Hi
I have UAG 3.0 deployed with Horizon 7.1. External access works fine but I want to lock it down so that only computers that are domain members can connect. I followed the guide for deploying with PowerShell and added these lines to the ini file.
authMethods=certificate-auth && sp-auth
[CertificateAuth]
pemCerts=C:\certs\domain-cachain.pem
Both domain and non-domain members get the same error message;
/opt/vmware/gateway/logs/esmanager.log shows this error when connecting
unable to retrieve client certificate from session: <sessionId>
The troubleshooting guide for UAG 3.1 says to check the client side certificate if X.509 is configured.
How should this certificate be configured?
Thanks
An update for anyone who cares.
Tried to get this working on a LAN, with Connection Servers and UAG on the same subnet. Had the same errors.
This worked for me on the LAN connection.
The certificate template is a copy of the Workstation template. Edit the template with the following:
Subject Name | Subject Name Format
Changed from None to Common Name
Request new certificate
Edit certificate
Right-click certificate | All Tasks | Manage Private Keys | Add 'Domain Users' group to have Read permission
Cheers
** Update **
Having tested with the UAG through the firewall from an external connection, I can confirm this now works after the changes to the certificate.
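The script below checks a client for the two properties changed in the post above: a Common Name in the certificate subject, and Read access for Domain Users on the private key. It is an added example, not part of the original thread. It assumes the certificate sits in the computer store (Cert:\LocalMachine\My), uses an RSA key stored on disk, and that the group carries the English name "Domain Users".

```powershell
# Added example. Assumptions: the certificate is in the computer store
# (Cert:\LocalMachine\My), has an RSA key stored on disk, and the group is
# named "Domain Users". Run elevated so key files and their ACLs are readable.
$keyDirs = "$env:ProgramData\Microsoft\Crypto\Keys",
           "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    } catch { return $null }          # key not accessible to the current user
    $name = $null
    if ($key -is [System.Security.Cryptography.RSACng]) {
        $name = $key.Key.UniqueName                               # CNG key
    } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $key.CspKeyContainerInfo.UniqueKeyContainerName   # legacy CSP key
    }
    if (-not $name) { return $null }
    # The key file name equals the unique container name; look in both stores.
    $keyDirs | ForEach-Object { Join-Path $_ $name } |
        Where-Object { Test-Path $_ } | Select-Object -First 1
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $file = if ($cert.HasPrivateKey) { Get-PrivateKeyFile $cert }
    $canRead = $false
    if ($file) {
        # Look for an Allow entry granting read access to Domain Users.
        $canRead = [bool]((Get-Acl -Path $file).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like '*\Domain Users' -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        })
    }
    [pscustomobject]@{
        Thumbprint            = $cert.Thumbprint
        Subject               = $cert.Subject
        HasCommonName         = $cert.Subject -match '(^|,\s*)CN='
        HasPrivateKey         = $cert.HasPrivateKey
        DomainUsersCanReadKey = $canRead
    }
} | Format-Table -AutoSize
```

A row showing False for HasCommonName or DomainUsersCanReadKey matches the state before the template and permission changes described in the post. The ACL check only sees a direct entry for the group, not access granted through other groups.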