Troubleshooting smart card authentication

If smart card authentication fails after it has been configured, it could be due to the format of the CN string in the certificate. BlackBerry AtHoc has three regular expressions for validating the mapping ID (MID):
  • HTTP_CAC_REGEX
  • ALT_HTTP_CAC_REGEX
  • CAC_SAN_REGEX
These regular expressions are in the ngaddata.glb_config_tab.
BlackBerry AtHoc attempts to parse the MID using HTTP_CAC_REGEX. If that fails, it attempts to parse the MID using ALT_HTTP_CAC_REGEX. If that also fails, it attempts to parse the MID using CAC_SAN_REGEX.
Sometimes the certificate can be stripped from the header by a proxy server, which causes the validation to fail. In other cases, the regular expression could not parse the data. As a first step, verify that the certificate details are making it through to BlackBerry AtHoc. Use the Test Page described in Appendix A: Retrieve certificate information.
See the sample verbose log entry below, and note that the subject is missing.
If you are getting a 403 error that prevents the login page from displaying, deselect Require SSL in IIS. Otherwise, the call to GetCACMID is not made.
If the certificate information does not appear, it may be due to SSL settings in IIS, or due to a proxy removing the information from the request.
It is possible that the information from the certificate is available, but the certificate is not. The CAC_CHECK_PRESENT property can be set to N to work around this issue. This setting is not exposed in the user interface.
Sample verbose log entry:
<event>
  <eventId>12445</eventId>
  <type>VERBOSE</type>
  <time>02/03/2015 15:36:53.350</time>
  <server>D1ASEPRIC090</server>
  <categorySource>Management System</categorySource>
  <assembly>MSDotNetClient.dll</assembly>
  <module>AuthController</module>>
  <member>GetCACMID</member>
  <shortMessage> CAC: Issuer: SerialNumber: Subject: Valid From: 2/3/2015 3:36:53 PM Valid Until: 2/3/2015 3:36:53 PM IsValid: True CertEncoding: 0 Cookie: Present: False </shortMessage>
  . . . .
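The check described above (is the certificate subject reaching the application?) can be scripted over exported verbose entries. The following Python sketch is an added example, not BlackBerry AtHoc code: the function names, result strings and sample entries are constructed here, and reading the Present field as the condition behind CAC_CHECK_PRESENT is an assumption.

```python
import re

# Field labels as they appear in the GetCACMID shortMessage shown on this page.
LABELS = ["Issuer", "SerialNumber", "Subject", "Valid From", "Valid Until",
          "IsValid", "CertEncoding", "Cookie", "Present"]
LABEL_RE = re.compile(r"\b(" + "|".join(map(re.escape, LABELS)) + r"):")

def parse_short_message(entry):
    """Return {label: value} from a GetCACMID verbose entry, or None."""
    # Regex extraction rather than an XML parser: exported entries can be truncated.
    if not re.search(r"<member>\s*GetCACMID\s*</member>", entry):
        return None
    body = re.search(r"<shortMessage>(.*?)</shortMessage>", entry, re.S)
    if body is None:
        return None
    text = body.group(1)
    hits = list(LABEL_RE.finditer(text))
    fields = {}
    for i, hit in enumerate(hits):
        # A value runs from the end of its label to the start of the next label.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        fields[hit.group(1)] = text[hit.end():end].strip()
    return fields

def triage(fields):
    """Map parsed fields to a troubleshooting branch (hypothetical result names)."""
    identity = [fields.get(k, "") for k in ("Issuer", "SerialNumber", "Subject")]
    present = fields.get("Present", "").lower() == "true"
    if not any(identity):
        return "no-cert-details"       # check IIS SSL settings and proxy stripping
    if not fields.get("Subject"):
        return "subject-missing"
    if not present:
        return "details-without-cert"  # assumed to be the CAC_CHECK_PRESENT case
    return "details-ok"                # details arrived; check the three regexes

# Constructed sample: same shortMessage fields as the entry on this page, trimmed.
SAMPLE_EMPTY = ("<event><type>VERBOSE</type><member>GetCACMID</member>"
    "<shortMessage> CAC: Issuer: SerialNumber: Subject: "
    "Valid From: 2/3/2015 3:36:53 PM Valid Until: 2/3/2015 3:36:53 PM "
    "IsValid: True CertEncoding: 0 Cookie: Present: False </shortMessage>")
# Constructed sample with made-up certificate values filled in.
SAMPLE_FULL = (SAMPLE_EMPTY.replace("Issuer: ", "Issuer: CN=Example CA ")
    .replace("SerialNumber: ", "SerialNumber: 0A1B ")
    .replace("Subject: ", "Subject: CN=DOE.JANE.1234567890 ")
    .replace("Present: False", "Present: True"))

if __name__ == "__main__":
    for sample in (SAMPLE_EMPTY, SAMPLE_FULL):
        print(triage(parse_short_message(sample)))
```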