Web Agent :: X509 Certificate Authentication : smgetcreds.scc shows a blank page

Document ID : KB000097679
Last Modified Date : 23/05/2018
Issue:
We're running Web Agent. When a user reaches the X509 Authentication
Scheme URL /siteminderagent/smgetcreds.scc, no authentication is done
and the browser stays on a blank page.

If we reload the page, then we get access to the protected page 
and get authenticated and authorized.

How can we solve this issue?
Environment:
Web Agent 12.52SP01CR02 64bit on IIS 8.5 with ARR module on Windows 2012; 
Policy Server 12.52SP01 on RedHat 6; 
Policy Store Odbc Oracle 12c; 
 
Resolution:
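1. On the IIS server, remove from the "Trusted Root Certification
   Authorities" store every certificate that is not self-signed, and
   ensure the store only contains self-signed certificates (Root
   Certificates).

   Use the commands given on the page referenced below. The first
   lists the certificates whose Issuer differs from their Subject; the
   second moves them to the Intermediate Certification Authorities
   store (Cert:\LocalMachine\CA):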

   Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} 
   Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA 

   HTTP error 403.16 - client certificate trust issue 
   https://stackoverflow.com/questions/26247462/http-error-403-16-client-certificate-trust-issue?utm_medium=organic&utm_source=google_rich_qa&utm_campaign=google_rich_qa 

2. The Issuer DN in the Certificate mapping must correspond exactly to
   the Issuer DN in the certificate:

   Certificate : CN=duspa01lab.ca.com,OU=Support,O=CA,L=Barcelona,ST=Barcelona,C=ES 
   Mapping : C=ES, ST=Barcelona, L=Barcelona, O=CA, OU=Support, CN=duspa01lab.ca.com 

   Remove the spaces from the Mapping to get this:

   Mapping : C=ES,ST=Barcelona,L=Barcelona,O=CA,OU=Support,CN=duspa01lab.ca.com 

3. In the IIS configuration, set:

   Default Web Site
      Anonymous Authentication : Enabled
      SSL Settings             : Require SSL
      Client certificates      : Ignore

   Default Web Site > siteminderagent > cert
      Anonymous Authentication : Disabled
      SSL Settings             : Require SSL
      Client certificates      : Require

   If "Default Web Site" is also configured with "Anonymous
   Authentication Disabled", the browser shows a blank page after a
   few seconds.

   With "Default Web Site" configured with "Anonymous Authentication
   Enabled", when you reach the IIS default page you get the popup to
   select the certificate and, once done, you get the IIS start page.

   c:\> start /B iexplore https://duspa01-p2983.ca.com/iisstart.htm 

   The following line is expected in the Web Agent traces:

   "User 'unknown' is authenticated by Policy Server."

   This means that the identity has been found from the certificate and
   passed successfully to the Policy Server.
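
Step 2 as an added example (not part of the original article or of the product): a small Python helper that removes only the spaces around the DN separators, so a mapping string can be normalised and compared with the certificate's Issuer DN. The function names are hypothetical; keeping spaces inside values and accepting either RDN order, as in the sample pair of step 2, are assumptions.

```python
# Added example: normalise an X.509 DN string for a certificate mapping.
# Assumption: only spaces around the ',' and '=' separators are removed;
# spaces inside a value (e.g. "O=Example Corp") and escaped commas are kept.

# The two strings shown in step 2 of the article.
CERT_ISSUER = "CN=duspa01lab.ca.com,OU=Support,O=CA,L=Barcelona,ST=Barcelona,C=ES"
MAPPING = "C=ES, ST=Barcelona, L=Barcelona, O=CA, OU=Support, CN=duspa01lab.ca.com"


def split_rdns(dn):
    """Split a DN on unescaped, unquoted commas and trim each attr=value."""
    rdns, buf, escaped, quoted = [], [], False, False
    for ch in dn:
        if ch == "," and not escaped and not quoted:
            rdns.append("".join(buf))   # separator: close the current RDN
            buf = []
            continue
        if ch == '"' and not escaped:
            quoted = not quoted         # commas inside "..." are literal
        escaped = (ch == "\\" and not escaped)
        buf.append(ch)
    rdns.append("".join(buf))

    trimmed = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError("not an attr=value RDN: %r" % rdn)
        value = value.lstrip()
        # Drop trailing spaces, but keep an escaped one ("\ ").
        while value.endswith(" ") and not value.endswith("\\ "):
            value = value[:-1]
        trimmed.append(attr.strip() + "=" + value)
    return trimmed


def normalise_dn(dn):
    """Return the DN with no spaces around its separators."""
    return ",".join(split_rdns(dn))


def same_issuer(cert_dn, mapping_dn):
    """True if both strings hold the same RDNs, in the same or reverse order."""
    a, b = split_rdns(cert_dn), split_rdns(mapping_dn)
    return a == b or a == b[::-1]


if __name__ == "__main__":
    print(normalise_dn(MAPPING))
    print(same_issuer(CERT_ISSUER, MAPPING))
```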