Novell iChain Xtier Authentication fails using a 3rd Party Certificate

  • 3300195
  • 01-Mar-2007
  • 27-Apr-2012


Novell iChain 2.3 Support Pack 4
iChain accelerator Configured with:
Xtier Authentication
3rd Party Certificate storing a 2048 bit RSA key assigned

Microsoft Windows XP Service Pack 2
Novell Client 4.91 Service Pack 2
Novell Netidentity Client 1.23
Novell ZENworks 7 Desktop Management Support Pack 1 - ZDM7 SP1 Middle Tier


  • Using a certificate created by the Novell iChain proxy server assigned to the Xtier accelerator the Netidentity client returns the expected Netidentity authentication prompt and authentication works fine
    The iChain internal Certificate size = 1632 bytes (Base64 encoded)
  • Using a 3rd Party certificate assigned the Novell NetIdentity Client authentication prompt does not appear instead the browser displays a line of garbled characters
  • The 3rdParty Certificate size = 2148 bytes (Base64 encoded)


For ZDM7: To obtain early access to a hot patch with the fix for this problem, follow the instructions in KB 3484245 "Updates to Novell ZENworks 7 Desktop Management" which can be found at

Additional Information

The Netidentity client does not work with x509 certificates having a size greater than 2048 bytes.

  • Looking at into the details of the Base64 encoded 3rd Party certificate the line of characters returned by the browser client are matching exactly the last 101 Base64 encoded characters
  • Taking traces with Wireshark at the workstation with the Novell iChain internal certificate assigned and the non working 3rd Party Certificate assigned scenario shows that in both cases the assigned certificate to the Xtier enabled accelerator will be send to the browser client together with the Xtier realm, nonce and GUID to the browser client in two TCP segment.