PIV Smart Card Support
- Last Updated: August 29, 2025
In LoadMaster firmware version 7.2.53, support was added for Personal Identity Verification (PIV) smart card authentication. PIV guidance is to match certificate fields to the altSecurityIdentities attribute of the user object in Active Directory (AD). Support has been added for both Single Sign-On (SSO) and Web User Interface (WUI) authentication.
Select Certificate to User Mapping
The Select Certificate to User Mapping drop-down list appears in the Virtual Services > Manage SSO > Modify screen if the Authentication Protocol is set to Certificates.
The Select Certificate to User Mapping field appears in the Certificates & Security > Remote Access > WUI Authorization Options screen if the following settings are configured:
- Session Management must be enabled (Certificates & Security > Admin WUI Access) to see the WUI Authorization Options button.
- The Admin Login Method in Certificates & Security > Remote Access must be set to a Client certificate method.
- The Pre-Auth Click Through Banner must be set in Certificates & Security > Admin WUI Access before you can select a Client certificate method as the Admin Login Method in Certificates & Security > Remote Access.
The Select Certificate to User Mapping field has the following values:
- User Principal Name (default value)
- Subject
- Issuer and Subject
- Issuer and Serial Number
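As an added example (not LoadMaster or Microsoft code), the following Python builds the directory lookup that each mapping mode implies, using the altSecurityIdentities string formats Microsoft documents for Active Directory (X509:<S>, X509:<I>...<S> and X509:<I>...<SR>), and emulates the rule from the caveats below that a lookup returning more than one match fails the login. The attribute names queried, the exact strings the LoadMaster generates, and the sample certificate fields and directory entries are assumptions constructed for the example.

```python
"""Certificate-to-user mapping for the four 'Select Certificate to User Mapping'
modes, emulated against a constructed directory.

Added example, not LoadMaster code. The altSecurityIdentities formats are the
ones Microsoft documents for AD; that the LoadMaster queries exactly these
attributes with exactly these filters is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CertFields:
    """Fields a client certificate contributes to the mapping.

    issuer_rdns / subject_rdns are in LDAP display order (most specific RDN
    first, as `openssl x509 -nameopt RFC2253` prints them). serial_hex is the
    big-endian hex serial as printed by `openssl x509 -serial`. upn is the SAN
    otherName 1.3.6.1.4.1.311.20.2.3 value, or None if the certificate has none.
    """
    issuer_rdns: Tuple[str, ...]
    subject_rdns: Tuple[str, ...]
    serial_hex: str
    upn: Optional[str]


def x509_dn(rdns: Tuple[str, ...]) -> str:
    """altSecurityIdentities holds DNs root-first (DC=com,DC=...,CN=...),
    the reverse of LDAP display order."""
    return ",".join(reversed(rdns))


def reverse_serial(serial_hex: str) -> str:
    """The <SR> component is the serial number with its byte order reversed."""
    h = serial_hex.strip().upper().replace(":", "")
    if len(h) % 2:
        h = "0" + h
    return bytes.fromhex(h)[::-1].hex().upper()


def mapping_value(mode: str, cert: CertFields) -> Tuple[str, str]:
    """Return the (attribute, value) pair the directory entry must carry."""
    if mode == "User Principal Name":
        if not cert.upn:
            raise ValueError("certificate carries no UPN in its SAN")
        return "userPrincipalName", cert.upn
    issuer = x509_dn(cert.issuer_rdns)
    subject = x509_dn(cert.subject_rdns)
    if mode == "Subject":
        return "altSecurityIdentities", f"X509:<S>{subject}"
    if mode == "Issuer and Subject":
        return "altSecurityIdentities", f"X509:<I>{issuer}<S>{subject}"
    if mode == "Issuer and Serial Number":
        return "altSecurityIdentities", f"X509:<I>{issuer}<SR>{reverse_serial(cert.serial_hex)}"
    raise ValueError(f"unknown mapping mode: {mode}")


# RFC 4515 filter escaping: commas in a DN are harmless, these characters are not.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_filter(attr: str, value: str) -> str:
    return f"({attr}={''.join(_ESCAPES.get(c, c) for c in value)})"


def resolve_user(directory: List[Dict[str, object]], mode: str, cert: CertFields) -> str:
    """Emulate the lookup: exactly one match is required; zero or several fail."""
    attr, value = mapping_value(mode, cert)
    want = value.casefold()  # AD compares these string attributes case-insensitively
    hits = []
    for entry in directory:
        have = entry.get(attr, [])
        values = have if isinstance(have, list) else [have]
        if any(str(v).casefold() == want for v in values):
            hits.append(str(entry["sAMAccountName"]))
    if len(hits) != 1:
        raise LookupError(f"{ldap_filter(attr, value)} matched {len(hits)} entries: {hits}")
    return hits[0]


# Constructed sample data, not taken from a real certificate or directory.
ALICE_CERT = CertFields(
    issuer_rdns=("CN=Example Issuing CA", "DC=example", "DC=com"),
    subject_rdns=("CN=Alice Smith", "OU=People", "DC=example", "DC=com"),
    serial_hex="1200000000AC11000000002B",
    upn="alice@example.com",
)
DIRECTORY: List[Dict[str, object]] = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@example.com",
     "altSecurityIdentities": [
         "X509:<I>DC=com,DC=example,CN=Example Issuing CA<S>DC=com,DC=example,OU=People,CN=Alice Smith",
         "X509:<I>DC=com,DC=example,CN=Example Issuing CA<SR>2B0000000011AC0000000012",
         "X509:<S>DC=com,DC=example,OU=People,CN=Alice Smith",
     ]},
    # A stale subject-only mapping left on a second account: harmless for the
    # issuer-qualified modes, but it makes the plain Subject lookup ambiguous.
    {"sAMAccountName": "alice.old", "userPrincipalName": "alice.old@example.com",
     "altSecurityIdentities": ["X509:<S>DC=com,DC=example,OU=People,CN=Alice Smith"]},
]

if __name__ == "__main__":
    for m in ("User Principal Name", "Subject", "Issuer and Subject", "Issuer and Serial Number"):
        try:
            print(f"{m:26} -> {resolve_user(DIRECTORY, m, ALICE_CERT)}")
        except LookupError as exc:
            print(f"{m:26} -> login fails: {exc}")
```

Running it shows the three issuer-qualified or UPN lookups resolving to `alice`, while the Subject mode fails because two accounts carry the same subject mapping. That is the practical reason to prefer Issuer and Subject or Issuer and Serial Number: a subject-only mapping can be duplicated across accounts, and it can be reproduced by any CA whose certificates the LoadMaster trusts.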
Some configuration caveats are below:
- After a certificate is revoked, it fails authentication. However, a previously cached OCSP response can keep it passing until that cache entry expires. To make it fail immediately, use the Flush OCSPD Cache option in System Configuration > System Administration > Logging Options > Debug Options.
- If the LDAP query returns more than one match, the login fails.
- If the certificate contains an Authority Information Access (AIA) extension, the LoadMaster attempts to connect to the OCSP responder named in the AIA. If this does not work, it tries to connect to the locally configured OCSP server.
- If the LoadMaster cannot get the status of the server configured in the certificate AIA, the LoadMaster does not fail back to the local server.
- If the certificate cannot be validated because the OCSP server is unavailable, the Allow Access on Server Failure check box in Certificates & Security > OCSP Configuration decides whether authentication passes. Enabling it treats an OCSP server connection failure or timeout as if the OCSP server had returned a valid response; that is, the client certificate is treated as valid. This is a fail-open setting: a revoked certificate is accepted for as long as the responder cannot be reached, so leave it disabled unless availability outweighs that risk.
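To make the last three caveats concrete, here is an added Python model (not LoadMaster code) of an OCSP decision with a response cache and an allow-on-server-failure toggle. It replays the sequence revoke, cached acceptance, flush, responder outage, and shows what each setting returns. The cache TTL, responder behaviour and certificate serial are constructed assumptions; responder selection via AIA is deliberately not modelled.

```python
"""OCSP acceptance decision with a status cache and a fail-open toggle.

Added example, not LoadMaster code: it models the caveats above (cached
responses outliving a revocation, the cache flush, and 'Allow Access on
Server Failure') so their effect on a revoked certificate can be observed.
"""
import time
from typing import Callable, Dict, Optional, Tuple

GOOD, REVOKED, UNKNOWN = "good", "revoked", "unknown"


class ResponderUnavailable(Exception):
    """Raised by the responder query on a connection failure or timeout."""


class OcspCache:
    """Time-bounded cache of definitive responder answers (good / revoked)."""

    def __init__(self, ttl_seconds: float, clock: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries: Dict[str, Tuple[str, float]] = {}

    def get(self, serial: str) -> Optional[str]:
        hit = self._entries.get(serial)
        if hit is None:
            return None
        status, stored_at = hit
        if self.clock() - stored_at > self.ttl:
            del self._entries[serial]
            return None
        return status

    def put(self, serial: str, status: str) -> None:
        self._entries[serial] = (status, self.clock())

    def flush(self) -> None:
        """What the 'Flush OCSPD Cache' debug option does in this model."""
        self._entries.clear()


class OcspPolicy:
    def __init__(self, cache: OcspCache, query: Callable[[str], str], allow_on_server_failure: bool):
        self.cache = cache
        self.query = query  # asks the responder; raises ResponderUnavailable
        self.allow_on_server_failure = allow_on_server_failure

    def decide(self, serial: str) -> Tuple[bool, str]:
        """Return (accepted, reason). A cached answer wins over a fresh query."""
        cached = self.cache.get(serial)
        if cached is not None:
            return cached == GOOD, f"cache:{cached}"
        try:
            status = self.query(serial)
        except ResponderUnavailable:
            if self.allow_on_server_failure:
                # Fail open: the outage is treated as a 'good' answer.
                return True, "server-failure:allowed"
            return False, "server-failure:denied"
        if status in (GOOD, REVOKED):
            self.cache.put(serial, status)  # only definitive answers are cached
        return status == GOOD, f"responder:{status}"


class FakeResponder:
    """Constructed stand-in for an OCSP responder: a status table plus an outage switch."""

    def __init__(self, statuses: Dict[str, str]):
        self.statuses = dict(statuses)
        self.down = False

    def __call__(self, serial: str) -> str:
        if self.down:
            raise ResponderUnavailable("timeout")
        return self.statuses.get(serial, UNKNOWN)


def walkthrough() -> Dict[str, Tuple[bool, str]]:
    """Replay the caveats for one constructed certificate serial."""
    now = [1000.0]  # controllable clock so the walkthrough is deterministic
    responder = FakeResponder({"0A1B": GOOD})
    cache = OcspCache(ttl_seconds=300, clock=lambda: now[0])
    fail_closed = OcspPolicy(cache, responder, allow_on_server_failure=False)
    out: Dict[str, Tuple[bool, str]] = {}
    out["first login"] = fail_closed.decide("0A1B")       # responder says good; cached
    responder.statuses["0A1B"] = REVOKED                   # certificate revoked at the CA
    out["after revocation"] = fail_closed.decide("0A1B")   # still accepted: cache hit
    cache.flush()
    out["after flush"] = fail_closed.decide("0A1B")        # now denied
    responder.down = True
    cache.flush()
    out["outage, fail closed"] = fail_closed.decide("0A1B")
    fail_open = OcspPolicy(OcspCache(300, lambda: now[0]), responder, allow_on_server_failure=True)
    out["outage, fail open"] = fail_open.decide("0A1B")    # revoked certificate accepted
    return out


if __name__ == "__main__":
    for step, (accepted, reason) in walkthrough().items():
        print(f"{step:20} -> {'ALLOW' if accepted else 'DENY':5} ({reason})")
```

The last step is the one to note: with Allow Access on Server Failure enabled, the same revoked certificate that was denied a moment earlier is accepted again, because nothing in the decision distinguishes a responder outage from a good answer.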