Users get access denied messages because of Auth Connector communication errors with WSS

Article ID: 213676

Products

Web Security Service - WSS

Issue/Introduction

Users started getting access denied messages when accessing websites via WSS first thing in the day, although everything worked fine the previous day.

WSS agents are used to connect users to WSS.

Auth Connector shows a number of failed connections to WSS.

Auth Connector reports the error 'The certificate chain was issued by an authority that is not trusted', as shown below:

2021/04/27 09:34:06.368 [8140] [6936:8140] SSL negotiate: AcceptSecurityContext failed: 0x80090325; status=-2146893019:0x80090325:The certificate chain was issued by an authority that is not trusted.
2021/04/27 09:34:06.369 [8140] [6936:8140] SSL setup failed; status=-2146893019:0x80090325:The certificate chain was issued by an authority that is not trusted.

Cause

WSS could not get group information for authenticating users because of Auth Connector communication errors, so any policy that needed the users' group information would fail.

Resolution

Download the DigiCert Global G2 TLS RSA SHA256 2020 CA1 intermediate certificate from https://knowledge.digicert.com/alerts/DigiCert-ICA-Update.html and install it into the certificate store of the Windows server running Auth Connector.
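
One way to carry out and verify this step from PowerShell, as an added example that is not part of the original article or Broadcom's own procedure. The download path, the log path placeholder and the choice of the local machine Intermediate Certification Authorities store are assumptions.

```powershell
# Added example (not Broadcom's procedure). Run from an elevated PowerShell
# session on the Windows server that hosts Auth Connector.
$IntermediateCN = 'DigiCert Global G2 TLS RSA SHA256 2020 CA1'  # named in the Resolution
$CertPath = 'C:\Temp\digicert-intermediate.crt'   # assumption: where the download was saved
$LogPath  = 'C:\Path\To\AuthConnector.log'        # placeholder: Auth Connector log location
$Store    = 'Cert:\LocalMachine\CA'               # assumption: machine Intermediate CA store

function Get-InstalledIntermediate {
    # Return unexpired copies of the intermediate already in the store.
    Get-ChildItem -Path $Store | Where-Object {
        $_.Subject -like "*CN=$IntermediateCN*" -and $_.NotAfter -gt (Get-Date)
    }
}

# 1. Confirm the symptom: count handshake failures carrying status 0x80090325
#    (SEC_E_UNTRUSTED_ROOT), the code shown in the log excerpt above.
if (Test-Path $LogPath) {
    $hits = @(Select-String -Path $LogPath -Pattern '0x80090325')
    Write-Output "Untrusted-chain failures in log: $($hits.Count)"
}

# 2. Install only if the intermediate is missing.
if (Get-InstalledIntermediate) {
    Write-Output "Intermediate already present in $Store; the failures have another cause."
} else {
    # Inspect the downloaded file before trusting it.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    if ($cert.Subject -notlike "*CN=$IntermediateCN*") {
        throw "Unexpected subject in ${CertPath}: $($cert.Subject)"
    }
    if ($cert.NotAfter -le (Get-Date)) {
        throw "Certificate in $CertPath expired on $($cert.NotAfter)"
    }
    # Show the details, then prompt: compare the thumbprint with the value
    # DigiCert publishes before answering Yes.
    $cert | Format-List Subject, Issuer, Thumbprint, NotAfter | Out-Host
    Import-Certificate -FilePath $CertPath -CertStoreLocation $Store -Confirm | Out-Null
}

# 3. Verify the result.
Get-InstalledIntermediate | Format-List Subject, Thumbprint, NotAfter
```

After the import, new entries with status 0x80090325 should stop appearing in the Auth Connector log.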

Additional Information

The WSS authentication certificate was changed to switch from Entrust (expiring April 10) to DigiCert.
The Windows server running Auth Connector was missing the DigiCert intermediate certificate needed to validate the handshake.
Windows updates should have updated the trust package (the July 2020 MS trust package has the right cert).