You might experience difficulty when you configure Cert-to-Kerberos in your environment. You can use a variety of procedures for diagnosing and fixing these problems.

Error Message: Internal error. Please contact your administrator

Check the /opt/vmware/gateway/logs/authbroker.log for the message

"OSCP validation of CN=clientCert, OU=EUC, O=<org name>, ST=<state name>, C=IN failed with "Could not send OCSP request to responder: Connection refused (Connection refused) , will attempt CRL validation"

This indicates that the OCSP URL configured in "X.509 Certificate" is not reachable or incorrect.

Error when OCSP certificate is invalid

"revocation.RevocationCheck: OSCP validation of CN=clientCert failed with "Could not verify signing certificate for OCSP responder:http://asdkad01/ocsp". will attempt CRL validation."

displays when an invalid certificate for OCSP is uploaded or if the OCSP certificate is revoked.

Error when OCSP response verification fails

"WARN ocsp.BouncyCastleOCSPHandler: Failed to verify OCSP response: CN=asdkAD01.Asdk.ADrevocation.RevocationCheck: 08/23 14:25:49,975" [tomcat-http--26] WARN revocation.RevocationCheck: OSCP validation of CN=clientCert failed with "Could not verify signing certificate for OCSP responder: http://asdkad01/ocsp". will attempt CRL validation."

sometimes displays when OCSP response verification fails.

Error Message: unable to retrieve client certificate from session: <sessionId>

If this message displays:

  • Check the X.509 certificate settings and determine whether or not it is configured

  • If X.509 certificate settings is configured: check the client certificate installed on the client side browser to see if is issued by the same CA uploaded in the field "Root and Intermediate CA Certificates" in the X.509 certificate settings.