The DC certs were renewed. The CA that signed them had also been renewed. The ssl_ca_certs_file in authproxy.cfg was now pointing to an old/incorrect CA certificate that no longer matched the new chain. This caused the SSL verification to fail, preventing users from logging in.
From the authproxy server, run this PowerShell. You'll need to update the name DC1.domain.local to match your DC.
# Open an LDAPS connection to the DC and read the certificate chain it presents.
# The {$true} callback accepts any certificate so we can inspect the chain even though it currently fails validation.
$tcpClient = New-Object System.Net.Sockets.TcpClient("DC1.domain.local", 636)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, {$true})
$sslStream.AuthenticateAsClient("DC1.domain.local")
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($sslStream.RemoteCertificate)   # discard the True/False result, we only want the elements
# List every certificate in the chain (DC leaf first, issuing/root CA last)
$chain.ChainElements | ForEach-Object {
    $c = $_.Certificate
    Write-Host "Subject: $($c.Subject)"
    Write-Host "Thumbprint: $($c.Thumbprint)"
    Write-Host "---"
}
$sslStream.Dispose(); $tcpClient.Close()
This should show us the new CA thumbprint (the CA element of the chain, not the DC's own leaf certificate).
Now we can use it to export the CA cert we need:
$tcpClient = New-Object System.Net.Sockets.TcpClient("DC1.domain.local", 636)
$sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream(), $false, {$true})
$sslStream.AuthenticateAsClient("DC1.domain.local")
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null = $chain.Build($sslStream.RemoteCertificate)
# Select the CA certificate by the thumbprint found in the previous step
$caCert = $chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq "NEW-CA-THUMBPRINT-HERE" } | Select-Object -First 1
if (-not $caCert) { throw "No chain element with that thumbprint; re-check the value from the previous step" }
# Export as DER, then wrap it in PEM so the auth proxy can read it
$bytes = $caCert.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [System.Convert]::ToBase64String($bytes, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----"
$null = New-Item -ItemType Directory -Path "C:\certs" -Force   # make sure the target folder exists
[System.IO.File]::WriteAllText("C:\certs\DC-CA-new.cer", $pem)
Write-Host "Done - saved to C:\certs\DC-CA-new.cer"
$sslStream.Dispose(); $tcpClient.Close()
Update the authproxy.cfg file, under the [ad_client] section:
ssl_ca_certs_file=C:\certs\DC-CA-new.cer
Stop/start the authproxy service:
net stop DuoAuthProxy && net start DuoAuthProxy
Run the connectivity tool again; all should be fixed:
C:\Program Files\Duo Security Authentication Proxy\bin> .\authproxy_connectivity_tool.exe
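To catch this failure before users do (or to confirm the fix), the following added check, which is not part of the original post, reads ssl_ca_certs_file from authproxy.cfg and compares that CA against the chain the DC actually serves on 636. The config path and DC name are assumptions; edit them for your environment.

```powershell
# Added check (not from the original post): does the configured CA file match what the DC serves?
$cfgPath = "C:\Program Files\Duo Security Authentication Proxy\conf\authproxy.cfg"  # assumed default location
$dc      = "DC1.domain.local"                                                        # assumed DC name

# Find ssl_ca_certs_file under [ad_client] (first occurrence wins)
$section = $null; $caFile = $null
foreach ($line in Get-Content $cfgPath) {
    $t = $line.Trim()
    if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
    if ($section -eq 'ad_client' -and $t -match '^ssl_ca_certs_file\s*=\s*(.+)$') {
        $caFile = $Matches[1].Trim(); break
    }
}
if (-not $caFile)            { throw "No ssl_ca_certs_file under [ad_client] in $cfgPath" }
if (-not (Test-Path $caFile)) { throw "Configured CA file not found: $caFile" }

# X509Certificate2 loads both DER and PEM .cer files on Windows
$configured = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($caFile)
Write-Host "Configured CA: $($configured.Subject) / $($configured.Thumbprint) (expires $($configured.NotAfter))"
if ($configured.NotAfter -lt (Get-Date)) { Write-Warning "Configured CA certificate has expired" }

# Fetch the chain the DC presents; the {$true} callback only lets us read a chain that may not validate
$tcp = New-Object System.Net.Sockets.TcpClient($dc, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($dc)
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($ssl.RemoteCertificate)
$served = $chain.ChainElements | ForEach-Object { $_.Certificate }
$ssl.Dispose(); $tcp.Close()

# Compare by thumbprint: the configured CA must be one of the served chain elements
if ($served | Where-Object { $_.Thumbprint -eq $configured.Thumbprint }) {
    Write-Host "OK: configured CA is in the chain served by $dc"
} else {
    Write-Warning "MISMATCH: configured CA is not in the chain served by $dc. Served chain:"
    $served | ForEach-Object { Write-Host "  $($_.Subject) / $($_.Thumbprint)" }
}
```

A MISMATCH here is exactly the state described at the top of the post; confirm the served CA thumbprint with whoever manages the CA before trusting and exporting it, since the connection itself is made without validation.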