No announcement yet.

Client certificate based authentication, help needed.

  • Filter
  • Time
  • Show
Clear All
new posts

    Client certificate based authentication, help needed.


    Axigen running on Windows Server 2019 Core, x64.

    MUA is K9 Mail for android.

    I have the IMAP listener running on port 993, SSL is enabled for the listener, STARTTLS is not enabled in the IMAP settings.

    In the listener SSL settings:

    I configure the listener to use a certificate that has been signed by my domain CA in the certificate file field.

    I include the domain CA public certificate in the certificate authorities file field.

    I have "request certificate based authentication from client" checked.

    The MUA is configured to use "client certificate" authentication as per the first screenshot below.

    The client certificate used by the MUA is signed by the same domain CA that signed the IMAP server certificate.

    When attempting to connect the error in the second screenshot appears.

    Relevant log screenshot following this failed login is also provided.

    I have an LDAP connector configured to my DC that is working.

    Login works correctly when "request certificate based authentication from client" is unticked and the MUA is set to use "Encrypted Password" (MUA supports CRAM-MD5)

    Is it possible to authenticate a mobile device or desktop client using a client certificate? If so please provide required steps to rectify.

    Looking at the log, the server indeed seems to not be advertising AUTH=EXTERNAL in it's IMAP capabilities. Is this a bug or is the feature not supported? Or is the problem with the MUA?

    Thank you for your time.





    From the Capability response of your Axigen server we could see that it contains LOGINDISABLED.

    Could you confirm that IMAP service have all authentications enabled "on SECURED connections (SSL / TLS)"?

    On the other side is there any setup on the MUA side (BTW - could you share the application name so we could test on our side as well) that will allow you to authenticate with client certificate + your account password? Because in our current setup the "client certification" is not something that will replace the main euthentication but is used to validate the encrypted session on port 993 (on this example).

    Same will apply for WebMail interface, where despite using a client certificate (when connecting HTTPS on port 443) you will still get a "login" page.

    Does make this sense?



      Hi Ioan,

      Thank you for your response.

      I tested with several combinations of different authentication methods enabled, but to be 100% certain I will test again tomorrow with all auth methods enabled for secured connections.

      The MUA application is called K-9 mail, it is a mobile application for android handsets, it can be downloaded from either f-droid or the google play store:

      The app is a little rough looking, but unlike most other Android mail clients it doesn't monetise your personal data.

      Your point about authenticating with user credentials after presenting a user certificate makes perfect sense. In fact that kind of "double-authenticated" setup is exactly what I would prefer to use, but the application doesn't offer it. In the first of the original screenshots, if I were to expand "Authentication", the three options presented are "Normal password", "Encrypted password" and "Client certificate".

      Perhaps I will put a feature request to the K9 developer to add a "PEAP" authentication method.



      This is the legacy Axigen forum, which is no longer active.

      To create new topics & posts, please visit the new Axigen community.

      Axigen Community