[HELP] ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS Auth provider certificate #227

Open
alecorgit opened this issue Feb 27, 2024 · 13 comments
@alecorgit

ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS Auth provider certificate

AMS Server: Version 2.0.9514.0
AMS OS version: Windows Server 2022 (21H2)
Client Edge version 122.0.2365.52

Configuring: User Authentication --> Authentication provider --> Smart card or other certificate, we receive the following Edge error:

Hmmm… can't reach this page
It looks like the webpage at ...... might be having issues,
or it may have moved permanently to a new web address.
ERR_SSL_CLIENT_AUTH_NO_COMMON_ALGORITHMS

The same configuration on another AMS installation on Windows Server 2019 works fine.

Thanks

@alecorgit alecorgit added the help label Feb 27, 2024
@red-erik

red-erik commented Feb 27, 2024

Hello,
I suppose it's due to TLS 1.3 being enabled (by default) on Windows 2022.
Will AMS fully support TLS 1.3?

Regards,
Red.

@ryannewington
Member

It sounds like there is disagreement between the ciphers enabled on the client vs server.

@ryannewington ryannewington self-assigned this Feb 29, 2024
@alecorgit
Author

Hello, I solved it by disabling TLS 1.3 on Windows Server 2022 where AMS is installed. Thanks @red-erik for the tip.


stale bot commented Mar 13, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

@stale stale bot added the stale label Mar 13, 2024
@red-erik

Hello,
Not stale, in my opinion. Does the tool fully support Windows 2022 with TLS 1.3 enabled?

Regards,
Red.

@stale stale bot removed the stale label Mar 14, 2024
@ryannewington
Member

Hi @red-erik

We can't reproduce this in our lab. Server 2022 using mTLS is working fine out of the box.

Are there any other circumstances in play here? I'm not sure what we are missing from our environment that means we are not seeing this.

@red-erik

Hello,
I should say we are on a "standard" configuration: AMS on a fresh new Windows 2022 VM (TLS 1.3 enabled) and clients connecting from Windows 11 and Windows 2019 RDP sessions with the standard Edge configuration. I'm sure that in IIS TLS 1.3 needs to be manually enabled but, if I remember correctly, you are using http.sys (and I don't know how much it depends on the IIS config).

https://techcommunity.microsoft.com/t5/networking-blog/troubleshooting-http-3-in-http-sys/ba-p/3273139

Regards,
Red.

@red-erik

red-erik commented Mar 14, 2024

Hello,
My fault. Our management RDP sessions are on Windows 10 and, obviously, TLS 1.3 is not supported. I tested from Windows 11 and Windows 2022 and it works fine. If the client is Windows 2019, it will never work either, as clearly stated by MS:
https://learn.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

Regards,
Red.

@ryannewington
Member

Shouldn't the Win10 client and 2022 server negotiate TLS 1.2 between them though? TLS 1.3 should only be used when both sides support it. Or is TLS 1.2 disabled on the 2022 server?

@red-erik

Hello,
It should, but we don't understand why it's not happening. TLS 1.2 is enabled (both client and server on Windows 2022) and Windows 10 has the usual (default) cipher suites.

@ryannewington
Member

I tried a few different combinations of things, and still can't reproduce this in the lab. I'm not really sure where to go next on this one. Would you be comfortable sharing screenshots of IIS Crypto from a client and server combination that are not working?

https://www.nartac.com/Products/IISCrypto

Need to see the schannel and cipher suites pages from both client and server.

What's the certificate type? RSA 2048?

@red-erik

Hello,
I can't run the Nartac software on the Windows client (Win 10), but the registry settings show the TLS 1.2 client ENABLED and no restriction on ciphers.
[image]
On the server side, TLS 1.2 is enabled as well, with RC4 ciphers removed.
[image]

[image]

Regards,
Red.
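
Where IIS Crypto cannot be run, the Schannel protocol and cipher suite settings requested above can be collected with PowerShell on both client and server and then compared. This is an added example, not part of the original thread or the AMS project; the function names are hypothetical, and it assumes the standard Schannel protocol registry keys and the built-in `Get-TlsCipherSuite` cmdlet.

```powershell
# Added example (not from the thread): report local Schannel settings.
# Run on both the client and the server, then compare the two outputs.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Hypothetical helper: reads the per-protocol, per-role Schannel overrides.
function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('TLS 1.2', 'TLS 1.3'),
        [string[]]$Role     = @('Client', 'Server')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $path  = "$SchannelRoot\$p\$r"
            # A missing key yields $null here; missing values read as $null too.
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            $enabled           = $props.Enabled
            $disabledByDefault = $props.DisabledByDefault

            $state = if ($null -eq $enabled -and $null -eq $disabledByDefault) {
                # Nothing set explicitly: the default of this Windows build applies.
                'OS default (not set in registry)'
            } elseif ($null -ne $enabled -and $enabled -eq 0) {
                'Disabled'
            } elseif ($disabledByDefault -eq 1) {
                # Only used when an application explicitly asks for this protocol.
                'Disabled by default'
            } else {
                'Enabled'
            }

            [pscustomobject]@{
                Protocol          = $p
                Role              = $r
                Enabled           = $enabled
                DisabledByDefault = $disabledByDefault
                State             = $state
            }
        }
    }
}

# Hypothetical helper: lists the cipher suites currently enabled, in priority order.
function Get-EnabledCipherSuiteName {
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        (Get-TlsCipherSuite).Name
    } else {
        Write-Warning 'Get-TlsCipherSuite is not available on this system.'
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-EnabledCipherSuiteName
```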


stale bot commented Mar 30, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs.

@stale stale bot added the stale label Mar 30, 2024