Certificates in Windows 7

Exploring the certificates with certmgr on a home laptop, I realize that some trusted certificates are expired.  What are the minimum certificates that a home computer browsing the internet should have?  No inter home network activity.
What is the purpose of the Microsoft root authority certificate?  How can a user verify that the trusted certificate is the most recent to install?
What is the purpose of the Thawte Premium Server CA certificate?  When is it needed to have it installed?
Any recommendations on administering certificates are welcome.
Thanks!

Keep your Windows up to date with Windows updates and that should be enough.
Thawte is a trusted root certificate provider.
You need it installed on your machine in order for your Windows to trust certificates issued by Thawte CA Servers.
https://support.microsoft.com/kb/931125?wa=wsignin1.0
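
A read-only way to see what the question describes, added here as an example and not taken from either post: the script lists every certificate in the trusted root stores with its validity status, so expired entries can be reviewed rather than guessed at. The function name `Get-RootCertificateReport` and the `-WarnDays` parameter are illustrative; nothing is changed or deleted.

```powershell
# Added example: read-only inventory of the trusted root stores.
# Get-RootCertificateReport and -WarnDays are illustrative names, not a built-in cmdlet.
function Get-RootCertificateReport {
    param([int]$WarnDays = 90)

    $now  = Get-Date
    $seen = @{}   # the same root can show up in both views, so de-duplicate by thumbprint

    foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        foreach ($cert in Get-ChildItem -Path $store) {
            if ($seen.ContainsKey($cert.Thumbprint)) { continue }
            $seen[$cert.Thumbprint] = $true

            if     ($cert.NotAfter  -lt $now)                    { $status = 'Expired' }
            elseif ($cert.NotBefore -gt $now)                    { $status = 'NotYetValid' }
            elseif ($cert.NotAfter  -lt $now.AddDays($WarnDays)) { $status = 'ExpiresSoon' }
            else                                                 { $status = 'Valid' }

            # New-Object PSObject keeps this compatible with PowerShell 2.0 on Windows 7.
            New-Object PSObject -Property @{
                Store      = $store
                Status     = $status
                NotAfter   = $cert.NotAfter
                SelfIssued = ($cert.Subject -eq $cert.Issuer)   # root entries are normally self-issued
                Signature  = $cert.SignatureAlgorithm.FriendlyName
                Thumbprint = $cert.Thumbprint
                Subject    = $cert.Subject
            }
        }
    }
}

$report = Get-RootCertificateReport

# Summary: how many roots fall into each status.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Detail: entries to review (not currently valid, or not self-issued).
$report | Where-Object { $_.Status -ne 'Valid' -or -not $_.SelfIssued } |
    Sort-Object NotAfter |
    Format-Table Status, NotAfter, SelfIssued, Signature, Subject -AutoSize
```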

Similar Messages

  • WebID (x509 certificate) on Windows Server 2012

    How can a (end) user log in to Windows Server 2012 using his WebID (x509 certificate)?

    Hi,
    I assume that you are talking about smart card logon, which makes it possible for user to logon using a smart card and a PIN (Personal Identification Number).
    More information for you:
    Set up a smart card for user logon
    http://technet.microsoft.com/en-us/library/cc775842(v=WS.10).aspx
    How to implement x.509 certificate-based windows logon and authentication
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0291dee1-1b10-4139-b36d-f1b953f8a09a/how-to-implement-x509-certificatebased-windows-logon-and-authentication?forum=winserversecurity
    I hope this helps.
    Amy Wang

  • Java Applet Certificate Signing Window comes up BLANK!

    Hi Everyone I have a problem where
    Java Applet Certificate Signing Window comes up BLANK!
    It comes up as blank gray panel with the java logo on the upper left.
    the title bar says "Java Plugin Security Warning"
    And I can't figure out what to do to make it come up properly. I tried double clicking it dragging it around to make it repaint itself nothing happens.
    I have tried clearing temp files deleting files from IE, deleting cookies, clearing the history.
    Now i'm going to restart the computer and see if it works.
    It is supposed to give me buttons.
    1. Accept for this session
    2. Grant
    3. Deny
    4. View Certificate
    But does anyone have any idea how to address this issue ?
    Stephen

    You might try setting the trace level to 5 in the plugin's Java console and looking what it spits out while the applet is launching. I remember seeing loads of information in there including stuff relating to certificate validation. It might be helpful.
    The trick to getting this info during start up:
    1) get the plugin to load by directing your browser to page with a known applet. Write your own little stub applet and load it or go to http://java.sun.com/. There's an applet on that page.
    2) bring up the plugin's console if it's not already and then go to a blank page.
    3) set the trace level to 5 in the console. (just press the 5 key).
    4) go to the page that launches your applet. You'll have tons of information pour out in your console.
    Happy hunting.

  • Update for Root Certificates for Windows 7 [March 2014] (KB931125) - Expired on SCCM 2012 March 2014 SUG

    Hi all,
    The "Update for Root Certificates for Windows 7 [March 2014] (KB931125)" is Expired on SCCM 2012 March 2014 SUG. Is this a problem and is there going to be any fix for this which we can expect in the future?

    I don't have a 931125 for March 2014; however, I do have a November 2013 for 931125 which is still valid. Per the KB (http://support.microsoft.com/kb/931125) the November 2013 is the current and valid version.
    931125 is an unusual update as they simply update it with a new version instead of creating a new KB that supersedes it. Now, why they expired the March 2014 version is unknown but they probably found an issue with it shortly after it was released.
    As a rule, you should always ensure that the search you use or criteria in your ADR excludes expired updates.
    So, to answer the question, no this isn't an issue.
    Jason | http://blog.configmgrftw.com

  • Troubles with client certificates in Windows Phone 8.1 WebViews

    Hi,
    I'm having difficulties using a client certificate in Windows Phone 8.1 WebViews.
    My code works fine in my Windows 8.1 App but I get a WebErrorStatus=[CertificateIsInvalid] in WebView.NavigationCompleted in WP.
    I'm using this code to import my certificate :
    await CertificateEnrollmentManager.ImportPfxDataAsync(certificateBase64, certificatePassword, ExportOption.NotExportable, KeyProtectionLevel.NoConsent, InstallOptions.None, "MyClientCertificate");
    I have no problem using this cert in HttpClient with either Windows 8.1 or Windows Phone 8.1.
    I don't understand why it doesn't work with the WebView control only on Windows Phone.

    Tried it with no success.
    But I just found this : https://blogs.msdn.com/b/wsdevsol/archive/2014/07/31/programmatically-create-and-configure-a-client-certificate-for-use-in-your-windows-runtime-based-app.aspx?Redirected=true
    With the note at the bottom: 
    Note: For Windows Phone 8.1, you need to attach the Client Certificate programmatically. For Windows, once you install the Client Certificate to the app container store and do not attach the client certificate with the HttpClient request, the HttpClient class will automatically detect that there is a single certificate installed in the app container store and forward it to the server. However in the case of Windows Phone 8.1, there is no such “automatic” selection of the certificate and one MUST provide the certificate programmatically.
    Since there seems to be nothing to attach a custom HttpBaseProtocolFilter to a WebView, it doesn't seem possible atm.

  • Update for Root Certificates for Windows 7 [March 2014] (KB931125) Expired

    Hi All
    Today I wanted to deploy the security updates of the month March 2014 to my production environment.
    I noticed that the update "Update for Root Certificates for Windows 7 [March 2014] (KB931125)" is Expired.
    Strange, last week I added this update in our Acceptation environment with no problems.
    Someone knows what happened to this update? I cannot find it on the Microsoft site.
    regards
    Johan

    Hi Yan Li,
    I don't understand what you're trying to say.
    Why do you quote that old information from the KB article? It's not really relevant to the update Johan asked about because the December 2012 version of KB931125 is not the same update that was released on March 11, 2014 which then immediately expired.
    It's not only the server updates that have been expired this time. It's the Windows 7 update and the Windows XP updates as well. I don't have any other OS versions in my managed environment so I don't know which other OS versions it affects but my guess is it's expired on all of them.
    It would be nice with some real information about why this particular version (March 2014) was recalled.
    If there is a problem with it I would like to know what kind of problems I'll be facing on the clients that did install it before it expired.
    And if there is a problem with it, will there be an interim fix available? Will a new update be released and if so- when?
    Can you please see if you can provide us with some relevant information?

  • Remote Desktop Connection With Custom Certificate on Windows 8.1 fails

    I'm trying to establish a secured remote desktop connection without success.
    The setting
    There are some local PCs with Windows 8.1 Pro and Windows 7 Pro, no server-edition. I've created a self signed ca-certificate with openssl for Windows. I used this to sign custom certs for the local windows-pcs, which are installed at mmc -> certificate snap-in for local computer -> My Certificates -> Certificates. The networkdriver has the right to read the key. The sha1-fingerprint of the custom signed certs are registered at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp -> SSLCertificateSHA1Hash = sha-1 hash of the custom local cert. Additionally the revocation-list is restrained to the local list by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Credssp -> UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors = 1.
    The results
    The connection from win 8.1 to win 7 works. The connection info confirms that it is a verified connection. The connection to Windows 8.1 fails after entering the credentials with error: No connection possible. Network Level Authentication is set, but other levels don't work as well. The log (Event Views -> Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Admin) says "Remote Desktop Services has taken too long to load the user configuration from server" and "The Local Security Authority Cannot Be Contacted" (error 0x80090304)
    Additional information
    The connection via linux (remmina) works for win 7 and win 8.1, but I have no information about the encryption. It is the same with the Microsoft Remote Desktop Tool for Android.
    Maybe it is associated with a different cert handling by Windows 8.1 but I couldn't find further information or a solution on the internet.
    Best regards
    abditus

    I solved the problem!
    The default openssl certificate signature algorithm is md5RSA but it doesn't work with Windows 8.1.
    At least sha1RSA is needed.
    By adding "default_md = sha1" to the openssl.cnf you create certs with sha1RSA and it works fine.
    Best regards
    abditus
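
A check for the setup this thread describes, added here as an example and not code from the poster: it reads the thumbprint pinned under the `RDP-Tcp` key named in the question, finds the matching certificate in the local computer's personal store, and reports its signature algorithm, so an md5RSA-signed certificate like the one in the solution is visible before a connection is attempted. The function name `Get-RdpListenerCertificate` is illustrative.

```powershell
# Added example: inspect the certificate the RDP listener is pinned to.
# Get-RdpListenerCertificate is an illustrative name, not a built-in cmdlet.
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$md5RsaOid = '1.2.840.113549.1.1.4'   # md5WithRSAEncryption

function Get-RdpListenerCertificate {
    # SSLCertificateSHA1Hash is a binary value holding the SHA-1 thumbprint.
    $prop = Get-ItemProperty -Path $rdpKey -Name SSLCertificateSHA1Hash -ErrorAction SilentlyContinue
    if (-not $prop) {
        Write-Warning 'SSLCertificateSHA1Hash is not set; no custom certificate is pinned.'
        return
    }
    $thumbprint = ($prop.SSLCertificateSHA1Hash | ForEach-Object { $_.ToString('X2') }) -join ''

    # The thread installs the certificate in the local computer's personal store.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $thumbprint in LocalMachine\My."
        return
    }

    $now = Get-Date
    New-Object PSObject -Property @{
        Thumbprint       = $cert.Thumbprint
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        Signature        = $cert.SignatureAlgorithm.FriendlyName
        MD5Signed        = ($cert.SignatureAlgorithm.Value -eq $md5RsaOid)
        HasPrivateKey    = $cert.HasPrivateKey
        InValidityWindow = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
    } | Select-Object Subject, Issuer, Signature, MD5Signed, HasPrivateKey, InValidityWindow, Thumbprint
}

$result = Get-RdpListenerCertificate
if ($result) {
    $result | Format-List
    if ($result.MD5Signed) {
        Write-Warning 'Pinned certificate is signed with md5RSA; reissue it with a stronger digest.'
    }
}
```

Run it from an elevated prompt on the machine that accepts the RDP connection.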

  • IPhone Apps Distribution Certificate on Windows XP

    Hi there! total newbie here!
    I had an idea for an application which I wanted to be programmed. Being a total total newbie I asked someone to make it for me. It's coming along nicely and will soon (hopefully) be on the app store.
    The thing is, I need to get an app distribution Certificate for the application.
    I do not have a Mac and was wondering if I can get it somehow using my Windows computer?
    If that is not possible, could it be done by someone using THEIR Mac....or is a certificate something which can only be done using my own machine?
    Hope someone can help me.
    Thanks

    If you trust your developer, your best bet would be to do all the downloading at that end. Your key and certificate can then be archived for your future use. In any case, you won't be able to use these docs without a development environment on a Mac. No matter where you download them, they need to be installed on a Mac and only an experienced developer should attempt to build the distribution package with them.

  • Machine authentication by certificate and windows domain checking

    Hi,
    We intend to deploy machine's certificate authentication for wifi users.
    We want to check certificate validity of the machine, and also that the machine is included on the windows domain.
    We intend to use EAP-TLS :
    - One CA server.
    - each machine (laptop) retrieves its own certificate from GPO or SMS
    - the public certificate of the CA is pushed on the ACS as well as on each of the machine (laptop)
    - ACS version is the appliance one
    - one ACS remote agent installed on the A.D.
    - when a user intends to log on the wifi network :
    - the server (ACS appliance) sends its certificate to the client. This client checks the certificate thanks to the CA server certificate he already trusts, results : the client also trusts the ACS's certificate signed by the CA server .
    - the client sends its certificate to the server (ACS appliance). This ACS checks the certificate thanks to the CA server certificate he already trusts, results : the ACS also trusts the client's certificate signed by the CA server but the ACS also checks that this certificate isn't revoked (the ACS checks this thanks to the CA server CRL - certificate revocation list).
    Am I right about these previous points ?
    And then my question is : is it possible to check that the machine is also included in the windows domain ?
    That is, is it possible for the ACS to retrieve the needed field (perhaps CN - certificate type "host/....") and then perform an authentication request to the A.D. (active directory) thanks to the ACS remote agent ? We want to perform only machine authentication, not user authentication.
    Thanks in advance for your attention.
    Best Regards,
    Arnaud

    Hi Prem,
    Thanks for these inputs.
    I've passed the logs details to full, performed other tests and retrieved the package.cab.
    I've started investigating the 2 log files you pointed.
    First, we can see that the requests reach the ACS, so that's a good point.
    Then, I'm not sure how to understand the messages.
    In the auth.log, we can see the message "no profile match". I guess it is about network access profile. For my purpose (machine authentication by certificate), I don't think Network Access Profiles to be mandatory to be configured.
    But I'm not sure this NAP problem to be the root cause of my problem.
    And when no NAP is matched, then the default action should accept.
    We can see the correct name of the machine (host/...). We can see that he's trying to authenticate this machine "against CSDB". Then we have several lines with "status -2046" but I can't understand what the problem is.
    I don't know what CSDB is.
    I've configured external user database: for this, I've configured windows database with Remote Agent. The domain is retrieved and added in the domain list. And EAP-TLS machine authentication is enabled.
    I copy below an extract of the auth.log.
    I also attach parts of auth.log and RDS.log.
    If you have any ideas or advice?
    Thanks in advance for your attention.
    Best Regards,
    Arnaud
    AUTH 04/07/2007 12:25:41 S 5100 16860 Listening for new TCP connection ------------
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::CreateContext: new context id=1
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PdeAttributeSet::addAttribute: User-Name=host/nomadev2001.lab.fr
    AUTH 04/07/2007 12:25:41 I 0143 16704 [PDE]: PolicyMgr::SelectService: context id=1; no profile was matched - using default (0)
    AUTH 04/07/2007 12:25:41 I 0143 1880 [PDE]: PolicyMgr::Process: request type=5; context id=1; applied default profiles (0) - do nothing
    AUTH 04/07/2007 12:25:41 I 5388 1880 Attempting authentication for Unknown User 'host/nomadev2001.lab.fr'
    AUTH 04/07/2007 12:25:41 I 1645 1880 pvAuthenticateUser: authenticate 'host/nomadev2001.lab.fr' against CSDB
    AUTH 04/07/2007 12:25:41 I 5081 1880 Done RQ1026, client 50, status -2046

  • Go Daddy Certificate on ISE Repeat accept certificate on Windows 7/8/8.1

    We have moved from a self signed certificate to a Go Daddy certificate to avoid trust issues around self signed certificates.  IOS devices continue to work fine, but Windows devices have to accept the certificate trust many times.  Sometimes it takes 4-6 times clicking connect while on some machines it takes 10-14 times of clicking connect when it prompts you to verify the certificate.  Sometimes it will never connect and you have click terminate once and then click connect a few times.  What is the deal?  This happens equally on Windows 7, 8, and 8.1 machines when connecting to the ISE SSID the first time.  This also only happens when using the Microsoft PEAP.  On my machine, I have an Intel WIFI card so I have the option of using Intel control and Intel PEAP instead of Microsoft.  This works fine.  Something to do with the Microsoft supplicant and ISE on this trust?  Anyone else have this issue or know how to fix it?  The system does work.  It is just annoying for low end users who don't understand to just keep clicking connect...windows will believe you eventually.
    More information: I have also installed the provided Go Daddy intermediate cert in Intermediate Certification Authorities and in Trusted Root Certification Authorities.  Neither helps the process.

    #8 The Start Menu and User Interface
    1. The Start Menu
    Allow Drag and Drop from the left list to the right pinned icons. Update build 10041, Microsoft have done this.
    The Start menu is bloated with Metro Apps, making it more cumbersome to find useful installed programs. Example of Start Menu to the left bloated with Metro Apps.
    These should all be in a Windows Apps folder similar to all the (more useful) items in the Windows Accessories folder.
    2. Windows and X Menu (Right Click Start)
    Please add your votes to my Windows UserVoice suggestion here.
    Add the following to the “Windows and X” menu:
    Windows Defender
    Windows Defender Offline
    Devices and Printers
    .iso to Bootable USB Utility
    "Settings" → This definitely has to be here
    Make the Windows and X Menu look like part of Windows 10.
    3. Windows Defender
    Add it to the Windows and X Menu as described above and also add right click context menus like Microsoft Security Essentials had:
    4. Minor Feedback
    I'm not a great fan of the new icons, the folders are too bright and it looks like they have been drawn in Microsoft paint. The Recycle bin particularly looks terrible.

  • Roll out client certificate from Windows

    Hi,
    We have recently begun using Macs in our Windows Environment and are having problems with our wireless. It is 802.1x with Network Policy Server as RADIUS. To connect you need correct user credentials and machine certificate that is rolled out through GPO.
    Is there a way to roll out the certificate to our Macs also? If it's necessary to connect them to our domain, that isn't a problem.
    The Macs are running Mountain Lion or Mavericks.
    //Robert

    You can use the Profile Manager feature of OS X Server, and create a profile that retrieves a certificate via SCEP or RPC from your CA.  This profile can then be downloaded or pushed to Mac clients that are enrolled in the profile manager.

  • Certificate Authority Windows 2008 to 2012 R2 - Clean up and Migration

    Hello,
        I'm currently dealing with the following scenario:
    1. I've inherited the current infrastructure setup and the plan is to clean things up and setup a new certificate infrastructure using Windows 2012 R2.
    2. The current setup:
        a. Domain Controller, Windows 2008 R2, is/was a Certificate Authority.  It hasn't issued any new certificates (based on the information in Certificate Effective Date) for quite some time.  It also has an expired certificate for itself - issued by the domain's issuing CA - and attempts to renew it via MMC give a "Server execution failed" and STATUS: Failed when looking in Certificate enrollment for Domain Controller.  We'll call the server, DC1.
        b. Certificate Authority Server, we'll call it CERT1.  When booting up the machine and/or attempting to restart certificate services on the server, the following errors are in the event log:
    EVENT 7024: Description: The Active Directory Certificate Services service terminated with service-specific error %%-2146885613.
    EVENT 100: Active Directory Certificate Services did not start: Could not load or verify the current CA certificate.  Domainlocal Issuing CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
    EVENT 48: Description: Revocation status for a certificate in the chain for CA certificate 0 for Domain.local Issuing CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).
    Note:  The server's computer certificate has expired and it was issued by the Domain Controller mentioned in point A.  Attempts to renew it fail.
    (The issue on CERT1 is like the one mentioned in this article: https://support.microsoft.com/kb/825061?wa=wsignin1.0  however an upgrade wasn't done and it's not old versions of Windows.)
    c. There is a certificate authority machine - part of what was created for a PKI infrastructure - that was kept shutdown.  I've powered it up and the machine is not part of the domain.
    Any thoughts or feedback on easily repairing the current situation so that I can upgrade everything to a new Windows 2012 R2 Certificate infrastructure would be appreciated.
    Thanks!

    Hi Vadims,
        Basically using certificates in the following manner:
    1. User / Computer enrollment in the AD domain.
    2. Any hardware / web services (internal) that need certificates.  This is usually hardware that has some form of GUI that is accessed via URL, printers accessed via URL and/or that communicate via LDAP to AD, internal UC (Lync is an example), that sort of thing.
        A number of machines currently show certificate errors (i.e. certificate has expired) however that hasn't stopped things from working just functioning differently.  I'm going already on the assumption that if I remove the entire CA infrastructure and re-install a new one and have everything point to that new CA server that I should be ok but I'm not 100% certain hence why I asked on this forum.
    Also, you're correct in that there is one more CA.  That CA was the server that was turned off/offline that I powered on.  It is not part of the AD domain that the domain controller and the other CA belong to.  (It is standalone.)  I'm currently patching the standalone CA since it's been off for what looks like almost 1.5 years.

  • Update Windows Root Certificates in Windows 2008 R2 Disconnected Environment using WSUS

    Hi all, I need to update the root certs on all my Windows 2008 R2 servers. They have no internet connectivity. I am aware of the issue described by KB931125 but I am not affected by it. My issue is that I would like the 2008R2 servers to update the root certs from my WSUS servers. Is this possible?

    I would suggest that you identify the few individual root certificates that you need, and import them individually to those servers where they are needed.
    It is NOT possible to update root certificates from a WSUS server, except in the case of workstations that are being configured to install KB931125.
    Do NOT install KB931125 to a server operating system.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Install GoDaddy SSL Certificate to Windows Server 2012 - Access Anywhere

    I would like to activate Access Anywhere on my Windows Server 2012 Essentials. I went through the guided steps and purchased a SSL certificate from Godaddy. Godaddy doesn't offer support regarding the correct installation process of their certificates using iis 8 (server 2012 essentials). I noticed that Access Anywhere requires a PFX certificate and Godaddy only provided a PKCS #7 and a cer. file. Please let me know if Godaddy's certificates are compatible with Windows Server 2012 Essentials. Without Access Anywhere functioning on my server, the usefulness of the server greatly decreases. Your assistance is greatly appreciated. Thanks.

    All you need is the standard, lowest level, single domain, no email, no bells, no whistles, no UCC.  Just a simple SSL cert.  Even SBS standard which adds email to the RWA feature, only requires that, thanks to the magic of the dev. team.
    Larry Struckmeyer[SBS-MVP] If your question is answered, please mark the response as the answer so that others can benefit.

  • Move certificates from Windows CA Server to IOS CA (Router 2900).

    Hi,
    Can you move the CA certificates from my Windows Server 2003 server to a Cisco router?
    I currently have a Windows 2003 server CA (SCEP) and need to move certificates from this machine to a Cisco 2900 router (ISR) ... Is it possible?

    Hi Yerko,
    Yes you can.  Please have a look at the below link:
    http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_pki/configuration/15-mt/sec-pki-15-mt-book/sec-cert-enroll-pki.html
    Please visit the below section.
    Configuring Cut-and-Paste Certificate Enrollment
    SUMMARY STEPS
    1.    enable
    2.    configure terminal
    3.    crypto pki trustpoint name
    4.    enrollment terminal pem
    5.    fingerprint ca-fingerprint
    6.    exit
    7.    crypto pki authenticate name
    8.    crypto pki enroll name
    9.    crypto pki import name certificate
    10.    exit
    11.    show crypto pki certificates
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.
