CLE unable to reach SSPR Forgotten Password site due to self-signed certificate issue

  • 7023802
  • 02-Apr-2019
  • 02-Apr-2019

Environment

Client Login Extensions (CLE) 4.4
Self Service Password Reset
Microsoft Windows 7
Microsoft Windows 10


Situation

The Forgotten Password link cannot be reached because of a self-signed certificate problem. The SSPR website has been added to Internet Explorer's Trusted Sites, and the self-signed certificate has been imported through Internet Explorer into the Trusted Root Certification Authorities store.
From a normal user session, the user can browse to the SSPR website without any certificate warning.

When the Forgotten Password link is clicked, a new restricted browser is spawned and displays the error "There is a problem with this web site's security certificate". The address shown at the bottom of the page is Internet Explorer's internal certificate error page: res://ieframe.dll/invalidcert.htm?SSLError=#https://SSPR_server.org/sspr/public/forgottenpassword

The CLE RestrictedBrowser.log debug log shows that the navigation to the SSPR host is allowed by the URL check, after which Internet Explorer redirects to its own internal error pages (res://ieframe.dll/navcancl.htm and invalidcert.htm). The failure is therefore the certificate validation itself, not the restricted browser's URL whitelist:

19/04/02 10:05:50 ValidateUrl Comparing host SSPR_server.org with target host SSPR_server.org
19/04/02 10:05:50 ValidateUrl Its safe to Navigate to the URL.
19/04/02 10:05:50 OnBeforeNavigate2 Redirection to the site[https://SSPR_server.org/sspr/public/forgottenpasswordA%20security%20error%20occurred] is allowed.
19/04/02 10:05:50 SetIEZoneMap The machine is not Server OS. So adding sites to the IE Trusted Zone is skipped
19/04/02 10:05:50 GetHostFromURL Hostname is ieframe.dll
19/04/02 10:05:50 GetHostFromURL Url is not HTTPS
19/04/02 10:05:50 ValidateUrl Comparing host SSPR_server.org with target host ieframe.dll
19/04/02 10:05:50 OnBeforeNavigate2 Redirection to the site[res://ieframe.dll/navcancl.htm#https://SSPR_server.org/sspr/public/forgottenpasswordA%20security%20error%20occurred] is allowed.
19/04/02 10:05:50 SetIEZoneMap The machine is not Server OS. So adding sites to the IE Trusted Zone is skipped
19/04/02 10:05:50 GetHostFromURL Hostname is ieframe.dll
19/04/02 10:05:50 GetHostFromURL Url is not HTTPS
19/04/02 10:05:50 ValidateUrl Comparing host SSPR_server.org with target host ieframe.dll
19/04/02 10:05:50 OnBeforeNavigate2 Redirection to the site[res://ieframe.dll/invalidcert.htm?SSLError=#https://SSPR_server.org/sspr/public/forgottenpasswordA%20security%20error%20occurred] is allowed.


Resolution

The use of self-signed certificates is not recommended, as stated in the CLE documentation:

The Restricted Browser Does Not Connect To Self Service Password Reset When Using Self Signed Certificates

Client Login Extension does not support self-signed certificates and therefore NetIQ recommends that you do not use them.
If SSPR is configured with a self-signed or otherwise untrusted certificate, you must import the CA root certificate of the signing authority into the local Trusted Root Certification Authorities store.

Self-signed certificates can still be used in situations such as testing or pre-production, but the self-signed certificate must be added to the Local Computer (not the user) Trusted Root Certification Authorities store. Note that this makes the certificate a trust anchor for every application on that machine, so protect its private key accordingly, limit the import to test machines, and remove it from the store once testing is finished.
To add the self-signed certificate to the Local Computer Trusted Root Certification Authorities store, follow the steps below:

1.) Save a local copy of the SSPR website's Self Signed Certificate
2.) Select Run from the Start menu and then type "mmc" and then launch MMC
3.) From the File menu, select Add/Remove Snap In.
4.) From the Available snap-ins list, choose Certificates, then select Add.
5.) Select Computer account and click Next, select Local computer and click Finish, then click OK
6.) Expand Certificates and select the Trusted Root Certification Authorities object
7.) Select Certificates then right click and select All Tasks > Import
8.) Browse to the saved SSPR self-signed certificate and complete the wizard, making sure the certificate is placed in the Trusted Root Certification Authorities store (not in Personal or another store)
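The same import, scripted, as an added example that is not part of this article or of CLE/SSPR: it retrieves the certificate the SSPR site presents, prints the thumbprint so it can be compared against the server out of band, imports the certificate into the Local Computer Trusted Root store, and then reports which stores hold it (the per-user store is where the certificate ended up in this case). The host name sspr.example.org and port 443 are placeholders; the script assumes an elevated PowerShell prompt on the CLE workstation. It uses the .NET X509Store class rather than the Import-Certificate cmdlet so that it also runs on Windows 7 (PowerShell 2.0), where the PKI module is not available.

```powershell
# Added example (not the KB article's or NetIQ's own code).
# Assumptions: placeholder host sspr.example.org:443; run as administrator.
param(
    [string]$SsprHost = 'sspr.example.org',   # placeholder, replace with the real SSPR host
    [int]$Port = 443
)

# 1. Retrieve the certificate the SSPR site presents. The validation callback returns $true
#    only so the handshake completes and the certificate can be captured; nothing is trusted yet.
$tcp = New-Object System.Net.Sockets.TcpClient($SsprHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
$ssl.AuthenticateAsClient($SsprHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()

"Subject    : $($cert.Subject)"
"Issuer     : $($cert.Issuer)"
"Thumbprint : $($cert.Thumbprint)"
"Valid until: $($cert.NotAfter)"

# 2. Only a self-signed certificate (Subject equals Issuer) belongs in Trusted Root. If the
#    SSPR certificate is CA-issued, import the issuing CA's root instead, as the CLE docs say.
if ($cert.Subject -ne $cert.Issuer) {
    throw 'Certificate is not self-signed; import the signing CA root certificate instead.'
}

# Compare the thumbprint printed above with the one shown on the SSPR server before going on;
# otherwise a certificate substituted in transit would be pinned as a machine-wide trust anchor.
$answer = Read-Host 'Thumbprint verified against the SSPR server? (y/N)'
if ($answer -ne 'y') { throw 'Aborted: thumbprint not verified.' }

# 3. Import into the Local Computer store. CurrentUser\Root, where Internet Explorer's
#    Install Certificate wizard puts it by default, is not consulted by the restricted browser.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 4. Report where the certificate now lives: the LocalMachine line must read 'present';
#    the CurrentUser line shows whether a stray per-user copy from the IE import remains.
foreach ($path in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $path | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    '{0,-24} {1}' -f $path, $(if ($hit) { 'present' } else { 'absent' })
}
```

When the test is over, remove the trust anchor again by opening the same store with $store.Open('ReadWrite') and calling $store.Remove($cert), so the machine does not keep trusting a certificate whose private key lives on a test server.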



Cause

The SSPR website's self-signed certificate was saved to the user's Trusted Root Certification Authorities store, which is where Internet Explorer's Install Certificate wizard places it by default. The restricted browser is launched from the Windows logon screen, before any user profile (and therefore any per-user certificate store) is loaded, so it only evaluates certificates in the Local Computer Trusted Root Certification Authorities store. Unless the certificate is in that store, the restricted browser fails with a certificate error.