I’ve set up an accelerator with the option “Enable Secure Exchange” checked, because I want to enable SSL communication from the browser to iChain (but plain HTTP from iChain to the protected web server). If I use an LDAP authentication module with login and password, everything works correctly: iChain lets me browse to the public resources of my application, and the iChain login page only appears if I try to browse to some protected resource.

My problem is when I use a mutual certificate authentication profile instead of the LDAP profile. With this configuration, the browser pops up the certificate request even when I try to browse my public resource. In fact, it seems that iChain asks me for authentication (using a certificate) even if I’m trying to get public pages! This happens only if I enable the certificate authentication module together with “Enable Secure Exchange”. If I configure the accelerator in plain HTTP (no SSL between the browser and iChain), even with the certificate authentication module everything works as expected, and the browser asks for a certificate only when I try to access protected resources.


There is a solution from a case opened on iChain 2.2. It seems there is a bug, and there is no patch yet. Fortunately there is a workaround.

To avoid the prompt for the Client certificate, enable the following option:

set accelerator <acc_name> authentication authovercd = Yes
set accelerator <acc_name> authentication authcddbenabled = Yes
APPLY

Once this has been done, I can access the website without being prompted for a user certificate. The two set commands above enable “Cross Domain Authentication”. In summary, enabling cross-domain authentication solves this problem.
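A quick way to confirm the workaround took effect is to look at what the accelerator does during the initial TLS handshake: if it still sends a CertificateRequest to every client, the browser prompt on public pages will come back. The script below is an added example, not part of the original post or of iChain; it shells out to `openssl s_client` and parses the lines OpenSSL prints when a server does or does not request a client certificate. The host, port and sample handshake output are constructed assumptions, and the check only sees what happens at handshake time, not a later renegotiation for a protected path.

```python
"""Detect whether a TLS endpoint demands a client certificate at handshake time.

Added example (not from the original Cool Solutions post). Run it against the
accelerator's public address before and after the authovercd/authcddbenabled
change; a server that still sends CertificateRequest will be reported as such.
"""
import subprocess
import sys

# Exact marker lines printed by `openssl s_client` after the handshake.
REQUESTED = "Acceptable client certificate CA names"
NOT_REQUESTED = "No client certificate CA names sent"


def client_cert_requested(s_client_output: str):
    """True if the server asked for a client certificate, False if it explicitly
    did not, None if the output is inconclusive (e.g. the connection failed)."""
    if REQUESTED in s_client_output:
        return True
    if NOT_REQUESTED in s_client_output:
        return False
    return None


def ca_names(s_client_output: str):
    """Return the CA distinguished names listed in the server's CertificateRequest.

    OpenSSL prints one DN per line directly under the REQUESTED header; the list
    ends at the first line that is not a DN (DNs always contain '=')."""
    names = []
    lines = s_client_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(REQUESTED):
            for later in lines[i + 1:]:
                if "=" not in later:
                    break
                names.append(later.strip())
            break
    return names


def run_check(host: str, port: int = 443, timeout: int = 10):
    """Open a TLS connection with openssl s_client and classify the handshake.

    Assumption: the `openssl` binary is on PATH. Stdin is closed immediately so
    s_client exits right after printing the handshake summary."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout,
    )
    output = proc.stdout.decode("utf-8", "replace") + proc.stderr.decode("utf-8", "replace")
    return client_cert_requested(output), ca_names(output)


# Constructed sample output, trimmed to the relevant lines, for an accelerator
# that still requests a client certificate on every connection.
SAMPLE_BEFORE = """CONNECTED(00000003)
depth=0 CN = ichain.example.test
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Corp Internal CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 2301 bytes and written 403 bytes
"""

# Constructed sample output after the workaround: no CertificateRequest sent.
SAMPLE_AFTER = """CONNECTED(00000003)
depth=0 CN = ichain.example.test
---
No client certificate CA names sent
---
SSL handshake has read 1874 bytes and written 403 bytes
"""

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "ichain.example.test"  # assumed hostname
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    requested, names = run_check(target, port)
    if requested is None:
        print(f"{target}:{port}: handshake inconclusive (connection or TLS failure)")
    elif requested:
        print(f"{target}:{port}: client certificate REQUESTED at handshake; CAs: {names}")
    else:
        print(f"{target}:{port}: no client certificate requested at handshake")
```

Usage: `python check_cert_prompt.py ichain.example.test 443`. A result of "no client certificate requested" on the accelerator's public address is the outcome the two `set accelerator` commands are meant to produce; if the CA list is still printed, the change was not applied or the accelerator is still using the certificate profile for every request.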


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: coolguys
Oct 4, 2006
12:00 am