This is a collection of the current documentation on setting up Certificate Authentication in WPM, which can be used to monitor sites that require certificate-based access. This also covers Smart Card PIV/PKI access, as long as a software certificate is used instead of a physical card.
How WPM Certificate support works:
In order to include a certificate in a WPM recording, WPM has to be able to export that certificate together with its private key. If the recorder reports that your current certificate does not have its private key marked as exportable, there are two options.
- The first is to make the private key exportable on the machine where you record the transaction (which means removing the certificate and importing it again with an exportable private key). WPM will then be able to include the certificate in the recording and it will work during playback. However, this is a security risk: the certificate and its private key are then saved inside the recording, and anyone who can access the recording data on the WPM server may be able to extract them.
- The second option is to take the certificate and install it on every machine where a WPM player is installed. WPM then does not need to carry the certificate in the recording, because the player will find it in the local certificate store during playback.
So unless you have many players, it is usually easier (and safer) to log into each player and install the client certificate on each of them.
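The two options above, worked through in PowerShell as an added example (this is not SolarWinds code and is not part of the original page). It checks whether the private key behind a certificate in the current user's Personal store is exportable, then shows the re-import with an exportable key for option 1 and the per-player install for option 2. It assumes Windows PowerShell 5.1 or later with the PKI module cmdlet Import-PfxCertificate (Windows 8 / Server 2012 and later); the thumbprint and PFX path are placeholders you replace with your own.

```powershell
# Added example, not SolarWinds code. Assumes Windows PowerShell 5.1+ and the PKI module
# (Import-PfxCertificate). $Thumbprint and $PfxPath are placeholders.

function Test-PrivateKeyExportable {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    if (-not $Certificate.HasPrivateKey) { return $false }

    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the export policy flags decide whether the key can ever leave the machine
        $policy = $rsa.Key.ExportPolicy
        return ([int]($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport)) -ne 0
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key
        return $rsa.CspKeyContainerInfo.Exportable
    }
    # ECDSA or an unknown provider: report "not exportable" rather than guess
    return $false
}

$Thumbprint = '0000000000000000000000000000000000000000'   # placeholder: thumbprint of the client cert
$PfxPath    = 'C:\certs\client.pfx'                         # placeholder: the original PFX the cert came from
$ReimportExportable = $false   # set to $true only if you accept the key being stored in the recording

$cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\CurrentUser\My" }

if (Test-PrivateKeyExportable -Certificate $cert) {
    Write-Host 'Private key is exportable: the recorder can embed the certificate in the recording (option 1).'
}
else {
    Write-Host 'Private key is NOT exportable: the recorder cannot embed it in the recording.'
}

if ($ReimportExportable) {
    # Option 1: a non-exportable key cannot be exported, so the only way to get an exportable copy
    # is to remove the certificate and import the original PFX again with -Exportable.
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
    $cert | Remove-Item
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $pfxPassword -Exportable | Out-Null
    Write-Host 'Re-imported with an exportable private key; the recording will now carry the certificate.'
}
else {
    # Option 2 (preferred): leave the key non-exportable on the recorder and run the import below on
    # each player instead, logged in as the account the player uses for playback, so the certificate
    # is found in that account's Personal store at playback time.
    Write-Host "On each player, as the playback account, run:"
    Write-Host "  Import-PfxCertificate -FilePath '$PfxPath' -CertStoreLocation Cert:\CurrentUser\My -Password (Read-Host -AsSecureString)"
}
```

The exportability check is what decides which option you are in: if it returns $true, the certificate and key will end up inside the recording data on the WPM server, which is exactly the exposure the text above warns about.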
Client Certificate support for WPM (SEUM)
WPM supports client certificates beginning with v1.5. Following are the details of how this is done:
- A transaction is recorded. If a page requests a client certificate, the recorder displays a certificate selection dialog.
- The user selects a certificate, and its name, issuer, and other identification data are saved into the recording. The certificate itself is not stored.
- When the recording is played back and a page requests a certificate, the player tries to find an existing certificate on the player machine that matches the information stored in the recording.
- If a matching certificate is found, it is sent to the page. If no matching certificate is found, the request is canceled, which usually ends with an Access Denied response from the page.
Note: The certificate must already be present and available on the player machine.
WPM not passing client certificates
The customer is trying to create a recording using a Client Certificate in WPM - Web Transaction Recorder. When attempting to play a transaction that requires 2-way authentication, the page is redirected back to a security landing page, which means that WPM is not presenting the client certificate. When the transaction is played from the customer's remote player, a recorder popup is displayed that asks the customer to choose a certificate.
This issue happens because the recordings the customer made in WPM - Web Transaction Recorder were created using a domain admin account, not a local admin account.
There is no way to make WPM load all certificates from the Personal store regardless of their OID. WPM only loads certificates that carry the Client Authentication OID (1.3.6.1.5.5.7.3.2) in their Enhanced Key Usage extension. This is why the customer does not get a certificate popup on the site during recording.
For more details about Client Certificate support for SEUM, please see the following KB article - http://knowledgebase.solarwinds.com/kb/questions/3989/Client+Certificate+support+for+SEUM
- Make sure the accounts are set up as described in "Use domain accounts in Web Performance Monitor".
- Open the certificate and check whether its "Enhanced Key Usage" contains "Client Authentication (1.3.6.1.5.5.7.3.2)". In the certificates console, open the properties of the particular certificate and select the "Details" tab; there is a field "Enhanced Key Usage". If it does not contain "Client Authentication", WPM does not see the certificate and does not know how to use it.
- If WPM does not show a certificate popup, the certificate is either not installed at all, not in the user's Personal store, or missing the Client Authentication OID. Keep in mind that you are most likely running the recorder under a different account than the accounts that will be used for the actual playback from the location, and each account has its own Personal store.
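An added PowerShell audit (not SolarWinds code and not part of the original page) that applies the rules from the "Client Certificate support for WPM (SEUM)" section and from the troubleshooting list above. It lists every certificate in the Personal store of the account it runs under, flags the ones WPM can offer (Client Authentication EKU 1.3.6.1.5.5.7.3.2 plus a private key), states why the others are skipped, and approximates the player-side lookup with a subject/issuer match. Matching on subject and issuer only is an assumption: the recording also stores other identification data that the page does not list. The validity-period check is an extra sanity check, not one of WPM's documented rules, and the $RecordedSubject and $RecordedIssuer values are placeholders.

```powershell
# Added example, not SolarWinds code. Run it as the account the recorder or the player uses,
# because Cert:\CurrentUser\My is per account. Windows PowerShell 5.1+ assumed.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth, the EKU WPM requires

function Get-WpmSkipReasons {
    # Returns an empty array when WPM should be able to offer the certificate,
    # otherwise one short reason per failed check.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $reasons = @()
    if (-not $Certificate.HasPrivateKey) { $reasons += 'no private key' }

    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    if (-not $eku) {
        # Windows treats a certificate without EKU as valid for all purposes, but WPM looks for the OID explicitly
        $reasons += 'no Enhanced Key Usage extension'
    }
    elseif (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })) {
        $reasons += "EKU lacks Client Authentication ($ClientAuthOid)"
    }

    # Extra sanity check (assumption, not a documented WPM rule): an expired cert is rejected by the site anyway
    $now = Get-Date
    if ($Certificate.NotAfter -lt $now -or $Certificate.NotBefore -gt $now) { $reasons += 'outside validity period' }
    return ,$reasons
}

function Get-WpmCertificateReport {
    # One row per certificate in the Personal store, with the WPM verdict and the reason for a skip
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        $why = @(Get-WpmSkipReasons -Certificate $_)
        [pscustomobject]@{
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            Thumbprint = $_.Thumbprint
            WpmUsable  = ($why.Count -eq 0)
            SkipReason = ($why -join '; ')
        }
    }
}

function Find-WpmClientCertificate {
    # Approximates the player's lookup: the recording stores subject and issuer, and the player
    # takes a usable certificate whose fields match. Exact-string match is an assumption.
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Issuer
    )
    Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object {
        $_.Subject -eq $Subject -and $_.Issuer -eq $Issuer -and
        (@(Get-WpmSkipReasons -Certificate $_)).Count -eq 0
    } | Select-Object -First 1
}

Get-WpmCertificateReport | Format-Table -AutoSize

$RecordedSubject = 'CN=jdoe, OU=Users, DC=example, DC=com'      # placeholder: subject saved in the recording
$RecordedIssuer  = 'CN=Example Issuing CA, DC=example, DC=com'  # placeholder: issuer saved in the recording
$match = Find-WpmClientCertificate -Subject $RecordedSubject -Issuer $RecordedIssuer
if ($match) { "Player would present: $($match.Thumbprint)" }
else        { 'No usable match: the player cancels the certificate request, so expect Access Denied.' }
```

Run the report twice, once as the account you record under and once as the account the player runs under on each location; a certificate that is "WpmUsable" in the first run and absent in the second is the usual reason a transaction records fine but fails on playback.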
If the page does not generate a certificate popup, check in IE to see if it works. If IE works, then it seems to me like some permission/security issue. Are you running the recorder with the recommended settings? If you run the recorder with the recommended settings, does it then work, even in IE, after applying these changes?
This can be caused by many things, so if you feel that this troubleshooting does not reveal what is causing the issue, feel free to open a support case. In that case, one small but important note on how to collect logs:
- Run Log Adjuster (by default at "C:\Program Files (x86)\SolarWinds\Orion\LogAdjuster.exe")
- Find WPM and select DEBUG (you need to select DEBUG even if it is already selected)
- Verify that, for the whole WPM table, the value under the "Control" column is set to DEBUG
- Hit Apply
- Run recorder
- Try to record your recording where certificate selection occurs, at least once.
- Run Orion Diagnostics (by default at "C:\Program Files (x86)\SolarWinds\Orion\SolarwindsDiagnostics.exe")
- Press Start and save zip file.
- Provide this zip file to support in your support case.
- Run Log Adjuster again
- Set the log level for WPM back to INFO
- Hit Apply