Certificate Authentication Fails

Problem: After a user connects to the Transfer Client, the error message says, "X.509 client authentication is required. Please ensure you are passing a valid X.509 certificate that corresponds to a valid user in the system." This message appears when Gateway Administrator is configured to require authentication using X.509 certificates and authentication is not successful. This may be due to any of the following:

  • PKI Services Manager is not running or is not correctly configured in the Gateway Administrator.

    Try testing the connection to PKI Services Manager from Gateway Administrator. Go to System > PKI Servers. Select your added server, click Edit, then click Verify Connection.

  • No certificate is available on the client system.

    Has the client system been configured to use a smart card or present a personal certificate from the browser's personal certificate store?

  • The certificate is mapped to an invalid user account or is mapped to multiple user accounts.

    The PKI Services Manager identity mapping must return a single, valid user for the presented certificate. Use the PKI Services Manager test utility to view allowed identities. (Start the PKI Services Manager console and go to Utility > Test Certificate.) The allowed identity list should consist of exactly one user, and that user must be provisioned in Gateway Administrator.

  • The certificate is valid, but PKI Services Manager is not correctly configured to validate it.

See "Troubleshooting PKI Services Manager Configuration" in the PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.

  • The certificate presented by the user is invalid.

    The certificate is expired, has been revoked, or does not meet other certificate requirements for user authentication. Use the PKI Services Manager test utility to test the certificate. (Start the PKI Services Manager console and go to Utility > Test Certificate.) For detailed information about certificate validation requirements, see "Certificate Attribute Requirements Enforced by PKI Services Manager" in the PKI Services Manager User Guide, which is available from http://support.attachmate.com/manuals/pki.html.

Problem: The user has more than one valid certificate. After selecting the correct certificate during authentication, the browser continues to present additional windows and the connection fails.

  • This is a known issue with Internet Explorer. If you have multiple certificates, connect using Chrome or Firefox.