Fortinet black logo

Administration Guide

Certificate-based WebUI login failure

Certificate-based WebUI login failure

FortiWeb supports the certificate-based authentication for administrators' Web UI login. FortiWeb controls an administrator's login by verifying its certificate if it connects to the Web UI through HTTPS.

Common configuration flow for PKI user (Certificate based WebUI login)

  1. Upload the CA's certificate of the administrator's certificate.
  2. Create a PKI user.
  3. Add the PKI user to an Admin group.
  4. Apply the Admin group to an administrator

Certificate based WebUI Login Logic:

  • If you connect to the Web UI through HTTPS, FortiWeb first verifies the certificate you provided.
    • If your certificate is valid, then your access to Web UI will be granted (the username/password login page will not be displayed).
    • If you fail in the certificate authentication, you will be directed to the username/password login page.
  • If you connect to the Web UI through HTTP, FortiWeb will only verify your access by the username/password.
  • You can configure FortiWeb to only apply the certificate-based authentication through the CLI as below. Then If certification authentication fails, WebUI login will fail.

config system global

set admin-HTTPs-pki-required {enable | disable}

end

Login failure and troubleshootin

  • Check if the browser prompts you to select a certificate when connecting to WebUI through HTTPS.

    • If the client certificate is not listed for selecting, you will need to check if it has been imported successfully to the client system.

      For example, on a Windows PC, you need to import a pfx/p12 format certificate instead of a .cert/.der/.crt certificate, because the private key is required by Windows system, otherwise you may import a .cer certificate successfully while cannot see it selectable when using the browser to visit FortiWeb WebUI.

    • If you can select the specific certificate while login still fails, FortiWeb will be redirected to the username/password login page. (Refer to above section Certificate based WebUI Login Logic: )

  • Check FortiWeb event logs to double confirm the login failure is caused by certificate authentication error:

    When certificate authentication fails, an Event log will be generated as "Login failed! Check certificate error! from GUI(172.30.212.60)"

    As a comparison, below is the log when login succeeds:

    User admuser logged in successfully from GUI->HTTPS(172.30.212.127)

  • Follow below steps to do further troubleshooting:

    • Ensure related configuration are added correctly by following the steps in the above section Common configuration flow for PKI user (Certificate based WebUI login);

    • Ensure the CA certificate is selected correctly;

    • Ensure the Subject string is input correctly;

      • If you have input multiple subject fields, try to leave only one or two and test again;

      • On 6.x and 7.0.1 builds, all Subject RDNs with the correct order are required:

        E.g

        C = CA, ST = BC, L = Burnaby, O = Fortinet, CN = 34B6A45C8 can be matched

        CN = 34B6A45C8, C = CA, ST = BC, L = Burnaby, O = Fortinet cannot be matched

      • On 6.x and 7.0.1 builds, the type of RDNs are also case sensitive, while on later builds (schedule in 7.0.2), the type is case insensitive, while the value is still case sensitive:

        E.g

        c = CA, t = BC, l = Burnaby, o = Fortinet, cn = 34B6A45C8 can be matched

        C = ca, ST = bc, L = burnaby, O = fortinet, CN = 34b6a45c8 cannot be matched

      • For the type stateOrProvinceName, please input ST instead of just S.

    • Use openssl command to verify if the CA and client certificate match:

      This is a case for verification failure:

      root@ubuntu:/# openssl verify -verbose -CAfile ca.crt Win10.OA.cer

      C = CA, ST = BC, L = Burnaby, O = Fortinet, CN = Win10.OA

      error 18 at 0 depth lookup: self signed certificate

      error Win10.OA.cer: verification failed

    • Test with a different pair of client & CA certificates; It’s better to guarantee they work well on other service environment.

Certificate-based WebUI login failure

FortiWeb supports the certificate-based authentication for administrators' Web UI login. FortiWeb controls an administrator's login by verifying its certificate if it connects to the Web UI through HTTPS.

Common configuration flow for PKI user (Certificate based WebUI login)

  1. Upload the CA's certificate of the administrator's certificate.
  2. Create a PKI user.
  3. Add the PKI user to an Admin group.
  4. Apply the Admin group to an administrator

Certificate based WebUI Login Logic:

  • If you connect to the Web UI through HTTPS, FortiWeb first verifies the certificate you provided.
    • If your certificate is valid, then your access to Web UI will be granted (the username/password login page will not be displayed).
    • If you fail in the certificate authentication, you will be directed to the username/password login page.
  • If you connect to the Web UI through HTTP, FortiWeb will only verify your access by the username/password.
  • You can configure FortiWeb to only apply the certificate-based authentication through the CLI as below. Then If certification authentication fails, WebUI login will fail.

config system global

set admin-HTTPs-pki-required {enable | disable}

end

Login failure and troubleshootin

  • Check if the browser prompts you to select a certificate when connecting to WebUI through HTTPS.

    • If the client certificate is not listed for selecting, you will need to check if it has been imported successfully to the client system.

      For example, on a Windows PC, you need to import a pfx/p12 format certificate instead of a .cert/.der/.crt certificate, because the private key is required by Windows system, otherwise you may import a .cer certificate successfully while cannot see it selectable when using the browser to visit FortiWeb WebUI.

    • If you can select the specific certificate while login still fails, FortiWeb will be redirected to the username/password login page. (Refer to above section Certificate based WebUI Login Logic: )

  • Check FortiWeb event logs to double confirm the login failure is caused by certificate authentication error:

    When certificate authentication fails, an Event log will be generated as "Login failed! Check certificate error! from GUI(172.30.212.60)"

    As a comparison, below is the log when login succeeds:

    User admuser logged in successfully from GUI->HTTPS(172.30.212.127)

  • Follow below steps to do further troubleshooting:

    • Ensure related configuration are added correctly by following the steps in the above section Common configuration flow for PKI user (Certificate based WebUI login);

    • Ensure the CA certificate is selected correctly;

    • Ensure the Subject string is input correctly;

      • If you have input multiple subject fields, try to leave only one or two and test again;

      • On 6.x and 7.0.1 builds, all Subject RDNs with the correct order are required:

        E.g

        C = CA, ST = BC, L = Burnaby, O = Fortinet, CN = 34B6A45C8 can be matched

        CN = 34B6A45C8, C = CA, ST = BC, L = Burnaby, O = Fortinet cannot be matched

      • On 6.x and 7.0.1 builds, the type of RDNs are also case sensitive, while on later builds (schedule in 7.0.2), the type is case insensitive, while the value is still case sensitive:

        E.g

        c = CA, t = BC, l = Burnaby, o = Fortinet, cn = 34B6A45C8 can be matched

        C = ca, ST = bc, L = burnaby, O = fortinet, CN = 34b6a45c8 cannot be matched

      • For the type stateOrProvinceName, please input ST instead of just S.

    • Use openssl command to verify if the CA and client certificate match:

      This is a case for verification failure:

      root@ubuntu:/# openssl verify -verbose -CAfile ca.crt Win10.OA.cer

      C = CA, ST = BC, L = Burnaby, O = Fortinet, CN = Win10.OA

      error 18 at 0 depth lookup: self signed certificate

      error Win10.OA.cer: verification failed

    • Test with a different pair of client & CA certificates; It’s better to guarantee they work well on other service environment.