KB Article #177133
Repeated login prompts in the Web interface when logging in with dual authentication (certificate and username/password)
Problem
When attempting an HTTPS connection to Gateway where the TLS profile is set to TLS_AUT_MANDATORY (meaning that a client certificate is required) and Gateway (or Passport) is also set up to require a username and password, a login dialog box appears repeatedly for every action (login, change directory, etc.).
This occurs with Internet Explorer and Firefox, but not with Chrome.
Errors are seen in the log similar to the following:
021 PCNX E TPM_CF (138412125) Connection Failure for user zh992jb reason : Certificate Dual_FTP set in TPM does not match .
004 SUP I INIT_RP- (138412125) connection in server mode refused: reason="14, Invalid remote identifier"
102 HTTP I TRACE (93) GET - /common/gif/download.jpg - 401 "login failed" - length 0 - user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; UHG_Win7_Build 11-15-2010; rv:11.0) like Gecko
Resolution
This is due to the way that IE and Firefox handle the TLS handshake with the server. Where possible, they will reuse the existing TLS security data (for performance reasons) rather than performing a full handshake for each concurrent connection. (See this KB article for details.) The result is that Gateway doesn't have a client certificate to associate with the various HTTP requests.
The solution is to uncheck the "Cache enabled" option in the TLS profile on Gateway. This will force the browser to send its certificate along with each request.
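To confirm that the change took effect, you can check whether Gateway still resumes TLS sessions. The script below is an added example, not part of the original article: it classifies the output of `openssl s_client -reconnect`, which reports each handshake as "New" (full) or "Reused" (resumed). The host:port argument and the `client.pem` / `client.key` file names are placeholders, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: summarize TLS session reuse from `openssl s_client -reconnect`.
# s_client reports each handshake on a line starting with "New," (full
# handshake) or "Reused," (resumed session; no certificates are exchanged).

# count_handshakes KIND: reads s_client output on stdin and prints how many
# handshakes were of KIND ("New" or "Reused").
count_handshakes() {
    grep -c "^$1, " || true   # grep -c prints 0 but exits 1 when nothing matches
}

# resumption_verdict: reads s_client output on stdin and prints
#   resumes       at least one reconnect reused the cached session
#   full-only     every connection performed a full handshake
#   no-handshake  no handshake completed (check host, port, certificate)
resumption_verdict() {
    out=$(cat)
    new=$(printf '%s\n' "$out" | count_handshakes New)
    reused=$(printf '%s\n' "$out" | count_handshakes Reused)
    if [ "$reused" -gt 0 ]; then
        echo resumes
    elif [ "$new" -gt 0 ]; then
        echo full-only
    else
        echo no-handshake
    fi
}

# Constructed sample outputs (not captured from a real Gateway).
SAMPLE_CACHE_ON='New, TLSv1.2, Cipher is AES256-SHA
Reused, TLSv1.2, Cipher is AES256-SHA
Reused, TLSv1.2, Cipher is AES256-SHA'
SAMPLE_CACHE_OFF='New, TLSv1.2, Cipher is AES256-SHA
New, TLSv1.2, Cipher is AES256-SHA
New, TLSv1.2, Cipher is AES256-SHA'

# Live check, run only when a host:port argument is given.
# client.pem and client.key are placeholder names for the client
# certificate and its private key.
if [ -n "${1:-}" ]; then
    openssl s_client -connect "$1" -cert client.pem -key client.key \
        -reconnect </dev/null 2>/dev/null | resumption_verdict
fi
```

With "Cache enabled" unchecked in the TLS profile, the expected verdict is `full-only`; `resumes` means the server is still accepting resumed sessions.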