Q: Client Certificate Authentication RSA certificate ignored when ECC installed

Hi,
Having some fun with a Windows 7 setup of DirectAccess, have it configured to use ECC certificates on the client for the IPSec authentication, which was working brilliantly, we even have it loaded up behind a Citrix NetScaler to do SSL offloading of the HTTPS tunnel encryption. But when trying to get Client Preauthentication working, we hit a snag: it seems that the NetScalers don't support ECC certificates, which is a pain, but something we thought we could work around by using an RSA certificate on the client to perform the pre-authentication (as shown here https://directaccess.richardhicks.com/2016/05/10/directaccess-ip-https-preauthentication-using-citrix-netscaler/).
So we have three CAs, CA1/2 issue RSA certs and CA3 is set up to do the ECC ones, so nice separation of the chains.
So we have our cert chain for RSA loaded into the load balancer and a new cert issued to the client from CA1... But every time the client connects to the server (LB) we see the handshake taking place, the server sends a list of its DNs (CA1/2) (https://blogs.msdn.microsoft.com/kaushal/2015/05/27/client-certificate-authentication/) to the client, but then the client looks in its store, picks out the ECC certificate (issued from CA3) and fails to authenticate saying no suitable certificate can be found; it's like it's not even looking at the RSA one at all.
So, thinking something was wrong with the way the LB was asking for client authentication, I tried deleting the ECC cert and tried again... this time, the client completes the handshake, finds the RSA cert and passes it back to the LB for authentication.
So, I'm left wondering why my Windows 7 client is trying to use a cert issued by a CA which isn't in the list of DNs sent by the LB.
To add insult to this issue, trying this same scenario on Windows 10 seems to work out of the box: with an ECC cert and RSA cert in the Computer personal store the client looks and chooses the RSA one, authenticates and continues through the process of connecting.


RELEVANCY SCORE 119.6

Hi all,

I have a problem with the resolution of a case that I will explain below.

In our environment (intranet) we have a website portal that requires HTTP certificate client authentication.
Following the selection of the right cert from the store, the web service reads the FQDN from the certificate's subject and based on that permits access to the portal.

Now, we can deploy the certificate on the machine with autoenrollment, based on our PKI (Windows Server 2012 AD CS).
The problem is that IE (or any other internet browser) reads only from the user keystore (LocalMachine\My) while the right certificate is in the computer keystore (CurrentUser\My).
How can I figure out this situation?
If I export the certificate from the machine keystore and then import it into the user keystore everything works fine, but I don't want to mark the key as exportable in the cert template and, however, this would make everything more complicated.

I appreciate any suggestions to accomplish that
Thanks in advance

RELEVANCY SCORE 107.6

Hello,

I am trying to resolve an issue where multiple client computers in the organisation are using an internally deployed Root CA certificate (before my time and no longer required) to sign the end entity certificate for external websites, google.co.uk for example. All SSL sites appeared to be affected by this.




However this is not the case as sub domains of sites with issues show the correct cert chain, the below is for mail.google.com




Removing or untrusting this root ca cert breaks access to these sites.

I have reset root certs in various ways, removed machines from the domain, applied no GPOs, manually updated CRL and pulled down updated certs with rootsupd.exe.
It always attempts to use this rogue CA cert to sign the website's cert.

Any assistance would be much appreciated.

RELEVANCY SCORE 106.4

Hi,
I am trying to install CA root certificate on Windows 7, IE 9.
Encountered error: "Untrusted Certificate". "This certificate cannot be verified up to a trusted certificate authority."
I have tried to install the certificate to Trusted Root Certificate Authorities->local computer and the import was successful. BUT on IE->Internet Options->Certificate->Trusted Root Certificate Authorities, I am unable to find this root CA on the list.
On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.
I then restarted IE and viewed the SSL site again but it failed too, "Untrusted Certificate".
Anyone, any idea?
Regards,
Eye Gee

A:Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

May the following workarounds work for you:
Workaround 1:
Modify the Windows settings to allow the Update Root Certificate feature to update the root certificates automatically. For details, see the following Microsoft TechNet article:
Certificate Support and Resulting Internet Communication in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc771121(WS.10).aspx
Workaround 2:
If the Update Root Certificate feature cannot automatically update the root certificates, you may contact the website vendor to see if there is a hotfix that can fix the issue.

RELEVANCY SCORE 102

I have a problem with installing multiple digital certificates (PKF format) to allow access to one website with different account IDs.

Every time I install a certificate, it works and allows me to access the website with the relevant ID. However, the installed certificate goes missing if I go on to install another certificate. The way I install the certificate is to just double-click on the PKF certificate provided by the website admin, then keep clicking the Next button until the installation steps are finished. All the certificates are installed to the "Personal" certificate store folder, but the problem is that only one certificate remains.

I also tried importing all the certificates using Windows certificate manager; it allows me to import all the certificates and lets me access the website by selecting a different certificate to log in with the selected account ID. However, this method only works if Internet Explorer is not closed after installing all the certificates; once Internet Explorer is closed, all the certificates are gone.

The problem PC mentioned is running Windows XP SP3 with the latest updates, and Internet Explorer is version 8, also with the latest updates.

I have tried resetting Internet Explorer to default, but it did not work, so I would appreciate it if anyone can guide me to solve this problem.

A:PKF certificate missing after new certificate was installed

Under "Content" in Internet Options, are all your certificates there? Mine are. Either your Admin. or the issuer should have your answer. Some PKFs are not compatible with all OSs or Browsers. Try downloading certificates to Firefox or Chrome and see if that works.

RELEVANCY SCORE 102

I based my actions amongst others on this source: https://www.adlerweb.info/blog/tag/procurve

I am using openssl to create my own CA for my company's switches etc. and I am having trouble with a number of recent ProCurve switches.

I created a root CA (2048 bits RSA, SHA1 so as not to make things too difficult).
I created a custom TA called "netwerk", uploaded the CA root certificate, so far so good.
Created a CSR:
crypto pki create-csr certificate-name sw1113  ta-profile netwerk usage web subject common-name sw1113 key-size 2048
The rest of the info and extensions like CDP alternative names etc. is being pushed while signing in openssl via an extensions file.
Resulting CSR processed with openssl (keeping it a simple 2048/sha1 leaf certificate).
Signed this CSR with the aforementioned and uploaded root certificate.
Resulting PEM pasted to install the generated leaf certificate:
sw1113(config)# crypto pki install-signed-certificate
Paste the certificate here and enter:
-----BEGIN CERTIFICATE-----
MIIEGjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCTkwx.....ASCspazUcVeCueTvvVLr4UPObJB1/IBHKHCwkN7nuaTHuiDD8tQzOlWaxry4MsEFGXojuFv1YtFAtlgLlwxvqndi2NysNyqcnZR1o4l0qe4eSrIlUrCyrvyieK5rdQ==
-----END CERTIFICATE-----
Certificate being installed is not signed by the TA certificate.

So, what is going on? The leaf cert is definitely signed by the root cert that was uploaded as TA cert. Would really appreciat...

RELEVANCY SCORE 94.4

How can I set up a verification certificate (or whatever I need) so my customers can run my Excel (2003) program without having to change their Macro Security Level to Medium? I want them to be able to keep their setting on High and still run my program (which is full of macros). Is there a way that I can attach a "trusted" certificate to my program? Thanks.
 

A:Authentication Certificate Question

Hello there, welcome to the board!

Take a look at Malcolm's article here...

http://vbaexpress.com/forum/showthread.php?t=9545

HTH
 

RELEVANCY SCORE 93.2

Hi,

I'm trying to set up strongSwan using IKEv2 certificate authentication on a Raspberry Pi. Nearly every other VPN server I've set up previously has either been Windows, or had a GUI, and was username/password not certificates - so I'm new to strongSwan.

I followed this tutorial on youtube

Part 1:
Part 2:


However it didn't work, even after making some changes via other posts I'd read - still no go, I'm just getting authentication failed. For the moment I'm just trying over my internal network (as it's just purely for learning purposes at the moment).

Here's my ipsec.conf file:

Code:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    auto=start
    closeaction=restart
    keyexchange=ikev2
    ike=aes128-sha256-ecp256
    esp=aes128-sha256-ecp256
    dpdaction=clear
    dpddelay=300s
    dpdtimeout = 5s
    forceencaps=yes
    fragmentation=yes
    keyingtries=5
    rekey=yes
    left=%any
    leftfirewall=yes
    leftid=172.16.0.18
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    leftsendcert=always
    mobike=yes
    rightid=%any
    rightdns=8.8.8.8
    rightsourceip=172.16.16.1/24 ## LOCAL IP RANGE FOR VPN CONNECTED DEVICES
    type=tunnel

conn IKEv2
    rightauth=pubkey
    eap_identity=%any

include /var/lib/strongswan/ipsec.conf.inc
and the ipsec.secrets

Code:
# This file holds shared secrets or RSA private keys for authentication.

# RSA priv...

A:Strongswan IKEv2 - Certificate Authentication

moved to networking where you might be more likely to get somebody who knows
 

RELEVANCY SCORE 92.4

This has been happening for a while...
Every time I open the Launcher, it says "Certificate Authentication Failed, Please reinstall to correct this problem."
It's very annoying and I already updated my Windows XP 32-bit.
Even updated the Roots December 2011.
Restarted multiple times.
Nothing is working. I even tried reinstalling the game. But it doesn't work as well.
 

A:[Tera Rising] Certificate Authentication Failed.

Tera Rising support - http://support.enmasse.com/tera OR http://tera.enmasse.com/community
 

RELEVANCY SCORE 91.2

To this day, my employer still issues SHA1 user authentication certificates via internal ADCS SHA1 CAs. I stood up new ADCS SHA256 CA infrastructure and have been using it for server authentication and computer authentication certificates; migrating these SHA1 user auth certs is the last piece before shutting down the old SHA1 CAs.
However, I'm having a problem in my tests of the scenario of a user who is 100% remote and connects to our enterprise remote access VPN after logging into the computer itself.
I set up a test computer with a test user, verified it autoenrolled in one of the SHA1 user auth certs. Then I set up a new cert template on the SHA256 CA that supersedes the existing one and set it up so only the test user can enroll or autoenroll into it.
I've verified that the user does autoenroll in a SHA256 user auth cert if connected to the enterprise network prior to logging in, so I know that the template and group policy is set up correctly. But in this use case, the user is logging in using cached credentials offline and then connecting to the VPN.
I connect to the VPN and run gpupdate, but it does not seem to autoenroll in the new cert. I also tried running certutil -pulse as the user, but got an access denied error because the user is not a local administrator on the machine.

How can I ensure that these users migrate to the new SHA256 user auth certs? Do I have to give them instructions on how to log onto the VPN before Windows...

RELEVANCY SCORE 91.2

Hi,
I posted this on the Azure forum with no luck; maybe here is a better choice.
When trying to connect a Windows 8\8.1 client with a VPN connection for an Azure virtual network we get the following error.
"A certificate could not be found that can be used with this Extensible Authentication Protocol. (Error 798)"

I'm following this MSDN article about point-to-site VPN on Azure. According to it the certificate is good for both Win 7 and Win 8.

http://msdn.microsoft.com/en-us/library/azure/dn133792.aspx

This is the command to build the client certificate:
makecert.exe -n "CN=ClientCertificateName" -pe -sky exchange -m 96 -ss My -in "RootCertificateName" -is my -a sha1

When running the installation of the certificate on the client the default certificate store is "Automatic". It does not matter if I leave it on Automatic or choose any of the other options (personal, trusted issuers ...), I always get the same error.

Thanks

RELEVANCY SCORE 90.4

Is there a rvkroots.exe available for download for the mentioned KB so that I can remediate a Nessus finding?
We are on a disconnected network so windows update is disabled in our network.
In the past we are able to just download rvkroots.exe and push it out to all our Win7 computers.

RELEVANCY SCORE 90.4

(I'm cross posting this from https://answers.microsoft.com/en-us/ie/forum/ie11-windows_7/a-certificate-chain-processed-but-terminated-in-a/e6895c7e-c6b9-4a96-a5f5-a4dcd40b7b45 as directed by the forum moderator there.)
Hello,

First, I have reviewed the other posts with similar questions and noted that I can install the certificate into root certificates and most likely this problem will go away, some specifics:

1) When a client reported this error using pop.secureserver.net on an Outlook 2003 client, I just figured it was GoDaddy or the REALLY old Outlook client, but nonetheless, I went in to troubleshoot it and was convinced it was GoDaddy, but when I tried to start my Outlook 2016 client on my Windows 10 computer on their network, I got the same error. Two notes are important: 1) I use GoDaddy as well and 2) I used the same computer at a different client just yesterday without a single error message.
2) They use POP 995 w/ SSL & SMTP 465 w/ SSL to pop.secureserver.net & smtpout.secureserver.net respectively
3) I called the company that manages their firewall and was told that everything was fine, but was sent a certificate from the firewall that might fix the problem.
4) The firewall company tells me they use a fortinet firewall

I have some questions that I'm hoping one of the experts here can answer for me:

- What in a firewall setup can cause a certificate to fail as listed in the subject?
- Is there a port or configuration change they...

RELEVANCY SCORE 90.4

I have some Windows 7 systems which have not run Windows Updates for many years, and cannot due to regulatory reasons. We rely upon Windows to automatically update the Trusted Root Certificate store whenever we browse to a web site/web service that uses a certificate the system doesn't recognize.
Sometime recently, the Trusted Root Certificate Store no longer updates automatically. The Windows Event Log shows an error stating that the certificates cannot be downloaded from:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
If we browse to this location manually, the cab file contains an invalid Microsoft certificate.

This was also an issue in Sept 2018. At that time, the certificate had expired, and Microsoft eventually updated the certificate to resolve the issue. This time, the certificate does not appear to have expired. Why is the certificate invalid this time, and can Microsoft fix it again?

Thanks

RELEVANCY SCORE 90.4

So what's up with this error message?
Revocation information for the security certificate for this site is not available. Do you want to proceed? [Yes] [No] [View certificate]

I know it can be unchecked in security option under advanced, but is that really safe to do?

Thx


Steven J Einhorn

RELEVANCY SCORE 89.2

Hi,

Really confusing one here. Since this weekend (16/17 July) we have started getting certificate errors on some sites and applications. This seems to be due to the structure of the URL compared to the "advertised" name IIS is presenting. I'll try to explain.
I have a site, Website. This is in my domain, domain.com. Therefore the FQDN is website.domain.com. IIS is running and I can access this site through FQDN, NetBIOS or IP address. Good news.
I create a certificate for the server using the FQDN as the subject, I add the NetBIOS and IP addresses in the Subject Alternate Names and bind this to port 443 on the server.
I browse to https://website and all is good. I browse to https://website.domain.com and I get a certificate error. Checking the certificate, everything is fine, no errors, chain is trusted. Open Chrome and do the same, I get that the certificate website.domain.com is being presented by Website and may not be the site I want.
Using either URL has never been a problem until this weekend, but it seems that IE/Windows/IIS is not liking any URL that is not EXACTLY what IIS is presenting. So my questions are:
Is anyone else finding this?
Can we issue a certificate that covers all possible DNS resolutions for a site?
How do I control WHAT IIS advertises itself as?
So far this has affected two major systems on our network and I can see that more will arise, so any help would be appreciated.

RELEVANCY SCORE 89.2

Hiya

This update addresses the "Certificate Renewal Wizard Concatenates Certificate" issue in Internet Information Services (IIS) 5.0, and is discussed in Microsoft Knowledge Base (KB) Article Q325827. Download now to correct this issue for IIS 5.0

System Requirements
Supported Operating Systems: Windows 2000

Internet Information Services 5.0
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server

http://www.microsoft.com/downloads/...43-c72f-4652-b912-065ee2a83c02&DisplayLang=en

Regards

eddie
 

RELEVANCY SCORE 89.2

I have Windows 7 client and Cisco router is configured as Certificate Authority. Cisco calls it IOS CA. How can I do certificate enrollment of Windows 7 client with my Cisco IOS Certificate Authority?

RELEVANCY SCORE 89.2

In Internet Explorer, when I get a certificate error, if I continue to the web site, I can then view the certificate to see what was wrong. However, obviously it would be preferable* to see the certificate before I make the decision to go to the site. Is this possible? I'm sure I could use another browser that does this, or maybe use the F12 developer tools, or write a program. But I'm looking for a normal-user way to do it. I think it used to be possible in Internet Explorer, but this might have been 6.x or even earlier. Or even way earlier. Yep. I'm that old. I believe this feature is not in Edge either...unless I'm just missing it. But I'm using IE11 right now.
*understatement level is set to "high".

RELEVANCY SCORE 89.2

Can someone walk me through the steps of having Advanced Threat Analytics (ATA) request a new certificate from Active Directory Certificate Services (ADCS)? I'm not familiar with either product so I will need detailed steps please. At a high level I'm guessing:
1. ATA issues a certificate request
2. I send the request to ADCS
3. ADCS issues a cert for that request
4. Install new cert in ATA
I'll need detailed command line statements. My ATA Center server is named ATASERVER.DOMAIN.ORG, but the URL is configured as ATACENTER.DOMAIN.ORG in ATA. Can the cert handle both the servername and the URL?
Thank you in advance!

RELEVANCY SCORE 88

I've been trying for a long time to quiet my HD. I have HP Media Center PC with AMD dual core w/2 GB ram and Vista Home Premium 32 bit OS.

I've been fairly successful in getting rid of HD run on. But the latest culprit seems to be Certificate Services Client. From what I can read on the web it seems to have something to do with Corporate Domains and users credentials when using other than their usual PC on the network. I have a 2 PC home Lan and am not on a domain. So I don't understand why I need this or why it's even running. I don't use Windows file encryption afaik.

So my question is, can I safely disable the Certificate Services Client scheduled tasks in Task Scheduler?
Seems like once they kick off I can forget about burning a DVD for 10 or 20 minutes.

RELEVANCY SCORE 87.6

Good Day



We have a problem where we encrypted files using EFS, however we can't access or decrypt these files now.

We have the certificate in the certmgr.msc but we do see that the key is missing.



I have reproduced this on another computer and was able to run certutil -repairstore -user MY "Serial Number" which worked in repairing the store and the files were decryptable again.

However on the machine that encrypted the files that we need to access this is not the case as there is a popup asking for your Smart Card.

We are not using Smart Cards at all, and have had a look at the following article regarding this issue, but the hotfix didn't work: https://support.microsoft.com/en-us/kb/2955631




I have software that can remove the encryption but will require the .pfx file, which can't be exported as the certstore doesn't show that it still has this.



It is a self signed certificate generated by Windows, so I can't request a new one using the CA.


Thanks for your help in advance.

RELEVANCY SCORE 86

Scenario: IE browser ends TLS 1.2 handshake prematurely resulting in a page cannot be displayed for the user. Change the browser settings by removing TLS 1.2, leaving TLS 1.1 and TLS 1.1 handshake completes without a problem.

TLS 1.2 Process - Fail scenario

The client sends a "Client hello" message to the server, along with the client's random value and supported cipher suites.
The server responds by sending a "Server hello" message to the client, along with the server's random value.
The server sends its certificate to the client for authentication and may request a certificate from the client. The server sends the "Server hello done" message.
The Client sends ACK for Server Certificate
The Client sends FIN/ACK
The Server sends FIN
The Server sends FIN/ACK
The Client sends ACK

Result: Page cannot be displayed
No client error event in logs (looking for information to enable additional logging or increase verbosity)
Agreed upon Cipher: Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)
Cert Chain

Algorithm Id: 1.2.840.113549.1.1.11
Algorithm Id: 1.2.840.113549.1.1.11
Algorithm Id: 1.2.840.113549.1.1.5

While TLS 1.2 fails on IE 9, 10 and 11:

TLS 1.1 has no issues
Firefox TLS 1.2 has no issues
Chrome using TLS 1.2 has no issues

RELEVANCY SCORE 86

I am not sure where to post this, so I put this into the general section.

I was trying to learn about the Certificate Services Client scheduled tasks today and basically I failed. With lots of information available on various Microsoft sites, the basic questions are apparently very hard to answer.

The question is - what are these tasks doing on a stand-alone machine? I mean, I have a PC at home which is not part of a domain, active directory is disabled as far as I know, no windows networking either (the "network", i.e. my dsl connection, is treated as a "public network"). The Windows credential manager shows zero credentials stored on the machine.

Yet, there are scheduled tasks active and running every time I log onto the machine with the description:

"Certificate Services Client automatically manages digital identities such as Certificates, Keys and Credentials for the users and the machine, enabling enrollment, roaming and other services."

It does not preclude me from doing anything on the computer, but it clearly uses a lot of disk read/write operations. If I am on the HDD, this is fairly noisy. On SSD I am worried about the unnecessary writes.

So, the question is - do I actually need these tasks or they are safe to disable? What exactly is being "managed" by these tasks if there are no credentials at all on the machine?

A:Certificate Services Client scheduled task

SSL, aka., HTTPS uses certificates along with those various services involving certificates. Digital Signatures (which Windows uses extensively) also make use of certificates and the various services provided by the service.

So yes, you need it.

RELEVANCY SCORE 86

A summary of this problem is that "The Client Certificate Private Key release prompt is incorrectly shown on the first login user's desktop rather than on the desktop of the active user who has selected the client certificate to submit to a website."
We are using RDS 2012 R2 and Internet Explorer 11.

There is a thread from May 2014, but I see no resolution. Can you offer a suggestion?

RELEVANCY SCORE 86

How may my clients silently import our SPC certificate during the overall program installation process? Originally, I was thinking of kicking off a batch file to do this, but if there is a better way, I'm interested to learn it. So, far I have this much figured out:

rundll32.exe cryptext.dll,CryptExtAddSPC myCert.spc

However, when I run that line from the command prompt, it kicks off the Certificate Import Wizard. My users are not going to know what to do with that. How can I import this certificate silently, so that no user intervention is required? Thanks.
 

A:Solved: Silent Client Import of SPC Certificate

My DEP problems seem to have gone away. I was able to get the print driver uninstalled and do a clean install. Additional solution options can be found here:

http://superuser.com/questions/264893/data-execution-preventing-popup
 

RELEVANCY SCORE 85.2

We are currently attempting to upgrade a large amount of older machines at our facilities to WES7 thin clients, HP models t5740e. The rollout has been going quite well with one nagging complaint; a warning box when trying to connect to the RDP server.

Every time a user clicks the 'connect' button on the HP Connection Manager, we get the following :



We have joined the thin clients to the domain, created certificates, and we assigned trusted root CAs via Group Policy, but the warning persists. Going in through IE on the machine shows us the certificate IS being trusted despite the warning box stating otherwise.

The only way we've been able to get the warning to stop showing up is by disabling all the local resource redirections (IE : 'redirect local printers', 'redirect comm ports', and so on). I honestly don't know why that would affect the certificate being trusted or not, but it's not a good fix for us. We need local resource redirections for about half our deployments.

Has anyone here had experience with this or a similar issue?

A:Eliminating HP Thin Client RDP Certificate warning popups

Hi CBT, welcome to the Seven Forums.

Do this on remote clients, both in Group Policy > Computer Configuration and Group Policy > User Configuration:

If it does not resolve your issue, see this article for further information: How to resolve the issue: "A website wants to start a remote connection. The publisher of this remote connection cannot be identified." - Remote Desktop Services (Terminal Services) Team Blog - Site Home - MSDN Blogs

Don't let the title fool you; in your case it's not a website making a remote connection but the workaround is the same.

Kari

RELEVANCY SCORE 84.4

Seems that the "Microsoft Certificate Trust List Publisher" certificate (valid: 01.27.2017-04.12.2018) is missing the following EKU: 'Microsoft Trust List Signing' (1.3.6.1.4.1.311.10.3.1) ?!
-ExtendedKeyUsage
     -Usage
          [ oid] 1.3.6.1.4.1.311.10.3.1
          [ name] Microsoft Trust List Signing
-ErrorStatus
     [ value] 10
     [ CERT_TRUST_IS_NOT_VALID_FOR_USAGE] true
Note: KB2328240 is imho not permanently fixing this problem! (*curing only some derived symptoms)

RELEVANCY SCORE 84.4

Hi,

Our company is planning to replace SHA1 certificates to SHA256 certificates. We are now on the testing phase.

Our Radius Server is: Cisco ACS
Current Authentication Method: User Authentication (EAP-TLS using our PKI infrastructure)

Issue: Clients using Windows 7 cannot connect to our current SSID but Windows 10 users can connect. Using the old SHA1 certificate, both Windows 7 and 10 users can connect. Windows 7 machines are saying "a certificate is required to connect to <SSID>", even though the certificate is already installed.

Changing the authentication from "User" to "Machine" authentication, the Windows 7 laptop responds and attempts to connect on the Cisco ACS.

Cisco TAC says
"ACS is properly configured, but as explained before we are not reaching the TLS handshake between ACS and windows machine since the windows machine is not responding to the WLC EAPOL packet."

What could be the problem on the Windows 7 machine? Do we need to upgrade something?

RELEVANCY SCORE 84.4

I tried looking up Certificate Services Client on MS site and it's impenetrable whether I need this thing for everyday Vista use. I'm not running a web server or MS database app. All I know is it's one of the last remaining Scheduled Tasks that wants to run my HD on forever once it kicks off(forever meaning longer than 5 minutes even if the PC is not idle.) It's a PITA waiting around to burn a DVD or whatever for this thing to quit when I don't know what it does. I just hate to shut stuff off trial and error fashion.

edit: additional info. I'm on a 2 PC home Lan. Not a domain. Don't see that I need Roaming and all that but you never know with Windows.

RELEVANCY SCORE 84.4

Hi, in the Event Viewer I have been getting an error, Event ID 64. I have followed it up, but when I click on the Certificate to renew it, I get message that Windows cannot renew it. Apparently the Certificate will expire on 2/7. I tried to delete it and I get message that it is needed for encryption. Below is the exact message. Do I have to do anything????


Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Date: 22/06/2012 2:43:56 PM
Event ID: 64
Task Category: None
Level: Warning
Keywords: Classic
User: N/A

Description:
Certificate for local system with Thumbprint 7e 2f ce f9 7e 33 fb 1a 59 16 f5 0f a5 d3 fc a2 ed 18 21 2f is about to expire or already expired.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-CertificateServicesClient-AutoEnrollment" Guid="{F0DB7EF8-B6F3-4005-9937-FEB77B9E1B43}" EventSourceName="AutoEnrollment" />
<EventID Qualifiers="32768">64</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-06-22T04:43:56.000000000Z" />
<EventRecordID>18541</EventRecordID>
<Correlation />
...

A: Win7, 64 bit, Windows Certificate Services Client-Auto Enrollment

Have a look at the Resolve section on this page:

Event ID 64

A Guy


Dears

Hi, I faced the error below in all my virtual machines in our domain. How can I fix it? It's a big headache for me.

Note: We don't use templates in the office, and the CA cert is valid till 2020.

Error 0xc800042d


Hi,

Our company is planning to replace SHA1 certificates with SHA256 certificates. Our parallel PKI infrastructure using SHA256 is now in place.

Root and Policy CA are shut down. Only the Issuing CA is online. AIA and CDP were already published. Clients can now get the new SHA256 certificates.
We are now in the testing phase.

Our Radius Server is: Cisco ACS
Current Authentication Method: User Authentication (EAP-TLS using our PKI infrastructure)

Issue: Clients using Windows 7 cannot connect to our current SSID but Windows 10 users can connect. Using the old SHA1 certificate, both Windows 7 and 10 users can connect. Windows 7 machines are saying "a certificate is required to connect to <SSID>", even though the certificate is already installed.

Changing the authentication from "User" to "Machine" authentication, the Windows 7 laptop responds and attempts to connect on the Cisco ACS.

Cisco TAC says
"ACS is properly configured, but as explained before we are not reaching the TLS handshake between ACS and windows machine since the windows machine is not responding to the WLC EAPOL packet."

What could be the problem on the windows 7 machine? Do we need to upgrade something?


The option "Find Certificate" is missing when I try to edit a certificate on another computer using mmc. Could you please let me know how I can solve that? I'm sure I'm admin on the remote machine.


Hi All,

I think I've just done a dumb thing! I never learn, don't make decisions first thing in the morning, before I've finished my coffee and have had a chance to boot up.

I had a pop up telling me that there was an unverified certificate from the revocation list, do you wish to proceed? There was a choice of install certificate or not to proceed, no prizes for anyone guessing what I did!

My question is, how can I now find this certificate and actually see what it's about and get rid of it if it's suspect? The prompt was accompanied by the Java logo down on my task bar so I assumed it was OK. Big mistake, I know, as Java has been on the usual suspects list for years now, so I'm feeling pretty stupid at the moment. Is it possible to find it by date of installation? I've found by searching already that all the certificates have expiry dates but nothing to show when they were installed. Can anyone help me out?

Hiconic

A: How do I Find the last Certificate installed

These ?



We have a strange issue going on with a couple of freshly imaged Windows 7 workstations over here.

At first we were unable to remote in to them because of a message that the remote computer does not support NLA. Setting the option to "Allow connections from computers running any version of Remote Desktop (less secure)" works, but then RDP goes directly to the remote machine and authentication happens there, which would be the case with an XP (or other non-NLA-capable) machine.
I tried troubleshooting the issue by opening the Certificates snap-in in mmc and deleting the Remote Desktop self-signed certificate, but I seem to be unable to reissue/recreate it again...
I have read that I need to restart the Remote Desktop Configuration service in order for the certificate to recreate itself, but whenever I try to do this, Event Viewer logs the following error:
Log Name: System
Source: TerminalServices-RemoteConnectionManager 
Event ID: 1057
The Terminal Server has failed to create a new self signed certificate to be used for Terminal Server authentication on SSL connections. The relevant status code was An internal error occurred.
.

Any help or ideas on that would be greatly appreciated!





MCTS ConfigMgr 2012 | Twitter: @SergeiBiliarski | LinkedIn:
Sergei Biliarski

A: How can I reissue the Remote Desktop self-signed certificate for a standard Windows 7 client machine?

Hi,

Please check if this post can help:
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/8df42746-465f-4902-95a6-121ef1f0fd68

Meanwhile, you can try the following:
Check the MachineKeys directory.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\XXX

Copy the keys to a different directory by taking a backup and go into the file system and also delete the files in C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\.
After deletion log off and log in to see how it works.

If this cannot help, I recommend posting in the Server Forum to get more insights.
http://social.technet.microsoft.com/Forums/en-US/winserverTS/threads

Tracy Cai
TechNet Community Support


I have IIS 7.5 running in Win7 Pro.

When I install a certificate I first create a certificate request. The certificate does install fine. After a while the certificate doesn't work any more. I try to install the certificate again and it says it doesn't match the certificate request. What is deleting the certificate request and the friendly name of the certificate so the certificate doesn't work?

Could it be CCleaner that is deleting the info?
In what file/registry is that information stored? Maybe it's a bat file I created to delete temp files?
If I knew where it was stored I could possibly figure it out.

Thanks,

Docfxit


Please Note: System worked perfectly with ATA prior to ATA 1.8 and ATA 1.8 Update 1.
Upgraded to 1.8 & Update 1. GW Service would not upgrade and constantly restarted. Event log errors 7031.
Uninstalled, Cleaned System (Certs, Files, etc.), Reinstalled. Same issues.  Uninstalled/Reinstalled both GW & Center. Same Issues.  Verified json files are correct and match Certs installed.
Certs are Enterprise Root CA issued with proper CSP and 2048 bits. (Remember, system worked perfectly prior to 1.8 or 1.8 Update 1).
ATA Version 1.8.6645.28499 (1.8 Update 1)


ATA Center: Windows Server 2012 R2
ATA GW: Windows Server 2012 R2 (AD Domain Controller)


ATA GW Event logs (7031 repeated):
The Microsoft Advanced Threat Analytics Gateway service terminated unexpectedly.  It has done this [x] time(s).  The following corrective action will be taken in 5000 milliseconds: Restart the service.
ATA Center Event Logs: No error


ATA GW file log (Microsoft.Tri.Gateway.Updater-Errors.log):


2017-08-17 19:49:54.3592 5620 17  14689fae-b5a6-4658-81d9-1468df0bd0b6 Error [GatewayConfigurationManager] Failed to get configuration, using default configuration
2017-08-17 19:49:55.5624 5620 16  38e075a2-44a1-4458-8892-20785b231106 Error [GatewayConfigurationManager] Failed to get configuration, using default configuration
(This line Repeats)



2017-08-17 19:49:55.6092 5620 15  e0d63b07-714a-4a77-b954-e698ce5949d2 Error [WebClient+...


I have an MCSA, MCP, etc... but got out of Network Management World in 2004, so I'm a little "rusty" in the Tech world now. That being stated...
I just purchased a new PC from a PC manufacturer. I will call them... Well, Inc. I found and purchased one with a Windows 7 Professional 64 bit Operating System installed. When I opened the box, I found that the Certificate of Authenticity / Product Key label is NOT on the CPU anywhere. The COA/Product Key is NOT on the Restore and Recovery CD, either. Which brings me to two questions:
1. Is it NOT a legal requirement for Dell to install a COA/Product Key on the outside of the box for Windows 7 Professional (or at least on their "Recovery CD")?
2. If I find myself having to reinstall the Operating System (i.e., hard drive failure, motherboard failure, super-bad virus), won't I need the Windows 7 Professional Product Key to reinstall the OS and validate as genuine?
From experience, getting help from Well, Inc. is like pulling teeth with a pair of tweezers with blinders on. It will take several thousand e-mails and several months for them to correct what I see as a problem. Based on that fact, it might be easier to ship the unit back and request another one... one that has a COA/Product Key label attached to the box, or at least on the "Recovery/Restore CD." Am I missing something here? Can you elaborate/educate this "rusty" ...


We need help to overcome an issue: we are not able to use an installed third-party certificate for IPsec authentication in Windows 7 Embedded SP1.
Whatever third-party certificate is imported in Certificate Manager (certificate store: Third-Party Root Certification Authorities) on the Windows 7 system disappears when we try to select the certificate (CA name) from the certification authorities required for IPsec authentication.
We tried to install and choose the third-party certificate from IIS (Internet Information Services) and from Certificate Manager, but in both scenarios the certificate disappears.
Can you please help us overcome this issue?


Hi all
Basically, I have a Kyocera printer driver that has an expired certificate. I can get the certificate installed with no issues. When trying to deploy the driver to the machines through a script, it asks to be trusted again. This happens every time the driver is removed and reinstalled on the same machine. It does not like the certificate that is in the store for the driver.

Is there a way to accept the certificate so it does not prompt repeatedly? 
Thanks
Charles


I am having trouble decrypting some files even though I have the correct EFS certificate/private keys installed.
My original system crashed (hard drive failure). Thankfully, I had backed up my files and the original EFS certificate that was used to encrypt the files. I re-installed Windows 7 (clean install) on the new hard drive, and restored the encrypted files from a backup. I then imported the original EFS certificate that was used to encrypt the files, and used certmgr to verify that the certificate was properly installed in Personal/Certificates. I also verified that the EFS certificate has the correct private key. Additionally, I verified that the Thumbprint of the EFS certificate matches the "Certificate thumbprint" specified in file properties of the encrypted file.
So with the original EFS certificate/private key corresponding to my encrypted files installed, I attempted to decrypt the files using several methods... first just by simply un-checking the "Encrypt" option in file properties, and then by using "cipher" in the command prompt. Every time the decryption failed with an error message "Access is denied." I thought it might have been a file permissions problem, so I tried to seize ownership of the file to get the correct read/write/modify privileges... same problem.
Any ideas?

A: Windows re-installed / original EFS certificate+private key imported, thumbprint matches / EFS Access denied on decrypt

I had thought that it might be a problem with the new User account not matching the original User the Certificate was issued to... but then what would be the point of backing up the Certificate + key, if it couldn't be used to decrypt the files? Would be totally pointless!
But I figured it out. The problem was that the EFS Certificate + key I installed were not marked as Trusted. So even though they were installed in the "Personal" directory where EFS certificates are kept, Windows refused to use them. (You can see this if you examine the certificate properties in certmgr.) The solution is to install another copy of the certificate in "Trusted Root Certificates," then uninstall/reinstall the Certificate + key in "Personal." Then, voila, I was able to decrypt all my old encrypted files using EFS!!
I am not in a domain environment, it's a standalone machine. I don't know if this procedure works for domain environments... I suspect that EFS might require that the User account match the User the certificate was issued to on a domain. However, this was not a problem on my machine. It turns out that (on a standalone machine, at least) the encrypted file is not tied to a specific User account--it only cares about the Certificates that are installed.


We've shipped a server (Proliant DL380 G7) and a switch (Procurve j9836A) to China. But the Chinese government/customs are holding up our whole container shipment, because of missing CCC certificates. Where can I obtain these certificates? I've called HPE on several numbers. Spoke with several people. With each call I've given the start information like my name etc. This took 6 times 5 minutes. But still getting nowhere. All tech support and phone support is outsourced to India or something. Sadly they only ask for information over and over again, but are not helping me with the actual request. Please, can someone tell me how to obtain CCC certificates for my HP hardware? It can't be true that HPE itself cannot help me with this. They are their products.


We have some Win 7 clients on our network with the same updated OS and IE on them. When we connect to a secure website (HTTPS) from these clients, we see various reactions; some of them connect and open the website normally and others show a security caution which includes "there are issues with the site's certificate chain(net::ERR_cert_authority_invalid)".
I should add that I checked the certificate publisher in IE and found that the intermediate certificate authority of the website's certificate chain cannot be seen on the clients that have the problem.

How is it possible that clients with the same updated OS and IE show different messages?
How can I solve this issue?
