Auth via client SSL cert problem

Web server: iPlanet-WebServer-Enterprise/6.0SP2 B11/13/2001 00:49
I am trying to set up ACLs to allow only certain clients access to the web server via client-side certificates.
The LDAP entry does NOT have a "uid" attribute for the user's entry.
Snooping shows me that the LDAP server is returning the correct LDAP entry. The web server says "get_auth_user_ssl: unable to map cert to LDAP entry. Reason: ldap entry is missing the 'uid' attribute value".
The ACL file looks like:
version 3.0;
acl "default";
authenticate (user, group) {
    prompt = "foobar";
    method = "ssl";
};
allow (read, list, execute, info) user = "*happy*";
allow (write, delete) user = "all";
The client cert CN looks like:
CN=happy.fmr.com test happy.fmr.com, OU=B2B, OU=Applications, O=FMR Corp., C=US
Any suggestions on how to allow only a user whose client CN contains a certain word? Also, is there any way to increase the debug level in the error logs? I know 6.1 can do more but we are limited to using 6.0.
Thanks
Ashish

Hi Faisal -- thanks for your reply. We had an offline chat where you said:
>>>>>>>>
These are the steps that you can follow:
Configure WebLogic Server for 2-way SSL
mydomain > Servers > myserver > Keystores & SSL > Advanced Options
Hostname Verification: None
Two Way Client Cert Behavior: Client Certs Requested but not enforced
mydomain > Domain Wide Security Settings > Realms > myrealm > Authentication Providers > DefaultIdentityAsserter
Trusted Client Principals: provide the CN of the client certificate
Types: X509
Details:
Use Default User Name Mapper: Checked
Default User Name Mapper Attribute Type: CN
Base64Decoding Required: Checked
Go to the security realm and create a user with the username set to the CN of the certificate.
Don't forget to import the client cert's root CA into the trust store of WLS.
If you still face issues, enable SSL debug and securityATN debug and mail me the log file.
<<<<<<
I think there are a few minor config differences and I may have a different version of WLS from you -- the DefaultIdentityAsserter did not contain some of the fields you refer to. Instead I have an LDAPX509IdentityAsserter at the top of the Providers list, and I have made the changes there. My Providers list is:
- LDAPX509IdentityAsserter
- ActiveDirectory
- DefaultAuthenticator
- DefaultIdentityAsserter
I suspect you might be thinking I don't have two-way SSL working at all, but I do, and that's not my question. I can successfully validate a client based on SSL certificate so all the trust stores etc are correct. My question is what happens when there is no client certificate presented by the client -- I want it to fall through to Basic authentication. The ActiveDirectory provider has a Control Flag="SUFFICIENT" setting and I was expecting the X.509 one to have a similar flag, but it doesn't. What controls whether the X.509 provider is REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL in the chain, like the Active Directory one?
Thanks for your time.
-- Ben.
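Both posts above come down to the same chain: take the subject DN of a client certificate that the TLS layer has already verified, pick one attribute (the CN) as the user name, apply the ACL rule to it, and decide what happens when no certificate arrives at all. The Python below is an added example written for this page; it is not iPlanet or WebLogic code and not from either poster. It models that chain against a constructed request. The DN parser, the treatment of "*happy*" as a shell glob, the "all" keyword, the BASIC_USERS table and the Basic-auth fallback are assumptions of the example, not documented behaviour of either server. It also makes visible the catch in the substring rule: "*happy*" admits any CN that merely contains the word, so the rule is only as strong as the control the issuing CA exercises over subject names.

```python
"""Added example: client-certificate user mapping, ACL glob rule, Basic fallback.
Models the chain discussed in the two posts above; not iPlanet or WebLogic code."""
from __future__ import annotations

import base64
import fnmatch
import hmac
from dataclasses import dataclass, field
from typing import Optional


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split an RFC 2253-style DN string into (attribute, value) pairs.
    Backslash-escaped commas are honoured; quoted and hex-encoded values are not
    (an assumption that keeps the parser short)."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def map_cert_to_user(dn: str, attr: str = "CN") -> Optional[str]:
    """Pick one subject attribute as the user name (the 'Default User Name Mapper
    Attribute Type: CN' idea). Returns None when the attribute is absent, the
    analogue of the 'unable to map cert' error in the first post."""
    for name, value in parse_dn(dn):
        if name == attr.upper():
            return value
    return None


def acl_allows(user: str, rule: str) -> bool:
    """ACL rule as a shell glob over the mapped user, e.g. "*happy*".
    The keyword "all" is treated as 'any authenticated user' (assumption)."""
    if rule == "all":
        return True
    return fnmatch.fnmatchcase(user, rule)


# Constructed Basic-auth user table; a real server would consult LDAP or a realm.
BASIC_USERS = {"ben": "s3cret"}


@dataclass
class Request:
    # Subject DN of the client certificate, present only when the TLS layer has
    # already verified the chain against the server's trust store.
    client_cert_dn: Optional[str] = None
    headers: dict = field(default_factory=dict)


def authenticate(req: Request, acl_rule: str) -> tuple[str, Optional[str]]:
    """X.509 first; with no certificate, fall through to HTTP Basic.
    Returns (outcome, user) where outcome is allow / deny / reject... / challenge."""
    if req.client_cert_dn:
        user = map_cert_to_user(req.client_cert_dn, "CN")
        if user is None:
            return ("reject: certificate subject has no CN", None)
        return ("allow", user) if acl_allows(user, acl_rule) else ("deny", user)

    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            creds = base64.b64decode(auth[6:], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return ("reject: malformed Basic header", None)
        user, _, password = creds.partition(":")
        expected = BASIC_USERS.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            return ("allow", user) if acl_allows(user, acl_rule) else ("deny", user)
        return ("reject: bad credentials", None)

    # Neither mechanism supplied anything: answer 401 with a WWW-Authenticate header.
    return ("challenge", None)


# Subject from the first post, used as sample input.
HAPPY_DN = "CN=happy.fmr.com test happy.fmr.com, OU=B2B, OU=Applications, O=FMR Corp., C=US"

if __name__ == "__main__":
    print(authenticate(Request(client_cert_dn=HAPPY_DN), "*happy*"))
    # The substring rule also admits any CN that merely contains the word:
    print(authenticate(Request(client_cert_dn="CN=unhappy.example.net, O=Other"), "*happy*"))
    print(authenticate(Request(headers={"Authorization": "Basic YmVuOnMzY3JldA=="}), "all"))
    print(authenticate(Request(), "all"))
```

Run it directly to see the four outcomes. The second line is the one to think about before relying on a substring match; matching the full DN, or at least pinning the issuer, is the usual fix. The example shows only the decision logic, not how either product wires it.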

Similar Messages

  • SSL Cert problem with smtp

    If I use a self-signed cert and name it default, the SMTP mail service works.
    If I try to use the cert I got from the CA, the IMAP service works with the cert; however, the SMTP service does not.
    This is most odd.

    You don't need to buy a new one.
    See here for more info:
    http://discussions.apple.com/thread.jspa?messageID=6251145&#6251145

  • Webdav with client ssl certificate

    I have created a WebDAV-enabled site on an Apple Mac mini server using Apache. The WebDAV site is secured with https as well as a client certificate.
    While browsing the website using Safari/IE everything works fine, but with the iPad's WebDAV utility it does not. The client cert is not picked up by the WebDAV nav tool, although the client SSL cert is installed on the iPad.

    Some more checking using Wireshark on the destination server:
    I created a simple HTML page contained under a directory that requires SSL and a client certificate, as configured in the Apache configuration.
    This works fine from the IE and Firefox desktop browsers.
    Now, using Safari on the iPad with the appropriate certificates installed (client cert and CA cert) using the profile management tool, I attempted to connect to this page.
    Wireshark shows the iPad contacting the server and the TLSv1 protocol selection (Client Hello and Server Hello).
    Following this the server issues the requested server certificate and the CA cert to the iPad device.
    The iPad device responds with an ACK, and this is where the communication stops. No further packets appear.
    During this time, the iPad has requested that a client certificate be selected using the dialog and the appropriate client cert is selected; however, the network transaction does not show the iPad ever sending this certificate to the server.
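The capture described above can be checked mechanically rather than by reading packets one by one. The Python below is an added example written for this page, not from the poster and not from any product: it walks a byte string of plaintext TLS records, lists the handshake messages it finds, and reports when the server's flight contains a CertificateRequest but the client's reply flight contains no Certificate message. The record and handshake framing are the standard TLS 1.0 to 1.2 layouts; the sample flights are constructed in the code and are not the iPad's traffic. It stops before ChangeCipherSpec, since Finished and everything after it are encrypted.

```python
"""Added example: list TLS handshake messages in captured record bytes and flag a
client flight that answers a CertificateRequest without a Certificate message."""
from __future__ import annotations

import struct

RECORD_HANDSHAKE = 22
MSG_NAMES = {
    1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
    13: "CertificateRequest", 14: "ServerHelloDone", 15: "CertificateVerify",
    16: "ClientKeyExchange", 20: "Finished",
}


def handshake_messages(data: bytes) -> list[str]:
    """Return the handshake message names found in plaintext TLS records.
    Record header: type(1) version(2) length(2). Handshake header: type(1) length(3).
    Handshake bodies are concatenated first because one message may span two
    records and one record may carry several messages. Encrypted records (anything
    after ChangeCipherSpec) cannot be parsed this way and must not be passed in."""
    body, offset = bytearray(), 0
    while offset + 5 <= len(data):
        rtype, _version, rlen = struct.unpack("!BHH", data[offset:offset + 5])
        offset += 5
        if offset + rlen > len(data):
            raise ValueError("truncated TLS record")
        if rtype == RECORD_HANDSHAKE:
            body += data[offset:offset + rlen]
        offset += rlen
    if offset != len(data):
        raise ValueError("trailing bytes after last record")
    names, pos = [], 0
    while pos + 4 <= len(body):
        mtype = body[pos]
        mlen = int.from_bytes(body[pos + 1:pos + 4], "big")
        pos += 4
        if pos + mlen > len(body):
            raise ValueError("truncated handshake message")
        names.append(MSG_NAMES.get(mtype, f"handshake type {mtype}"))
        pos += mlen
    return names


def client_cert_missing(server_flight: bytes, client_flight: bytes) -> bool:
    """True when the server asked for a client certificate and the client's reply
    flight carries no Certificate message (the symptom described in the post)."""
    asked = "CertificateRequest" in handshake_messages(server_flight)
    answered = "Certificate" in handshake_messages(client_flight)
    return asked and not answered


# --- constructed sample records (not from the iPad capture) -------------------
def tls_record(rtype: int, payload: bytes, version: bytes = b"\x03\x01") -> bytes:
    return bytes([rtype]) + version + len(payload).to_bytes(2, "big") + payload


def handshake_msg(mtype: int, payload: bytes) -> bytes:
    return bytes([mtype]) + len(payload).to_bytes(3, "big") + payload


DUMMY = b"\x00" * 8  # message bodies are irrelevant to the walker

# Server flight: ServerHello, Certificate, CertificateRequest, ServerHelloDone,
# spread over two records to exercise the reassembly.
SERVER_FLIGHT = (tls_record(RECORD_HANDSHAKE, handshake_msg(2, DUMMY) + handshake_msg(11, DUMMY))
                 + tls_record(RECORD_HANDSHAKE, handshake_msg(13, DUMMY) + handshake_msg(14, b"")))

# A compliant client answers with Certificate, ClientKeyExchange, CertificateVerify
# (Finished follows ChangeCipherSpec and is encrypted, so it is left out).
GOOD_CLIENT_FLIGHT = tls_record(
    RECORD_HANDSHAKE,
    handshake_msg(11, DUMMY) + handshake_msg(16, DUMMY) + handshake_msg(15, DUMMY),
)

# The observed behaviour: only a TCP ACK, no TLS records at all.
SILENT_CLIENT_FLIGHT = b""

if __name__ == "__main__":
    print(handshake_messages(SERVER_FLIGHT))
    print("client cert missing:", client_cert_missing(SERVER_FLIGHT, SILENT_CLIENT_FLIGHT))
```

In Wireshark the same question is whether the client's second flight contains handshake type 11. An empty flight, as in the post, means the client never got as far as sending a certificate, which points at the client rather than at the Apache configuration.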

  • Exchange 2007 - Outlook Anywhere problems after installing new SSL cert

    *** Original thread posted on wrong forum ***
    Hi all,
    Exchange 2007 environment (2x CAS, ISA 2006). Not very familiar with Exchange.
    Problem: 20-odd machines off the domain use Outlook Anywhere (XP with Outlook 2010). Authentication pop-up and not able to connect.
    The company has recently changed its name and we had to renew the SSL cert. The previous SSL cert was issued to: webmail.oldcompname.co.uk (several SANs on that cert, including internal server names).
    Applied for a new UCC SSL cert issued to: newcompanyname.com (also includes webmail.newcompanyname.com; autodiscover.newcompanyname.com + old SANs).
    The settings on those machines point the proxy to the following:
    https://webmail.oldcompname.co.uk (which is fine since it is in the cert and can be accessed)
    Only connect to proxy servers that have this principal name in their cert.:
    msstd:webmail.oldcompname.co.uk (I believe this is the problem since the new UCC SSL cert was issued to newcompanyname.com).
    Browsing TechNet + the internet, it seems that I need to look into OutlookProvider EXPR.
    When I run Get-OutlookProvider everything is blank (I believe I should be concerned with EXPR only for Outlook Anywhere).
    I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcompanyname.com
    My only concern is whether this might break something else in the Exchange environment, especially as we have 100+ users on smartphones connecting via SSL on webmail.oldcompname.co.uk.
    Is it safe to run this command? Do I need to restart IIS? Do I need to look into any settings on ISA 2006?
    Comments/help are much appreciated.
    Regards

    Hi,
    From the description, I understand that you renewed an SSL certificate.
    "I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcompanyname.com"
    Just do it. Then remove the old certificate on the ISA server and install the new one.
    Found a similar thread for your reference:
    Renewal of SSL certificate in exchange 2007 with ISA 2006
    http://social.technet.microsoft.com/Forums/exchange/en-US/25770038-8491-470a-92fa-8ae50674b7a6/renewal-of-ssl-certificate-in-exchange-2007-with-isa-2006
    Hope it is helpful
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • FTP with SSL cert on ACNS via WCCP

    I have a client using an SSL cert to connect to an ftp server. The user is being redirected to a CE-511 via WCCP v2 but the FTP connection does not work. If I bypass the user (in my wccp acl) it works fine - following a default route to my PIX.
    Any info, good or bad will be greatly appreciated.
    - Matt

    What is the software version running on the CE-511? Did you try upgrading to the latest version of the firmware? This should solve the issue.

  • How to get OS X to accept an SSL Cert the way other UNIX clients do?

    I'm hoping some of the network gurus can suggest a solution for me. My current config is 10.5.4 on PPC.
    I have a host that I need to connect to using SSL but their certificate has a host name mismatch (they are a small org, and can't afford another SSL cert for the moment). I know the cert is valid, so I'm not worried about the security implications of using it.
    On other *NIX clients, I simply have to add the cert into the root chain (e.g. /etc/ssl/certs/ca-certificates.crt), restart the application, and all apps will then accept it as valid.
    On OS X, I've imported the cert into Keychain Access, marked it as "Always Trusted" and set up a policy to "alias" it to the URL I need to access with my application (not a web browser) (ref: KB article: HT1679) in both the login and the System keychains, yet the client application still errors out and refuses to connect to the URL.
    How can I configure client SSL on OS X to work like other UNIX configurations? There doesn't seem to be a way to override the extremely restricted behavior.
    I have MacPorts installed and am open to an application-specific "hack" if necessary, à la "LD_LIBRARY_PATH", if anyone thinks that's feasible (which is what I am looking at now). Conceivably I could recompile the client application since it's OSS, though I'd rather avoid that if possible.
    Any suggestions would be appreciated.
    Thanks in advance--
    =N=

    When you connect with a web browser to an https site that has a mismatched cert, it warns you and you have to tell the browser to ignore the security issue to let you carry on.
    What Unix apps are you using to connect to this server?

  • SSL Cert used to sign Jars for distribution via WebStart

    Hi,
    I have an SSL cert (Comodo InstallSSL) for my website and wondered if I can use it to sign jars so that, when distributed via Web Start, the old "untrusted source" message doesn't get displayed. I've been doing a lot of reading but, to be honest, I can't really find my bearings! I have imported the cert into my keystore but get this message when I try to sign a jar:
    Certificate chain not found for: myalias  myalias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.
    I have the following files in relation to my cert:
    xxx.cabundle (this can be imported into keytool easily)
    cert/xxx.crt (looks like a PGP file, cannot be imported (-import) into keytool)
    private/xxx.key
    My questions I suppose are:
    1. Can I use a cert issued for SSL to sign jars for webstart distribution?
    2. If yes to 1; what steps other than importing the cert alone (which generates the message above) do I need to do to achieve this?
    Any help would be appreciated!
    Rich

    Hi,
    Yes, the PKCS#12 certificate includes the private key, as opposed to P7B, which does not.
    Sent from Cisco Technical Support Android App

  • SPA122 1.3.2(014) HTTPS ssl cert profile problem

    Hello,
    I have had a problem since upgrading the SPA122 from 1.3.1(003) to 1.3.2(014). The profile rule uses https to get the config files every hour or so.
    This was never a problem: the rule is an FQDN, the SPA does a DNS lookup, gets the IP and asks the web server for the config file. Both 1.3.1 and 1.3.2 ask for the file with the resolved IP address rather than the FQDN.
    Now the web server has a valid certificate for that FQDN, but as the SPA122 is asking for the file by IP address the cert is not valid (CN Incorrect: the CN is the wildcard *.domain.com and the IP address is not the FQDN).
    In 1.3.1 the SPA didn't seem to care too much, got the file and provisioned; 1.3.2 now gives an error and says cert err!
    I changed the FQDN for security reasons. Here is what the log of the SPA says: prule is https://FQDN:9192
    Nov 15 14:37:13 Y.Y.Y.Y SCAPC_init(): provision_enable=1 prule=https://ruxxx1.axxxxxxxxxxs.com:9192/xm-$MA.ipr tftp=192.168.1.3
    but here is what the SPA then asks for:
    Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
    Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
    Nov 15 14:40:43 Y.Y.Y.Y FMM >>>> Requesting profile
    Nov 15 14:40:43 Y.Y.Y.Y ssl cert err 20
    Nov 15 14:40:43 Y.Y.Y.Y create ssl connection failed
    Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Resync failed: https_get failed
    Nov 15 14:40:43 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Resync failed: https_get failed
    Nov 15 14:40:43 Y.Y.Y.Y FMM >>>> Failed profile
    while in 1.3.1 it got it fine:
    Nov 15 14:36:42 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
    Nov 15 14:36:42 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Requesting resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
    Nov 15 14:36:42 Y.Y.Y.Y FMM >>>> Requesting profile
    Nov 15 14:36:44 Y.Y.Y.Y ok=20
    Nov 15 14:36:44 Y.Y.Y.Y content len (hdr) =21056
    Nov 15 14:36:44 Y.Y.Y.Y content len (pld) =21056
    Nov 15 14:36:44 Y.Y.Y.Y response code =200
    Nov 15 14:36:44 Y.Y.Y.Y [FPRV] Upgrade status flags cleared
    Nov 15 14:36:44 Y.Y.Y.Y [FPRV] Upgrade status flags cleared
    Nov 15 14:36:44 Y.Y.Y.Y Firmware downgrade limit()
    Nov 15 14:36:44 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Successful resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
    Nov 15 14:36:44 Y.Y.Y.Y SPA122 ac:12:34:56:2d:0a -- Successful resync https://X.X.X.X:9192/xm-ac1234562d0a.ipr
    Nov 15 14:36:44 Y.Y.Y.Y FMM >>>> Successful profile
    Is this a bug?
    - Shouldn't the SPA do the https GET with the FQDN rather than the IP address?
    - Is this because the certificate is a wildcard?
    - The cert is from GeoTrust (RapidSSL); it should be trusted.
    Thanks
    Sven

    - the cert is from GeoTrust (RapidSSL), should be trusted
    Definitely not. Why do you think a RapidSSL certificate should be trusted?
    If you are going to configure the device in factory default state, then you need to have a certificate issued by a CA trusted by your device. Or you can add the certificate of your preferred CA to the device by hand; then you can use a certificate issued by such a CA as well (but not after a reset to factory default).
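Two separate checks fail in the post above, and the reply addresses only the second. The first is name matching: the device opens https://X.X.X.X:9192/..., so the reference identity is an IP literal, and an IP literal is never compared against a dNSName or CN such as *.domain.com, wildcard or not. The second is trust: the issuing CA has to be in the device's own store. The Python below is an added example written for this page, not SPA122 firmware code; it implements the name-matching step in RFC 6125 style with the browser-style wildcard restrictions, using example.com in place of the redacted domain and 192.0.2.10 as a constructed address. Trust-store handling is out of its scope.

```python
"""Added example: match the host the client actually connected to against the
names in a server certificate, RFC 6125 style. Shows why a request sent to an IP
literal fails against a *.domain.com wildcard even though the certificate is fine
for the FQDN. Not SPA122 firmware code."""
from __future__ import annotations

import ipaddress
from typing import Iterable, Optional


def is_ip_literal(reference: str) -> bool:
    """True for IPv4/IPv6 literals (IPv6 may be bracketed as in a URL)."""
    try:
        ipaddress.ip_address(reference.strip("[]"))
        return True
    except ValueError:
        return False


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one dNSName (or CN) against a hostname.
    Rules applied here: case-insensitive; a wildcard must be the entire leftmost
    label, match exactly one label, and leave at least two fixed labels to its
    right (so "*.com" never matches). These follow common browser policy, which is
    stricter than the minimum RFC 6125 requires."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def certificate_matches(reference: str, dns_sans: Iterable[str] = (),
                        ip_sans: Iterable[str] = (), cn: Optional[str] = None) -> bool:
    """True when the reference identity (the host part of the URL) is covered by
    the certificate. An IP literal is compared only with iPAddress SANs, never with
    dNSName entries or the CN; the CN is consulted only when the certificate has no
    dNSName SANs at all."""
    if is_ip_literal(reference):
        target = ipaddress.ip_address(reference.strip("[]"))
        return any(ipaddress.ip_address(s) == target for s in ip_sans)
    names = list(dns_sans)
    if not names and cn:
        names = [cn]
    return any(dns_name_matches(n, reference) for n in names)


def explain(url_host: str, **cert) -> str:
    """One-line verdict suitable for a log line or a ticket."""
    verdict = "OK" if certificate_matches(url_host, **cert) else "CN/SAN mismatch"
    return f"{url_host}: {verdict}"


if __name__ == "__main__":
    # Constructed certificate: wildcard dNSName only, no iPAddress SAN (example.com
    # stands in for the redacted domain in the post).
    wildcard = {"dns_sans": ["*.example.com"], "cn": "*.example.com"}
    print(explain("ruxxx1.example.com", **wildcard))  # what the FQDN rule would send
    print(explain("192.0.2.10", **wildcard))          # what the device actually sends
```

If the device cannot be made to request by FQDN, the only certificate that satisfies this check is one carrying an iPAddress SAN for that address, which is an option only for a public address; and, per the reply, its issuer would still have to be in the device's trust store.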

  • Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

    ColdFusion 11
    Windows Server 2012 R2
    Both the ColdFusion admin and the additional site work fine on HTTP.
    As soon as I attempt to enable SSL websockets and install SSL certs, the ColdFusion 11 Application service will not start. I followed the steps below....
    Coldfusion 11 - Web Sockets via SSL
    The coldfusion-error.log shows
    Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
    The server was a cloned VM of the test server with a developer copy of CF11, but a license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
    Do I need to install another version of ColdFusion to get around this issue, or is there a download update I need to apply?
    If I reconfigure \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
    Any assistance welcome - I can't allow this site to be made publicly available without using SSL.
    SM

    @Scott, first, are you running update 3? If so, let's clarify at the outset that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release. And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
    If you are NOT on update 3, or you apply the fix and find things still don't work, I would wonder about a few things, from what you've described.
    First, you say that the CF service won't start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn't start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I'd suspect not.
    Look instead in the coldfusion-out.log. What does THAT log show at the time you try to start CF and it won't start? You may find something else there. (And since you refer to editing the server.xml file, you may find the log complains that because of an error in the XML it can't "parse" the file. It's worth checking.)
    You say also that you have confirmed that "paths are correct in CF Admin to the cert file". What path are you referring to? There's no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean the "system info" or "settings summary" page? Even so, there's still no line in there which refers to the "cert file".
    Instead (and this could be a part of your problem) the cert file is simply found WITHIN the directory where CF is pointed to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the "Java and JVM" page (and the value of its "Java Virtual Machine Path"), or in the "settings summary" or "system information" pages and their value for "Java Home". Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT's where you need to put the certs, within there (in its \lib\security folder).
    Finally, when you say that if you "comment out the SSL sections it works fine", do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don't use SSL?
    To be clear, no, you don't need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
    /charlie

  • Is there any way to treat expired SSL certs in HTTPS connections as non-secure?

    Is there a way of navigating HTTPS websites as though they were HTTP, without adding any SSL exceptions?
    Obviously an expired/self-signed SSL cert over HTTPS is no more dangerous than no encryption at all over HTTP.
    The Untrusted Connection dialog is a usability nuisance, particularly for those of us who understand HTTPS.

    Check out:
    http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
    You will need to turn on Client Auth as described above. Hope it helps.

  • SSL certificate problem on most https websites

    Some https sites cannot be reached on my system, and more https sites are affected as time goes by. I have noticed that the problem is the SSL certificate. I even checked an Arch ISO and there I have the same problem. I tested two things in case it rings any bell for you:
    [omid@localhost ~]$ curl -v https://github.com
    * Rebuilt URL to: https://github.com/
    * Adding handle: conn: 0x1757250
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x1757250) send_pipe: 1, recv_pipe: 0
    * About to connect() to github.com port 443 (#0)
    * Trying 192.30.252.128...
    * Connected to github.com (192.30.252.128) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * Unknown SSL protocol error in connection to github.com:443
    * Closing connection 0
    curl: (35) Unknown SSL protocol error in connection to github.com:443
    in which  you can see the problem. But
    [omid@localhost ~]$ curl -v3 https://github.com
    * Rebuilt URL to: https://github.com/
    * Adding handle: conn: 0xf31250
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0xf31250) send_pipe: 1, recv_pipe: 0
    * About to connect() to github.com port 443 (#0)
    * Trying 192.30.252.129...
    * Connected to github.com (192.30.252.129) port 443 (#0)
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: none
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using RC4-SHA
    * Server certificate:
    * subject: businessCategory=Private Organization; 1.3.6.1.4.1.311.60.2.1.3=US; 1.3.6.1.4.1.311.60.2.1.2=Delaware; serialNumber=5157550; street=548 4th Street; postalCode=94107; C=US; ST=California; L=San Francisco; O=GitHub, Inc.; CN=github.com
    * start date: 2013-06-10 00:00:00 GMT
    * expire date: 2015-09-02 12:00:00 GMT
    * subjectAltName: github.com matched
    * issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert High Assurance EV CA-1
    * SSL certificate verify ok.
    > GET / HTTP/1.1
    > User-Agent: curl/7.33.0
    > Host: github.com
    > Accept: */*
    >
    < HTTP/1.1 200 OK
    * Server GitHub.com is not blacklisted
    < Server: GitHub.com
    < Date: Fri, 06 Dec 2013 09:55:10 GMT
    < Content-Type: text/html; charset=utf-8
    < Status: 200 OK
    < Cache-Control: private, max-age=0, must-revalidate
    < Strict-Transport-Security: max-age=2592000
    < X-Frame-Options: deny
    < Set-Cookie: logged_in=no; domain=.github.com; path=/; expires=Tue, 06-Dec-2033 09:55:10 GMT; secure; HttpOnly
    which seems OK. Is there even any way to add a certificate to avoid this strange behavior? I use an updated x86_64 KDE.
    Last edited by nikta (2013-12-06 11:37:06)

    [omid@localhost ~]$ ldd `which curl`
    linux-vdso.so.1 (0x00007fff8bd7c000)
    libcurl.so.4 => /usr/lib/libcurl.so.4 (0x00007f9f479c6000)
    libz.so.1 => /usr/lib/libz.so.1 (0x00007f9f477b0000)
    libpthread.so.0 => /usr/lib/libpthread.so.0 (0x00007f9f47592000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007f9f471e7000)
    libssh2.so.1 => /usr/lib/libssh2.so.1 (0x00007f9f46fbe000)
    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f9f46d51000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f9f46949000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f9f47c2b000)
    libdl.so.2 => /usr/lib/libdl.so.2 (0x00007f9f46745000)
    [omid@localhost ~]$ pacman -Q|egrep '(openssl|curl|ca-cert)'
    ca-certificates 20130906-1
    ca-certificates-java 20130815-1
    curl 7.33.0-3
    lib32-openssl 1.0.1.e-2
    mingw-w64-openssl 1.0.1e-4
    openssl 1.0.1.e-5
    Last edited by nikta (2013-12-06 13:15:18)

  • Dreaded "must be configured to use a valid SSL cert" - 2008 R2

    Hello everybody,
    I've been browsing through hundreds of topics on the dreaded "The RD Gateway server must be configured to use a valid SSL certificate" error using BPA (Windows Server 2008 R2 Std), but still haven't found a proper solution.
    Here's the issue: RDGW is not operating properly, sometimes accepting connections, sometimes not.
    I have an external domain example.com and internally the domain is example.local. I have one server serving Exchange and RD; this is the server responding to mail.example.com and I have a StartSSL-issued cert for mail.example.com, which is properly configured on the server (OWA is working properly with autodiscover etc.). SSL bindings seem alright; the default site is using the mail.example.com SSL cert.
    If I open the RDGW Manager and go to the SSL Certificate tab, the system looks happy with the cert installed, everything looks fine. Sometimes I even manage to connect - the connection is successful and I can connect normally to any of the servers or computers.
    On a second attempt, I just get the message that the logon attempt has failed. If I run BPA on the server, I get the error of not having a proper SSL cert. If I select a self-signed cert, then the BPA also goes through, but then I have problems with connections since everybody would need to have this cert installed.
    From what I read, my problems are related to the issue that the FQDN of my server is servername.example.local and the cert is issued to mail.example.com. How can I make it talk only via the mail.example.com cert? I don't think I can get a cert that would also contain a SAN of servername.example.local from the CA.
    What can I do?

    Hi Andrej,
    Thanks for posting in the Windows Server Forum.
    Here I am providing you the article for the BPA's configuration logs, which you can check. It also states that certificates are the main problem related to this error. Please check that the certificate you have bound has the FQDN of the gateway server, that it is an SSL certificate and that it's a trusted certificate. Also check that the certificate which you are importing to RD Gateway is in the local computer/personal store. For more information refer to the articles below.
    1. Using the Remote Desktop Services BPA to analyze a Remote Desktop Gateway implementation
    2. RDS: The RD Gateway server must be configured to use a valid SSL certificate
    In addition, you need to specify the FQDN of the RD Gateway under DefaultTSgateway in the IIS settings. Please go through the article below for details.
    RD Gateway/Web Access Outside the Firewall
    Hope it helps!
    Thanks,
    Dharmesh

  • Guest Cert problems ISE and Anchor WLC

    I'm setting up new Guest Wireless. I have 2 internal foreign 5508 WLCs talking to 2 DMZ anchor WLCs. The guest connects to the Guest SSID and the anchor controllers act as the DHCP server; the Guest interface configured on the WLC is in the range of the DHCP scope I've set up. The DHCP scope is using the anchor WLC Mgmt interface as the DHCP server.
    Guest SSID - is set up for Webauth and the Guest is redirected to the ISE server https://wlc.company.com/login...., when the page is presented to the Guest they get a cert problem because the cert is not trusted (it's an internal cert). The Guest logs in ok and the AUP says "cert not trusted" 1.1.1.1 name of the WLC wlc.company.com.
    In the browser the Guest has https://wlc.company.com/loginredirecthttps://1.1.1.1........
    1.1.1.1 is the Virtual interface of the Anchor WLC.
    How can I get the client to stop using the Virtual Interface for the cert? Why is the WLC doing this? I gather something to do with DHCP?
    My plan is to apply an external cert on the ISE for Guests; that way they will automatically trust a cert from GeoTrust for example. But I'm still going to run into this cert "not trusted" problem where the Guest is not trusting the WLC anchor Virtual Interface 1.1.1.1. Why is the guest using the Virtual interface 1.1.1.1? I've even added the ISE name of the cert to the Virtual interface, same problem, instead it just says wlc.company.com not trusted. I have also imported the cert onto the WebAuth cert on the anchor WLC, still doesn't work.
    Hopefully I've explained this ok.....any ideas? But if the Guest page keeps getting presented with
    https://wlc.company.com/loginredirecthttps://1.1.1.1........ it will never work.

    I followed Richard's advice and started from scratch, removing LWA and implementing CWA-MAB. It didn't take too long to set up CWA and get authentication working; I applied a Preauth ACL on the WLCs and on ISE under the Authorization profile (CWA).
    This is when the problems started happening. I was using the default ISE Authorization profile
    cisco-av-pair = url-redirect=https://ip:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa, which is not what I want; again the certificate is the server cert, which is not the external cert that the guest wants to see. The user can log in fine, unlike LWA; with Firefox or IE it would accept the cert and log in, so at least I had a working Guest wifi solution. Though there was a cert error symbol at the end of the browser URL.
    The next step I tried was to change the Authorization Profile to
    (wireless.company.com, which is a CNAME for the ISE box and has this alias in the cert; this was a test before I apply the external cert)
    cisco-av-pair = url-redirect=https://wireless.company.com:8443/guestportal/gateway?sessionid=SessionValueIdValue&action=cwa
    I applied the change and the new page appeared on the user's laptop, great, but this time users were declined access via Live Authentications, reason "Cannot login due to session id expiry, please login again". I created a new user a/c, same problem. Not good. OK, so I thought, if I want to clear all these stale session ids that apparently exist I'll stop/start the application, which I did from the command line; still the same error "Cannot login due to session id expiry". Hmmm, what's going on here?
    I then rebooted the ISE (this must clear all the sessions!). I performed the reboot from home and now for some reason I cannot log in to the ISE front-end GUI with the admin account or my account. Tried resetting the GUI password for admin and other admin users; the message is "Error: cannot reset password this can only be performed on Standalone or Primary node". Well, what have I done? Just rebooted ISE, nothing else apart from changing the authorization profile. This box is a Standalone node. Without being able to see if the clients connect, due to no GUI access, I have referred this issue to TAC!
    Also I don't like the fact that you have to install an external cert against the internal node name, especially when it's external. But again I haven't reached this part yet.

  • IMAP Mail Setup with self-signed SSL certs

    I am unable to set up IMAP access to an email account of mine in the new iPhone Mail app. The setup stalls at "verifying" and I can't seem to save the info entered and then disable SSL in the advanced setup.
    Also, it doesn't seem possible to install SSL certs from Safari. On the computer I was able to navigate to the server via https and permanently accept the SSL cert. The option doesn't exist in Safari Mobile. If you have the server's cert (.der) file in the web root of the server, it is possible to download and install the certificate. This solved a similar problem for my Exchange mail push with our Kerio server. Unfortunately, the certificate file of that other IMAP account is unavailable.

    If possible, instead of configuring it on the iPhone, try configuring it on your computer and using iTunes to sync the configuration itself to the iPhone. I am connecting fine to an IMAP server with a self-signed certificate. The first time I opened Mail (on the iPhone) it prompted me with a dialog saying the certificate was invalid but I was able to accept it. Since then, it has never prompted me again about validity of the certificate (even after rebooting the phone) so I believe the Mail program can permanently accept a self-signed certificate.
    And yes, there doesn't seem to be a way for Safari Mobile to permanently accept self-signed certificates. I have read that the iPhone is supposed to pull certificates from the Keychain but this does not appear to be the case.

  • Configure OWA to require a client ssl certificate only for external connection

    Hello.
    I have now migrated OWA clients from Exchange 2003 to Exchange 2010 and am faced with a problem.
    I want that when an external client (somebody like a user from a home PC) connects to Outlook Web App, a client certificate will be required.
    But when a client (somebody from a work PC) connects to the internal Outlook Web App URL, Integrated Windows Auth will be used and a client SSL certificate is not required.
    Is it possible? Or do I need to enable Outlook Anywhere?

    Hi,
    Based on my knowledge, I don't think it is possible.
    When you install Exchange 2003, there is only one Default Web Site in Internet Information Services (IIS). If you change the authentication method and enable SSL on OWA, a client SSL certificate will always be required, whether it's external or internal.
    I recommend you refer to the following articles:
    http://www.msexchange.org/articles-tutorials/exchange-server-2003/mobility-client-access/Securing-Exchange-Server-2003-Outlook-Web-Access-Chapter5.html
    http://www.msexchange.org/articles-tutorials/exchange-server-2003/security-message-hygiene/SSL_Enabling_OWA_2003.html
    Note: Microsoft is providing this information as a convenience to you. The sites are not controlled by Microsoft.
    Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. Please make sure that you completely understand the risk before retrieving any suggestions from the above link.
    Thanks.
    Niko Cheng
    TechNet Community Support
