK_PRESENT, which can be set to N to work around this issue. This setting is not exposed in the user interface.
Sample verbose log entry
<event>
  <eventId>12445</eventId>
  <type>VERBOSE</type>
  <time>02/03/2015 15:36:53.350</time>
  <server>D1ASEPRIC090</server>
  <categorySource>Management System</categorySource>
  <assembly>MSDotNetClient.dll</assembly>
  <module>AuthController</module>
  <member>GetCACMID</member>
  <shortMessage>
    CAC:
    Issuer:
    SerialNumber:
    Subject:
    Valid From: 2/3/2015 3:36:53 PM
    Valid Until: 2/3/2015 3:36:53 PM
    IsValid: True
    CertEncoding: 0
    Cookie:
    Present: False
  </shortMessage>
  . . . .
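
The following triage script is an added example, not BlackBerry AtHoc code. It parses the shortMessage of a GetCACMID verbose entry and separates the failure modes described above: no certificate data arriving, a subject that none of the three regular expressions can parse, and certificate data without the certificate itself. The three patterns are constructed placeholders (the real values must be copied from ngaddata.glb_config_tab); applying all three to the Subject field and tying the Present flag to CAC_CHECK_PRESENT are assumptions.

```python
import re

# Constructed placeholder patterns: copy the real values from ngaddata.glb_config_tab.
# Assumption: all three are tried against one string; the product may feed
# CAC_SAN_REGEX a different certificate field.
REGEXES = [
    ("HTTP_CAC_REGEX", r"CN=[^,]*\.(\d{10})(?:,|$)"),
    ("ALT_HTTP_CAC_REGEX", r"CN=(\d{10})(?:,|$)"),
    ("CAC_SAN_REGEX", r"(\d{10,16})@"),
]
# Field labels as they appear in the GetCACMID shortMessage on this page.
FIELDS = ["Issuer", "SerialNumber", "Subject", "Valid From", "Valid Until",
          "IsValid", "CertEncoding", "Cookie", "Present"]
LABEL = re.compile(r"\b(" + "|".join(map(re.escape, FIELDS)) + r"):")

# shortMessage text from the sample verbose log entry on this page.
PAGE_SAMPLE = ("CAC: Issuer: SerialNumber: Subject: Valid From: 2/3/2015 3:36:53 PM "
               "Valid Until: 2/3/2015 3:36:53 PM IsValid: True CertEncoding: 0 "
               "Cookie: Present: False")

def parse_short_message(msg):
    """Split the flattened 'Label: value' run into a dict; empty values stay ''."""
    hits = list(LABEL.finditer(msg))
    fields = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(msg)
        fields[hit.group(1)] = msg[hit.end():end].strip()
    return fields

def extract_mid(text, regexes=REGEXES):
    """Try each pattern in the documented order; return (config_key, mid) or (None, None)."""
    for name, pattern in regexes:
        match = re.search(pattern, text)
        if match:
            return name, match.group(1)
    return None, None

def triage(msg):
    """Classify one GetCACMID entry into the failure modes this page describes."""
    fields = parse_short_message(msg)
    if not fields.get("Subject"):
        return "no-cert-data: check IIS SSL settings or a proxy stripping the certificate"
    name, mid = extract_mid(fields["Subject"])
    if mid is None:
        return "regex-mismatch: subject arrived but no configured pattern parsed a MID"
    if fields.get("Present") == "False":  # assumption: this flag is what CAC_CHECK_PRESENT gates
        return f"cert-not-present: MID {mid} via {name}; consider CAC_CHECK_PRESENT"
    return f"ok: MID {mid} via {name}"

if __name__ == "__main__":
    print(triage(PAGE_SAMPLE))
```

A regex-mismatch result means the certificate reached the application, so the fix is in the configured pattern rather than in IIS or the proxy.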