ACS CERTIFICATE ISSUE
Hi
We have Cisco AP's set up around our buiding. This is controlled by our WLC. We also have a Cisco ACS server set up. Some of our domain users are able to go our customers sites which are on different domains and are able to gain access to thier own home domains by logging on with laptops. I know the customers IT department are using RADAIUS and ARUBA Wireless.
I have been asked if we can allow customers to come to our office and allow then to log onto thier laptops, connect remotly through our wireless and let them connect to thier domain.
I believe this is possible through the ACS server, The ACS server would have the customer domain name configured in user and identity, Radius identity servers. The user would log in and authentication and would be directed through a different vlan to the cust AD.
I have set up a test WAP on our WLC, Logged in with a laptop which is running windows 7 that does not belong to our domain. The ACS can see this but will not grant access. I believe that this is a certificate problem.
Are there any settings that I may have missed or can anyone shed any light or advice on this please.
Thank you
Regards
Jayesh,
You can use the radius proxy feature in ACS, when the external users connect you can build a rule such that "username ends with external.com" to use the radius proxy server "A". you will need to build the proxy connect with their radius server.
Thanks,
Tarik Admani
*Please rate helpful posts*
Similar Messages
-
Certificate issues in ACS 4.0 for Windows
Hi,
One of the ACS is configured as CA using third party Certificate, But the server certificate on ACS was self generated and is expired.
I tried using the same third party certificate to replace the existing expired server certificate on ACS both by generating CSR on ACS and install new certificate using local storage and read from file options but failed.It gives the following error while using CSR generated private key
"private key doesnt fit for this certificate"
Next assuming that the installed third party certificate with its own private key can be used to install certificate from the storage gives the following error:
"Cannot get the private key from certificate. It's absent or not marked as exportable"
Again assuming that third party certificate has multi server/seat licences.
Any solution to this issue will be of great help.
Thanks
Regards,
AhmedRe-installing the certificate may resolve this issue.
Install CA Certificate on your Appliance
===============================
A. Go to System Configuration > ACS Certificate Setup > ACS Certification Authority
Setup
B. Click "Download CA certificate file"
C. Type the IP address or hostname of the FTP server in the FTP Server field
D. Type a valid username that Cisco Secure ACS can use to access the FTP server in the
Login field
E. Type the above user's password in the Password field
F. Type the relative path from the FTP server root directory to the directory containing
the CA certificate file in the Remote FTP Directory field
G. Type the name of the CA certificate file in the Remote FTP File Name field
H. Click Submit
I. Verify the filename in the field and click Submit
J. Restart the ACS services in System Configuration > Service Control -
CA and Certificate Issue in ACS 4.0 For Windows 2003 Enterprise Server
Hi,
I have configured Microsoft CA server on the same ACS 4.0 for Windows 2003 enterprise server which was configured earlier using the self generated certificates for EAP and PEAP authentications.
After I change the certificate from self generated to the new CA certificate that can be viewed under install ACS certificate option on ACS server but having the following problems
1. SSL is not functioning while internet browser access to the ACS server and going through http instead of https.
2. Wireless clients are authenticated successfully even after the certificate is uninstalled.
Any help on these problems will be appreciated.
Thanks
Best Regards,
AhmedHi Rohit,
Thanks for reminding the HTTPS option under Administration Control on ACS.
I have some doubts pertaining to installation of certificates on Wireless clients though it is optional for Self Generated Certificates but what in case of Mirosoft CA as I tested wireless client authentications even after removing the certificate from microsoft supplicant WindowsXP SP2 having installed the patch KB885453 for PEAP. How the certificate on wireless client works.
Is it mandatory or optional to keep certificate on Wireless Clients as they could able to get authenticated through ACS after removing the certificate.
Thanks
Best Regards,
Ahmed -
EAP-TLS 802.1x certificate issue..
Hi All,
I m trying to setup eap-tls 802.1x using ACS SE 4.1.1.23.4 , WLC & CA. The problem i m facing is with installing the CA certificate on ACS appliance. Tried everything from cisco docs but not able to install certificate as its giving " Unsupported private key file format." The steps whic i had performed are...
1) Generate Certificate Signing Request:
Certificate subject ---- CN=idea_acs_01
Private key file ---- privatekeyfile.pem
Private key password -- cisco
Retype private key password -- cisco
Key length --- 1024
Digest to sign with --- SHA1
Then coppied the certificate signing request from the right side & pasted it on CA using "advanced certificate request" & then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file" option on CA & pasted the output in Base-64-encoded
certificate request. Then issued the certificate from CA & downloaded it on my desktop & then from my desktop to FTP server.
Even made a file naming privatekeyfile.pem with the output got during Generating Certificate Signing Request & uploaded the same on FTP.
2)Install ACS Certificate:
Then downloaded the certificate certnew.cer from FTP server using Download certificate file option. And also Download private key file from the FTP & typed password cisco. But after Submiting it gives error:
"Unsupported private key file format."
m not able to get why this srror is comming. Even tried all the steps above changing the format of Private key file ie .pvk , .pk but its not working for me.
Can anyone guide me whats the issue. Thanks in advance..
Regards,
PiyushHave you looked at this:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00804b976b.shtml#appb
Try to open up the certificate and verify that it looks something like this:
-----BEGIN CERTIFICATE-----
IFNlY3VyZSBHbG9iYWwgZUJ1c2weluZXNzIENBLTEwHhcNMDgwNTIzMTc0MTM4Wh
MTMwNTIzMTc0MTM4WjCB1jELMAkGA1UEBhMCVVMxJjAkBgNVBAoTHWd1ZXN0d2lm
aS5pbnRlcm5hbC5qZW5uwrZXIuY29tMRMwEQYDVQQLEwpHVDcwODk1Njc1MTEwLw
VQQLEyhTZWUgd3d3LnJhcGlkc3NsLmNvbS9yZXNvdXJjZXMvY3BzIChjKTA4MS8w
LQYDVQQLEyZEb21haW4gQ29asudHJvbCBWYWxpZGF0ZWQgLSBSYXBpZFNTTChSKT
MCQGA1UEAxMdZ3Vlc3R3aWZpLmludGVybmFsLmplbm5lci5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAKTItrvHtgKSb+7671dndS1RyMfQleF9Jp+ebuPj
Fd4JDjQdv3Ex7fSWrMarHivCok7rivw2c3BAP+sHYikosuwFTQTyf+4vuOzY2B2M
reUWkFA3PX4wYBN54DXUSpLzbmNvf+Vr3SmMIUNJ6rBMxeasXIBc9k3k/BoGp8Ad
dIeZAgMBAAGjgber0wgbowDgYDVR0fdPAQH/BAQDAgTwMB0GA1UdDgQWBBSsQk/8
ySPY+6j/s1draGwwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1Ud
EwEB/wQCMAAwDQYJKoZIhvcNAQEEBQADgYEAlwu0GebX/w2TcxfE3lDUoIyCeLbS
A6V+f812YMiXG46in1Qp0BuZtjQyDfvhOT1bszCzGLU39EVsSc5If63tIVi2Onq6
iFMoa/BIbb9vK9o25Zy6FuxSizbMeKKrfFLp4RiEGkCOe68jZ8lFzT/hVvYspe72
eUv4viaap9fTfcVM=
-----END CERTIFICATE----- -
802.1x - ACS authentication issue.....
I will attempt to explain the history of our wireless controller configurations as best I can. We are currently using a 4400 controller running 7.x software which authenticates to and ACS 4.1 appliance. All of this was set up prior to my arrival on the job and the previous engineers had already left with no documentation in place so I'm trying to piece it together. The ACS is setup to map to AD for specific groups.
In the controller we have an SSID called triton which is our corporate SSID that all internal users connect to. Three different interfaces have been defined, a general one for most users and two others( lets call them INT1 and INT2) that place users on separate ip networks. The reason for this is those ip networks can reach certain services that are not allowed for general users. ACS maps those users upon authentication to the Vlans associated with those separate ip networks.
Problem 1. When I first took this job, users could not map drives or any services because only user authentication was taking place..After some troubleshooting and realization that ACS was authenticating, placing the "Domain Computers" group as an ACS group mapping fixed that issue, allowing the computers to authenticate prior and therefore execute the login script
Problem 2. Recently it has come to my attention that some of the users on one of the other interfaces (INT1 and INT2) that should be placed in the vlans associated with their AD group mapping are not. Upon further investigation it was discovered that the reason they are not is that the authentication is not correct. When the computer first authenticates before the user logs on its shows in ACS as host/xxxxx.yyyy.org where the user authentication shows as xxxxx/username . So some of the computers never change from authenticating as a host to a user and the ip address ends up in the wrong vlan.
Please help. I'm not extremely familiar with Cisco 802.1x setup and the documentation is poor at best.Ok, maybe I should be asking what the proper way to set up both machine authentication and user authentication through the 4400 and ACS 4.1 is then.
The topology that I know of is this. Single 4.1 ACS appliance and single 4400 controller with approximately 35 LWAPP's. In the past ONLY user authentication was being used which presented problems with Group Policies and login scripts executing. Adding the AD "Domain Computers" group as an ACS mapped group solved that problem by allowing the domain computers to authenticate and gain access to the network prior to logon (but maybe they were still actually using "user authentication"?). Not sure if this was the proper way to solve the issue but it worked and we at the time didn't notice any side effects. Although now we are seeing users end up in the wrong VLans and when we look at the logs in the controller the computer they are on is only registering as host/xxxx.yyyy.org (machine authentication) which drops them into the default vlan instead of the vlan which they should be based upon AD group membership from ACS.
I am very familiar with other wireless products and controllers such as Aruba. In the Aruba, when the machine first booted up and gained access to the network it was using machine authentication, but as soon as the user logged on the supplicant would push the user credentials and change the method to user authentication. In the Aruba we used the windows supplicant. I'd like to do the same with Cisco.
As far as I can tell, there is only a server side (ACS) certificate from Thwate that is used to authenticate. -
Security certificate issue for Provider Hosted App (SP Online)
Hi all,
I am having a hard time with SP Online debugging a basic provider hosted app.
Steps I have taken to create the app:
created a new provider hosted app in Visual Studio 2013 and setting my SP Online debugging site (wich works perfectly for SP hosted apps).
Chose Azure ACS option, although I do not have an Azure account
When I deploy the app I get to the page on my debugging site where I must choose "Trust It", but when I do I get the message that the Connection is Unsecure/unsafe:
How can I fix this? Do I need to create an Azure account for debugging purposes already? Or is there another way to solve the problem?Hi,
I understand that you get Security certificate issue for Provider Hosted App (SP Online).
Per my knowledge, you need to create an Azure account for debugging purposes.
To create a SharePoint 2013 app for Office 365 and publish it to an Azure web site, you can refer to:
http://blogs.msdn.com/b/kaevans/archive/2014/02/24/creating-a-sharepoint-2013-app-with-azure-web-sites.aspx
Best Regards,
Linda Li
Linda Li
TechNet Community Support -
Basically my Ipad2 stopped allowing me to go to sites such as Tumblr a little while ago. It wouldn't display the page properly because of 'security certificate' issues. This in itself would not have been such a problem, but when I went to the App store to try and download the Tumblr App, a pop up appeared asking me to answer some security questions before I could successfully install the App. However, the pop up would not display correctly because of 'security certificate' issues and as a result I can't download any apps from the App Store. Can anyone help with this??
Well, I maged to delete some stuff, download the update...
My Mac mail is still not ok. Still only displays today, yesterday and everything is the 16th of the month previous to this?
All a bit strange to say the least any suggestons on how to resolve this.
I now have a second issue in all my emails at the very top of each it describes in detail the full information of
Delivered-To:
Received:
Received:
Received:
Received:
X-Received:
Return-Path:
Received-Spf:
Authentication-Results:
Content-Type:
Mime-Version:
X-Mailer:
X-Cloudmark-Analysis:
Surely this should not be displayed rather insecure I would think. Any suggestions on how to amend -
Certificates issued by communications server for client authentication
Hi,
we ran into problem with those certificates, that are being issued by the lync server itself. In our enteprise we have CX600 and CX3000 phones, and i know that certificate authentication is required for the phones to work (both for registrar and webservice).
However, now that users have lync installed, they have their communications server certificate assigned as well. The problem is when a user needs to sign a document with the certificate from our private CA, for most of the users, word or excel suggests to
use a certificate issued by communications server, not our ent CA. Maybe there is a way for LYNC to trust private enteprise CA and not give out its own certificates and STILL use certificate authentication?
Thanks!Facing almost the same issue, Lync (server) issues ClientAuth certs from "Communication Server", (btw
is not trusted of course), and in turns forces users to make a selection of which VPN cert to use when dialing in, instead of only one ClientAuth cert installed, they now have 2 ClientAuth certs installed, which our internal CA's should care about and NOT
the Lync (server).
Don’t get how an MS product of this caliber can be built without proper PKI integration, how can it NOT utilize internally issued certs for client authentication???
Not the first though, SCCM and OSD is another example....
However, are you saying that Lync communication can’t be used without certificate authentication,
without the user being spammed with credential prompts?
Trying to get clarification on this… -
Checklist for Exchange Certificate issues
Checklist for Exchange Certificate issues
1.
Why certificate is important for Exchange and What are Certificates used for
Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
Certificates are used for several things on Exchange Server. Most customers also use certificates
on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
POP/IMAP
SMTP
2.
Common symptoms for
certificate issue
Here we can see three different types of the certificate warning, mainly from the Outlook
side.
a.
Certificate mismatch issue
b.
Certificate trust issue
c.
Certificate expiration issue
3.
Checklists
In this section, checklists will be provided according to the three different scenarios:
Certificate Mismatch Issue
[Analysis]:
This issue mainly occurs because the URL of the web services Outlook tries
to connect does not match the host name in the certificate.
[Checklist]:
Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
In this scenario, you need to check the host name for the following services:
Autodiscover
EWS
OAB
ECP
UM
If any of the urls above does not match the one in the certificate, refer to the following article to change
it via EMS:
http://support.microsoft.com/kb/940726
1.
Do not forget to restart the IIS service after applying the changes above.
2. Make sure a valid certificate is enabled on the IIS service.
Certificate Trust Issue
[Analysis]:
For the self-signed and PKI-based (Enterprise)
certificates, they are not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, Third-party or commercial
certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
greatly simplifies deployment.
[Checklist]:
If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder:
If it is a 3<sup>rd</sup>-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local
client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
Certificate Expiration Issue
[Checklist]:
When a certificate is about to expired, we just need to renew it by referring the following article:
Renew an Exchange Certificate
http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
To avoid any conflictions, it’s recommended to remove the expired certificate from the certificate store.
[How to set a reminder to alert the administrator when a certificate is about to expired]:
It’s easy to fix the certificate expire issue. But it should be more important to set a reminder before the
certificate expiration. Or there can be a large user impacts.
Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
If it’s not quite visible, we can refer to the following solution:
http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
OWA certificate revoked issue
[Analysis]:
IE
includes support for server certificate revocation which verifies that an issuing
CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions
are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
[Solution or workaround]:
1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
2. If not, check whether the certificate has a private key.
3. Remove the old certificate and import the new one.
Workaround:
IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
checkbox.
4.
More References
Digital Certificates and SSL
http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
More on Exchange 2007 and certificates - with real world scenario
http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx(Reported previous post with link to SIS package to moderator)
This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
But there are no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
At this point, try 2.7.0 which is out now:
http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this my using Wifi (if possible).
Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM -
CF7 and JDK 1.4.2 - EV SSL Certificate Issue
Let me start off by telling the group that we do not use CF for any of our applications. We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use. We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API. About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy. I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck. Here are the details:
EV Certificate issued by DigiCert (4096-bit).
Customer is on CF7 and JDK 1.4.2.
When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application. He is using cfhttp to post his requests. We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates. Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 is returns an invalid certificate error and still will not work.
Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
Thanks in advance to those gurus that reply. I have attached a sample post from our customers logs with non-essential data removed.
I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
- DaveDave,
I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
to either CF 8 or CF 9 to get the issue quickly resolved.
I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
if I do find a solution, I'll definitely post it there for you.
Cheers -
How to fetch certificates issued in past
Hi,
I have a long list of templates issued in my Client's Issuing CA, some of them are not in use. If I try to export " Issued Certificates" list from CA, it hangs.
I want to know how many certificates and last certificate issed from a specific template for fine-tuning and seggregation purpose. Please let me know how we can check that status.
Thanks
Neha GargHi Paul,
I am getting the output like this :
C:\Windows\system32>certutil -view -restrict "certificate template=<1.3.6.1.4.1.
311.21.8.10269956.2688026.1196953.3333800.9810006.227.1092942.575204>"
Schema:
Column Name Localized Name Type MaxLength
Request.RequestID Request ID Long 4 -- Index
ed
Request.RawRequest Binary Request Binary 65536
Request.RawArchivedKey Archived Key Binary 65536
Request.KeyRecoveryHashes Key Recovery Agent Hashes String 8192
Request.RawOldCertificate Old Certificate Binary 16384
Request.RequestAttributes Request Attributes String 32768
Request.RequestType Request Type Long 4
Request.RequestFlags Request Flags Long 4
Request.StatusCode Request Status Code Long 4
Request.Disposition Request Disposition Long 4 -- Index
ed
Request.DispositionMessage Request Disposition Message String 8192
Request.SubmittedWhen Request Submission Date Date 8 -- Index
ed
Request.ResolvedWhen Request Resolution Date Date 8 -- Index
ed
Request.RevokedWhen Revocation Date Date 8
Request.RevokedEffectiveWhen Effective Revocation Date Date 8 -- Index
ed
Request.RevokedReason Revocation Reason Long 4
Request.RequesterName Requester Name String 2048 -- In
dexed
Request.CallerName Caller Name String 2048 -- In
dexed
Request.SignerPolicies Signer Policies String 8192
Request.SignerApplicationPolicies Signer Application Policies String 8192
Request.Officer Officer Long
4
Request.DistinguishedName Request Distinguished Name String 8192
Request.RawName Request Binary Name Binary 4096
Request.Country Request Country/Region String 8192
Request.Organization Request Organization String 8192
Request.OrgUnit Request Organization Unit String 8192
Request.CommonName Request Common Name String 8192
Request.Locality Request City String 8192
Request.State Request State String 8192
Request.Title Request Title String 8192
Request.GivenName Request First Name String 8192
Request.Initials Request Initials String 8192
Request.SurName Request Last Name String 8192
Request.DomainComponent Request Domain Component String 8192
Request.EMail Request Email Address String 8192
Request.StreetAddress Request Street Address String 8192
Request.UnstructuredName Request Unstructured Name String 8192
Request.UnstructuredAddress Request Unstructured Address String 8192
Request.DeviceSerialNumber Request Device Serial Number String 8192
RequestID Issued Request ID Long 4 -- Index
ed
RawCertificate Binary Certificate Binary 16384
CertificateHash Certificate Hash String 128 -- Ind
exed
CertificateTemplate Certificate Template String 254 -- Ind
exed
EnrollmentFlags Template Enrollment Flags Long 4
GeneralFlags Template General Flags Long 4
PrivatekeyFlags Template Private Key Flags Long 4
SerialNumber Serial Number String 128 -- Ind
exed
IssuerNameID Issuer Name ID Long 4
NotBefore Certificate Effective Date Date 8
NotAfter Certificate Expiration Date Date 8 -- Index
ed
SubjectKeyIdentifier Issued Subject Key Identifier String 128 -- In
dexed
RawPublicKey Binary Public Key Binary 4096
PublicKeyLength Public Key Length Long 4
PublicKeyAlgorithm Public Key Algorithm String 254
RawPublicKeyAlgorithmParameters Public Key Algorithm Parameters Binary 4096
PublishExpiredCertInCRL Publish Expired Certificate in CRL Long 4
UPN User Principal Name String
2048 -- In
dexed
DistinguishedName Issued Distinguished Name String 8192
RawName Issued Binary Name Binary 4096
Country Issued Country/Region String 8192
Organization Issued Organization String 8192
OrgUnit Issued Organization Unit String 8192
CommonName Issued Common Name String 8192 -- In
dexed
Locality Issued City
String 8192
State Issued State
String 8192
Title Issued Title
String 8192
GivenName Issued First Name String 8192
Initials Issued Initials String 8192
SurName Issued Last Name String 8192
DomainComponent Issued Domain Component String 8192
EMail Issued Email Address String 8192
StreetAddress Issued Street Address String 8192
UnstructuredName Issued Unstructured Name String 8192
UnstructuredAddress Issued Unstructured Address String 8192
DeviceSerialNumber Issued Device Serial Number String 8192
Maximum Row Index: 0
0 Rows
0 Row Properties, Total Size = 0, Max Size = 0, Ave Size = 0
0 Request Attributes, Total Size = 0, Max Size = 0, Ave Size = 0
0 Certificate Extensions, Total Size = 0, Max Size = 0, Ave Size = 0
0 Total Fields, Total Size = 0, Max Size = 0, Ave Size = 0
CertUtil: -view command completed successfully.
but it doesnt give me the output that I am looking for. I want to know details of last certificate issued by a given template and its validity status.
Please let me know if I need to make any changes in command.
Thanks
Neha Garg -
Clean Access Agent 4.0.5 certificate issue
Dear all,
I ran into an issue that I hope you could help me resolve.
We have NAC 4.0.5 and windows active directory domain.... the clients log on to the client to access the network with their domain credentials and they used to get the "Certificate is issued from an untrusted...." until I installed the www.perfigo.com certificate to the local certificate store...
But as I'm a newbie... I seem to have done something on the NAC manager that messed up something, cause now the client considers the certificate issued from a trusted source, BUT a warning stating that the name on the certificate does not match the name (image attached)..
What would be the possible solution to this??Hi,
This can happen if you change IP address or hostname of the issued certificate...
Have you done any of these?
As side note, please beaware that 4.0.5 is End of Life since March 16th 2009... so you may want to consider upgrading your setup.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/end_of_life_notice_c51-524732.html.
HTH,
Tiago -
When accessing Intranet sites with that have SSL Certificates issued by our internal PKI, FF for Windows gives an error messsage - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.Hi Guigs2,
From the other post you link too, I can confirm that both the Root and Subordinate CA have been commissioned with the:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
registry key set. As can be seen above, the Signature algorithm on an issued certificate is RSASSA-PSS. This is been Microsoft suggested deployment IF you do not wish to support either XP or Windows 2003 machine and lower. In fact, I believe the option has been around since Windows 2008, however, there were of course, a lot more XP machines back then.
The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added for Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not what to necessary open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla:pkix? -
On a server 2012R2 Essentials when trying to install the essentials experience the first install works ok but the configuration allways stops with the message "Certificate Issuer is installed on this server" and no way to continue the configuration.
Windows/Logs/CBS/
2014-07-24 21:10:04, Info CBS TI: --- Initializing Trusted Installer ---
2014-07-24 21:10:04, Info CBS TI: Last boot time: 2014-07-24 18:36:03.489
2014-07-24 21:10:04, Info CBS Starting TrustedInstaller initialization.
2014-07-24 21:10:04, Info CBS Ending TrustedInstaller initialization.
2014-07-24 21:10:04, Info CBS Starting the TrustedInstaller main loop.
2014-07-24 21:10:04, Info CBS TrustedInstaller service starts successfully.
2014-07-24 21:10:04, Info CBS No startup processing required, TrustedInstaller service was not set as autostart
2014-07-24 21:10:04, Info CBS Startup processing thread terminated normally
2014-07-24 21:10:04, Info CBS Starting TiWorker initialization.
2014-07-24 21:10:04, Info CBS Ending TiWorker initialization.
2014-07-24 21:10:04, Info CBS Starting the TiWorker main loop.
2014-07-24 21:10:04, Info CBS TiWorker starts successfully.
2014-07-24 21:10:04, Info CBS Universal Time is: 2014-07-24 19:10:04.379
2014-07-24 21:10:04, Info CBS Loaded Servicing Stack v6.3.9600.17200 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17200_none_fa7026dd9b04586e\cbscore.dll
2014-07-24 21:10:04, Info CSI 00000001@2014/7/24:19:10:04.379 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7ffd2cb360e5 @0x7ffd2de92e53 @0x7ffd2de924ac @0x7ff60b37d2df @0x7ff60b37d9e4
@0x7ffd588d2385)
2014-07-24 21:10:04, Info CBS Could not load SrClient DLL from path: SrClient.dll. Continuing without system restore points.
2014-07-24 21:10:04, Info CBS SQM: Initializing online with Windows opt-in: True
2014-07-24 21:10:04, Info CBS SQM: Cleaning up report files older than 10 days.
2014-07-24 21:10:04, Info CBS SQM: Requesting upload of all unsent reports.
2014-07-24 21:10:04, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2
2014-07-24 21:10:04, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
2014-07-24 21:10:04, Info CBS NonStart: Set pending store consistency check.
2014-07-24 21:10:04, Info CBS Session: 30386034_3758808251 initialized by client WinMgmt.
2014-07-24 21:10:04, Info CBS Enumerating Foundation package: Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, this could be slow
2014-07-24 21:10:05, Info CSI 00000002 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x172dbed940
2014-07-24 21:10:05, Info CSI 00000003 Creating NT transaction (seq 1), objectname [6]"(null)"
2014-07-24 21:10:05, Info CSI 00000004 Created NT transaction (seq 1) result 0x00000000, handle @0x25c
2014-07-24 21:10:08, Info CSI 00000005 Poqexec successfully registered in [ml:26{13},l:24{12}]"SetupExecute"
2014-07-24 21:10:08, Info CSI 00000006@2014/7/24:19:10:08.151 Beginning NT transaction commit...
2014-07-24 21:10:08, Info CSI 00000007@2014/7/24:19:10:08.182 CSI perf trace:
CSIPERF:TXCOMMIT;32854
2014-07-24 21:10:08, Info CSI 00000008 CSI Store 99552754976 (0x000000172dce7d20) initialized
2014-07-24 21:10:08, Info CSI 00000009@2014/7/24:19:10:08.182 CSI Transaction @0x172e9bcaa0 initialized for deployment engine {d16d444c-56d8-11d5-882d-0080c847b195} with flags 00000002
and client id [26]"TI5.30386034_3758808251:1/"
2014-07-24 21:10:08, Info CSI 0000000a@2014/7/24:19:10:08.182 CSI Transaction @0x172e9bcaa0 destroyed
2014-07-24 21:10:19, Info CBS Session: 30386012_3156824848 initialized by client DISM Package Manager Provider.
2014-07-24 21:12:19, Info CBS Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
2014-07-24 21:12:19, Info CBS TiWorker signaled for shutdown, going to exit.
2014-07-24 21:12:19, Info CBS Ending the TiWorker main loop.
2014-07-24 21:12:19, Info CBS Starting TiWorker finalization.
2014-07-24 21:12:19, Info CBS Ending the TrustedInstaller main loop.
2014-07-24 21:12:19, Info CBS Starting TrustedInstaller finalization.
2014-07-24 21:12:19, Info CBS Ending TrustedInstaller finalization.
2014-07-24 21:12:20, Info CBS Ending TiWorker finalization.
Any ideas?
//ChristerHi Justin!
nltest /server:"servername" /sc_reset:"domaninname" returns: "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN"
Dcdiag /q returns : An error occurred. EventID: 0xC0001B77
The text log was not small enough to post here..
Regards.
Christer
Can not find anything directly related in windows-logs but here is the latest log from CBS folder..
2014-07-28 11:04:25, Info CSI 00000888 [DIRSD OWNER WARNING] Directory [ml:520{260},l:118{59}]"\??\C:\Windows\Inf\Windows Workflow Foundation 3.0.0.0\041D" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"sv-se", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:25, Info CSI 00000889 [DIRSD OWNER WARNING] Directory [ml:128{64},l:126{63}]"\??\C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en" is not owned but specifies
SDDL in component Microsoft.Dtc.PowerShell.Non_msil.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088a [DIRSD OWNER WARNING] Directory [ml:134{67},l:132{66}]"\??\C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en-US" is not owned but specifies
SDDL in component Microsoft.Dtc.PowerShell.Scripts.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088b [DIRSD OWNER WARNING] Directory [ml:520{260},l:134{67}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088c [DIRSD OWNER WARNING] Directory [ml:520{260},l:118{59}]"\??\C:\Windows\Inf\Windows Workflow Foundation 3.0.0.0\0000" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088d [DIRSD OWNER WARNING] Directory [ml:520{260},l:114{57}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft" is not owned but specifies SDDL
in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088e [DIRSD OWNER WARNING] Directory [ml:520{260},l:144{72}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0" is not owned
but specifies SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088f [DIRSD OWNER WARNING] Directory [ml:520{260},l:94{47}]"\??\C:\Program Files (x86)\Reference Assemblies" is not owned but specifies SDDL in component
Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:30, Info CSI 00000890 Ignoring duplicate ownership for directory [l:72{36}]"\??\C:\Windows\microsoft.net\authman" in component Microsoft.Interop.Security.AzRoles, Version
= 6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:31, Info CSI 00000891 [SR] Verify complete
2014-07-28 11:04:31, Info CSI 00000892 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:31, Info CSI 00000893 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:36, Info CSI 00000894 [SR] Verify complete
2014-07-28 11:04:36, Info CSI 00000895 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:36, Info CSI 00000896 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:40, Info CSI 00000897 [DIRSD OWNER WARNING] Directory [ml:520{260},l:120{60}]"\??\C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList" is not owned but specifies
SDDL in component NetFx-ASSEMBLYLIST_XML, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:42, Info CSI 00000898 [SR] Verify complete
2014-07-28 11:04:42, Info CSI 00000899 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:42, Info CSI 0000089a [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:46, Info CSI 0000089b [SR] Verify complete
2014-07-28 11:04:46, Info CSI 0000089c [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:46, Info CSI 0000089d [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:52, Info CSI 0000089e [SR] Verify complete
2014-07-28 11:04:52, Info CSI 0000089f [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:52, Info CSI 000008a0 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:58, Info CSI 000008a1 [SR] Verify complete
2014-07-28 11:04:58, Info CSI 000008a2 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:58, Info CSI 000008a3 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:02, Info CSI 000008a4 [SR] Verify complete
2014-07-28 11:05:02, Info CSI 000008a5 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:05:02, Info CSI 000008a6 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:08, Info CSI 000008a7 [SR] Verify complete
2014-07-28 11:05:08, Info CSI 000008a8 [SR] Verifying 52 (0x0000000000000034) components
2014-07-28 11:05:08, Info CSI 000008a9 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:09, Info CSI 000008aa [DIRSD OWNER WARNING] Directory [ml:520{260},l:56{28}]"\??\C:\Windows\system\Speech" is not owned but specifies SDDL in component Windows-Media-SpeechSynthesis-WinRT,
pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:05:09, Info CSI 000008ab Ignoring duplicate ownership for directory [l:56{28}]"\??\C:\Windows\system\Speech" in component Windows-Media-SpeechSynthesis-WinRT, Version =
6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:05:09, Info CSI 000008ac [SR] Verify complete
2014-07-28 11:05:09, Info CSI 000008ad [SR] Repairing 1 components
2014-07-28 11:05:09, Info CSI 000008ae [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:09, Info CSI 000008af Hashes for file member \??\C:\Program Files\Windows Server\Bin\WebApps\RemoteAccess\Web.config do not match actual file [l:20{10}]"Web.config"
Found: {l:32 b:jiP+IRWGZxsG0nX6il5MCZofFThiSfytb8Ih27r5EPk=} Expected: {l:32 b:KR7DbPqdCKMwdiZI2XDSr42o4ujtpZlzfX9ud+ODKRM=}
2014-07-28 11:05:09, Info CSI 000008b0 [SR] Repairing corrupted file [ml:520{260},l:120{60}]"\??\C:\Program Files\Windows Server\Bin\WebApps\RemoteAccess"\[l:20{10}]"Web.config" from
store
2014-07-28 11:05:09, Info CSI 000008b1 [SR] Repair complete
2014-07-28 11:05:09, Info CSI 000008b2 [SR] Committing transaction
2014-07-28 11:05:09, Info CSI 000008b3 Creating NT transaction (seq 2), objectname [6]"(null)"
2014-07-28 11:05:09, Info CSI 000008b4 Created NT transaction (seq 2) result 0x00000000, handle @0xba4
2014-07-28 11:05:11, Info CSI 000008b5@2014/7/28:09:05:11.308 Beginning NT transaction commit...
2014-07-28 11:05:11, Info CSI 000008b6@2014/7/28:09:05:11.470 CSI perf trace:
CSIPERF:TXCOMMIT;163479
2014-07-28 11:05:11, Info CSI 000008b7 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
2014-07-28 11:07:13, Info CBS Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
2014-07-28 11:07:13, Info CBS TiWorker signaled for shutdown, going to exit.
2014-07-28 11:07:13, Info CBS Ending the TiWorker main loop.
2014-07-28 11:07:13, Info CBS Starting TiWorker finalization.
2014-07-28 11:07:13, Info CBS Ending the TrustedInstaller main loop.
2014-07-28 11:07:13, Info CBS Starting TrustedInstaller finalization.
2014-07-28 11:07:13, Info CBS Ending TrustedInstaller finalization.
2014-07-28 11:07:13, Info CBS Ending TiWorker finalization.
Regards. Christer -
Hello everyone,
I am attempting to setup an enterprise network with a HTTPS Inspection proxy. I have installed the certificate (that the proxy is using to issue other certificates) onto the Macs that are in the network (using keychain) and set the permisions to "always trust". From what I have been reading this is all that I would need to do (http://www.techrepublic.com/blog/mac/managing-ssl-certificate-authorities-on-os- x/314).
However when I enable the policy on the proxy server to intercept the SSL connections I get the following issue in Safari: "This certificate has an invalid issuer" (see attachment).
Does anyone have any ideas on how to fix this? or what I may have done wrong?
AshleyI did two URL mappings similar as below.
Regular Mapping
==============
http://proxy.buyer.com
https://origin.buyer.com (example)
Reverse Mapping
==============
https://origin.buyer.com
http://proxy.buyer.com
I have downloaded the CA root certificate from https://origin.buyer.com and installed it to Netscape under the alias name "proxy".
However when I typed the URL http://proxy.buyer.com on my browser, it returned an error page to me and on the iPlanet error log, it said "The certificate issuer for this server is not recongnized by Netscape.......Netscape is refused to connect to this server".
Maybe you are looking for
-
No Internet Access on Private Network
Hi, I have an and ESXi Host with few VM's and i require Internet Access on these servers. This is Mini lab i have created at home. I have My Home Broadband Router (192.168.0.1) acting as a DHCP server handing out DHCP addresses as usual. A Cisco 3750
-
HP Laserjet P1006 won't work with Windows 8.1
I have an HP Laserjet P1006 which I installed on my new Windows 8 laptop. Everything was working fine. I did an update last night to 8.1. The printer no longer works. I went to the website and downloaded the latest driver which said it would work wit
-
hello there: can i use an imac as the display for a mac mini? i have an old Power PC imac and i'm considering the purchase of a new mac mini and need to know if i need to buy a new monitor or not. thanks in advance.
-
How do i change the name of my songs on itunes?
How do i change song names on itunes? it says " 1 Select the information you want to change. 2 Type the new information. 3 Press enter. this does nothing.
-
what is size of PACKED FILED? please explain