SecureAuth IdP Version affected: All
Description:
SecureAuth IdP clients without direct access to the internet might experience an issue on Client Certificate SSL realms where authentication fails with HTTP 403.13.
Cause:
Client certificates are validated against the Certificate Revocation List (CRL) provided in the Certificate Distribution Point attribute of the X.509 v3 certificate. The CRL validation occurs at the IIS layer, so it uses the WinHttp API, which ignores both the Inetcpl.cpl proxy config and the IdP Realm proxy config.
Resolution:
You must set the proxy at the WinHttp API layer to validate CRLs.
Warning: Setting global proxy configuration at the WinHttp API layer might cause unintended consequences. It is advised that you review proxy bypass configuration for your environment before committing this change.
Proxy all traffic:
netsh winhttp set proxy proxy-server="proxyserver.domain.local:80"
Provide a proxy bypass list so that local network traffic is allowed (adjust for your environment):
netsh winhttp set proxy proxy-server="proxyserver.domain.local:80" bypass-list="*.mydomain.com;10.*"
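Verifying the change: the PowerShell script below is an added example, not part of the original SecureAuth article. It shows the current WinHttp proxy, reads the HTTP CRL URLs from an exported client certificate, and fetches each one through the WinHttp stack, which is the path the revocation check uses. The -CertPath parameter and the file it points to are assumptions; supply a client certificate exported from your own environment.

```powershell
# Added example: confirm that CRLs are reachable through the WinHttp proxy.
# Run on the IdP server from an elevated PowerShell prompt.
param(
    # Assumption: path to a client certificate exported as .cer
    [Parameter(Mandatory = $true)] [string] $CertPath
)

# 1. Show the machine-wide WinHttp proxy that the revocation check will use.
netsh winhttp show proxy

# 2. Read the CRL distribution point extension (OID 2.5.29.31) from the certificate.
$path = (Resolve-Path $CertPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($path)
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) {
    Write-Warning "No CRL distribution point extension in $path"
    return
}

# Only HTTP(S) URLs are tested; LDAP distribution points are skipped.
$urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://[^\s,]+)') |
    ForEach-Object { $_.Groups[1].Value }

# 3. Fetch each CRL with the WinHttpRequest COM object. With no SetProxy call it
#    uses the proxy configured through "netsh winhttp", not the Inetcpl.cpl settings.
foreach ($url in $urls) {
    $req = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'
    try {
        # Timeouts in ms: resolve, connect, send, receive
        $req.SetTimeouts(5000, 5000, 10000, 10000)
        $req.Open('GET', $url, $false)
        $req.Send()
        '{0} -> HTTP {1}, {2} bytes' -f $url, $req.Status, $req.ResponseBody.Length
    }
    catch {
        # A timeout or connection error here means the CRL is still unreachable
        # from this server through the configured WinHttp proxy.
        Write-Warning ('{0} -> FAILED: {1}' -f $url, $_.Exception.Message)
    }
}
```

An HTTP 200 with a non-zero byte count for each URL indicates the CRL can be retrieved through the WinHttp proxy. A failure for a host covered by the bypass list points at the bypass entry rather than the proxy itself.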