Client Certificate and EP 6.0

I'm would like to know if client certificate can be implemented on EP 6.0 SP2.
If some one has already done. what is the best way of going about it. Pointer to document would be help ful.
Thanks in advance,

Hello Nixon,
have a look at the Enterprise Portal 6.0 SP2 Security Guide:
https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/com.sapportals.km.docs/documents/a1-8-4/sap enterprise portal 6.0 sp2 - security guide
Regards
Gregor

Similar Messages

What is a client certificate and how do I use it?

I am trying to pay a traffic fine on a municipal website. I keep getting a drop-down box saying the site requires a client certificate to verify my identity. I am given a choice of two certificates, both of which are listed as valid. However, when I select one and click "continue," the same box comes up again (no matter which one i select). This happens repeatedly. I have triend this on both my iMac (less than a year old) and my macBook Air (less than two years old), and the same thing happens on both I just want to pay my traffic ticket! Why won't it accept my selected certificate? Do I need to create a new one, and if so, how do I do that? And what is a cient certificate anyway?

Same here. Does my solution help you, as well? However, in you case, I double-check with the site administrator if he uses client authentication intentionally at all.

AnyConnect SSL-client Certificate AND AAA RADIUS

Hi All,
I'm trying to setup Anyconnect VPN Phone feature. I have the license, and I have been able to get the phone to authenticate / register etc with a username / password.
I want to use the cert on the phone, use the CN as the username and just verify that against my ACS server via RADIUS.... Easier said than done. The ASA is grabbing the Username, but for the life of me, i can't get it to send the username over to the RADIUS server. I have enabled all sorts of aaa and radius debugging and just get no output at all...
Here are some relevant log messages I'm getting:
Starting SSL handshake with client outside:72.91.xx.xx/42501 for TLSv1 session
Certificate was successfully validated. serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc..
Certificate chain was successfully validated with warning, revocation status was not checked.
Tunnel group search using certificate maps failed for peer certificate: serial number: 5C7DB8EB000000xxxxxx, subject name: cn=CP-7942G-SEP002155551BD7,ou=EVVBU,o=Cisco Systems Inc., issuer_name: cn=Cisco Manufacturing CA,o=Cisco Systems.
Device completed SSL handshake with client outside:72.91.xx.xx/42501
Group SSLClientProfile: Authenticating ssl-client connection from 72.91.14.42 with username, CP-7942G-SEP002155551BD7, from client certificate
Teardown TCP connection 35754 for outside:72.91.xx.xx/42501 to identity:173.227.xxx.xxx/443 duration 0:00:05 bytes 5473 TCP Reset by appliance
Relevant Config:
tunnel-group SSLClientProfile type remote-access
tunnel-group SSLClientProfile general-attributes
authentication-server-group RADIUS
default-group-policy GroupPolicy1
tunnel-group SSLClientProfile webvpn-attributes
authentication aaa certificate
radius-reject-message
pre-fill-username ssl-client
group-alias SSLClientProfile enable
group-url https://URL enable
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
wins-server none
dns-server value <ip1> <ip2>
vpn-tunnel-protocol ssl-client
default-domain value xxxxxxxx
address-pools value VPNPOOL
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.102.242
key *****
aaa-server RADIUS (inside) host 192.168.240.242
key *****
ASA version 8.4
What am I doing wrong? It will not send the request to the AAA server, very much frustating me...

PRogress....
I changed the authentication to Certificate ONLY and set authorization to be RADIUS... now it's sending the request to my ACS server. Next question: What's the password that's being sent? Is it blank? I've tried the phone's whole username, tried the MAC and tried just the SEP part. No Dice. Thoughts?

Asking specific client certificate (not certificates trusted by authority)

As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
For example:
Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?

I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
It might not be elegantBut it is!
See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources.

Client certificate authentication with custom authorization for J2EE roles?

We have a Java application deployed on Sun Java Web Server 7.0u2 where we would like to secure it with client certificates, and a custom mapping of subject DNs onto J2EE roles (e.g., "visitor", "registered-user", "admin"). If we our web.xml includes:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>certificate</realm-name>
<login-config>that will enforce that only users with valid client certs can access our app, but I don't see any hook for mapping different roles. Is there one? Can anyone point to documentation, or an example?
On the other hand, if we wanted to create a custom realm, the only documentation I have found is the sample JDBCRealm, which includes extending IASPasswordLoginModule. In our case, we wouldn't want to prompt for a password, we would want to examine the client certificate, so we would want to extend some base class higher up the hierarchy. I'm not sure whether I can provide any class that implements javax.security.auth.spi.LoginModule, or whether the WebServer requires it to implement or extend something more specific. It would be ideal if there were an IASCertificateLoginModule that handled the certificate authentication, and allowed me to access the subject DN info from the certificate (e.g., thru a javax.security.auth.Subject) and cache group info to support a specialized IASRealm::getGroupNames(string user) method for authorization. In a case like that, I'm not sure whether the web.xml should be:
<login-config>
 <auth-method>CLIENT-CERT</auth-method>
 <realm-name>MyRealm</realm-name>
<login-config>or:
<login-config>
 <auth-method>MyRealm</auth-method>
<login-config>Anybody done anything like this before?
--Thanks

We have JDBCRealm.java and JDBCLoginModule.java in <ws-install-dir>/samples/java/webapps/security/jdbcrealm/src/samples/security/jdbcrealm. I think we need to tweak it to suite our needs :
$cat JDBCRealm.java
* JDBCRealm for supporting RDBMS authentication.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to
* implement both a login module (see JDBCLoginModule for an example)
* which performs the authentication and a realm (as shown by this
* class) which is used to manage other realm operations.
* A custom realm should implement the following methods:
* <ul>
* <li>init(props)
* <li>getAuthType()
* <li>getGroupNames(username)
* </ul>
* IASRealm and other classes and fields referenced in the sample
* code should be treated as opaque undocumented interfaces.
final public class JDBCRealm extends IASRealm
 protected void init(Properties props)
 throws BadRealmException, NoSuchRealmException
 public java.util.Enumeration getGroupNames (String username)
 throws InvalidOperationException, NoSuchUserException
 public void setGroupNames(String username, String[] groups)
}and
$cat JDBCLoginModule.java
* JDBCRealm login module.
* This login module provides a sample implementation of a custom realm.
* You may use this sample as a template for creating alternate custom
* authentication realm implementations to suit your applications needs.
* In order to plug in a realm into the server you need to implement
* both a login module (as shown by this class) which performs the
* authentication and a realm (see JDBCRealm for an example) which is used
* to manage other realm operations.
* The PasswordLoginModule class is a JAAS LoginModule and must be
* extended by this class. PasswordLoginModule provides internal
* implementations for all the LoginModule methods (such as login(),
* commit()). This class should not override these methods.
* This class is only required to implement the authenticate() method as
* shown below. The following rules need to be followed in the implementation
* of this method:
* <ul>
* <li>Your code should obtain the user and password to authenticate from
* _username and _password fields, respectively.
* <li>The authenticate method must finish with this call:
* return commitAuthentication(_username, _password, _currentRealm,
* grpList);
* <li>The grpList parameter is a String[] which can optionally be
* populated to contain the list of groups this user belongs to
* </ul>
* The PasswordLoginModule, AuthenticationStatus and other classes and
* fields referenced in the sample code should be treated as opaque
* undocumented interfaces.
* Sample setting in server.xml for JDBCLoginModule
* <pre>
* <auth-realm name="jdbc" classname="samples.security.jdbcrealm.JDBCRealm">
* <property name="dbdrivername" value="com.pointbase.jdbc.jdbcUniversalDriver"/>
* <property name="jaas-context" value="jdbcRealm"/>
* </auth-realm>
* </pre>
public class JDBCLoginModule extends PasswordLoginModule
 protected AuthenticationStatus authenticate()
 throws LoginException
 private String[] authenticate(String username,String passwd)
 private Connection getConnection() throws SQLException
}One more article [http://developers.sun.com/appserver/reference/techart/as8_authentication/]
You can try to extend "com/iplanet/ias/security/auth/realm/certificate/CertificateRealm.java"
[http://fisheye5.cenqua.com/browse/glassfish/appserv-core/src/java/com/sun/enterprise/security/auth/realm/certificate/CertificateRealm.java?r=SJSAS_9_0]
$cat CertificateRealm.java
package com.iplanet.ias.security.auth.realm.certificate;
* Realm wrapper for supporting certificate authentication.
* The certificate realm provides the security-service functionality
* needed to process a client-cert authentication. Since the SSL processing,
* and client certificate verification is done by NSS, no authentication
* is actually done by this realm. It only serves the purpose of being
* registered as the certificate handler realm and to service group
* membership requests during web container role checks.
* There is no JAAS LoginModule corresponding to the certificate
* realm. The purpose of a JAAS LoginModule is to implement the actual
* authentication processing, which for the case of this certificate
* realm is already done by the time execution gets to Java.
* The certificate realm needs the following properties in its
* configuration: None.
* The following optional attributes can also be specified:
* <ul>
* <li>assign-groups - A comma-separated list of group names which
* will be assigned to all users who present a cryptographically
* valid certificate. Since groups are otherwise not supported
* by the cert realm, this allows grouping cert users
* for convenience.
* </ul>
public class CertificateRealm extends IASRealm
 protected void init(Properties props)
 * Returns the name of all the groups that this user belongs to.
 * @param username Name of the user in this realm whose group listing
 * is needed.
 * @return Enumeration of group names (strings).
 * @exception InvalidOperationException thrown if the realm does not
 * support this operation - e.g. Certificate realm does not support
 * this operation.
 public Enumeration getGroupNames(String username)
 throws NoSuchUserException, InvalidOperationException
 * Complete authentication of certificate user.
 * As noted, the certificate realm does not do the actual
 * authentication (signature and cert chain validation) for
 * the user certificate, this is done earlier in NSS. This default
 * implementation does nothing. The call has been preserved from S1AS
 * as a placeholder for potential subclasses which may take some
 * action.
 * @param certs The array of certificates provided in the request.
 public void authenticate(X509Certificate certs[])
 throws LoginException
 // Set up SecurityContext, but that is not applicable to S1WS..
}Edited by: mv on Apr 24, 2009 7:04 AM

Client Certificate Prompting

Environment:
Windows 2003 Server
IIS 6.0
Java Applets
JVM 1.6
I currently have IIS set to "accept client certificates" and have a valid list in my Certificate Trust List of certificates I want to accept. I also have Windows Authentication set in the event the user does not have a valid client certificate type then they will be prompted for their Windows Login. My problem is that even though they authenticate via Windows they are still being prompted for certificates by the JVM and of course there are none in IEs store.
Is there a way to stop this or is this just a way of life.

I think it is related to the certificate you are using: what are the available CRL's (Certificate Revocation List) in that certificate? You can see that by opening the properties of the cert. The client might want to check the CRL of your CA and has no permission
to do it.
You might want to check if the CRL distribution point as configured in the certification is accessible by the client or generate a different certificate with a different distribution point.
Technical Specialist Microsoft OCS & UC Voice Specialisation - http://www.uwictpartner.be

Rejected client certificate by the server

Hello everyone.
I writting you because a I have a big problem using ssl and client authenticate.
I created a connector for the client connetions:
<Connector port="9443"
 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 keystoreFile="C:/WINDOWS/security/server.ks"
 keystorePass="*********"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="true" sslProtocol="SSL" />
As it is for educational propurses, I created my own self-signed CA using openssl and generate a certificate request for the
web server and then I signed with the self-signed CA.
Then I created a client certificate and I signed with the self-signed CA, I import the self-signed CA in firefox as a
certificate authority and the client certificate as a client certificate, but when I try to establish a connection I got this
error message: "Could not establish an encrypted connection because your certificate was rejected by agatha. Error Code -12271"
(agatha is the apache server).
I got a openssl manual and I saw I followed the right steps to create the CA and the client certificate, I also read that the
common name of the client must match an entry in tomcat-users.xml, I created an entry with this common name and
the error message still apears.
When I use Internet Explorer I get a error page with this title: The page cannot be displayed
I opened the stdout.log file and there is a exception repeted 5 times:
NotifyUtil::java.net.ConnectException: Connection refused: connect
 at java.net.PlainSocketImpl.socketConnect(Native Method)
 at java.net.PlainSocketImpl.doConnect(Unknown Source)
 at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
 at java.net.PlainSocketImpl.connect(Unknown Source)
 at java.net.Socket.connect(Unknown Source)
 at java.net.Socket.connect(Unknown Source)
 at sun.net.NetworkClient.doConnect(Unknown Source)
 at sun.net.www.http.HttpClient.openServer(Unknown Source)
 at sun.net.www.http.HttpClient.openServer(Unknown Source)
 at sun.net.www.http.HttpClient.<init>(Unknown Source)
 at sun.net.www.http.HttpClient.<init>(Unknown Source)
 at sun.net.www.http.HttpClient.New(Unknown Source)
 at sun.net.www.http.HttpClient.New(Unknown Source)
 at sun.net.www.http.HttpClient.New(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.plainConnect(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.connect(Unknown Source)
 at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
 at org.netbeans.modules.web.monitor.server.NotifyUtil$RecordSender.run(NotifyUtil.java:237)
What is happening??? is there something wrong??

That didn't work for me - as well as a host of other things that did not work for me. I can honestly say that Netbeans is the worst piece of junk software I've ever used in the entirety of my life and my previous one thousand lives.
The best way to rid yourself of this problem is to uninstall Netcrap and run over to Eclipse. But beyond that, edit your [$TOMCAT_HOME]/conf/web.xml file and rip out the following section from the top - where Netcrap snuck it in, and didn't remove - even causing config errors after I turned it off.
=========================================
<filter>
<filter-name>HTTPMonitorFilter</filter-name>
<filter-class>org.netbeans.modules.web.monitor.server.MonitorFilter</filter-class>
<init-param>
<param-name>netbeans.monitor.ide</param-name>
<param-value>127.0.0.1:8082</param-value>
</init-param>
</filter>
<filter-mapping>
<filter-name>HTTPMonitorFilter</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping>
=========================================
I'm using 4.0 on Linux. Thing has got a couple of cool features, but nothing beats dependability, and a darn config interface that actually makes sense. I mean, turn off some features and you can't even open your past projects?! WTF?! But no indication! But first the icon looks good! And then you click on it and it disappears! Un-effing-believable! And it took me hours to figure out how to set up a dang server! I just assumed it didn't have the ability to do it at all! The source-code control config is whack. Man. Total lack of useful documentation, no decent news/web boards. Totally outrageous.
Worst. Software. Ever.

How to retrieve DN from client certificate in servlet

Hello,
My servlet has to use SSL, and authenticate users based on the owner of a client certificate.
Is there a way for my servlet to obtain the session's client certificate and extract the owner's DN from it?
Thanks!

http://forum.java.sun.com/thread.jsp?forum=9&thread=509790

Obtaining client certificate in servlet using apache + tomcat

Hi,
I'm porting a webapplication from Javawebserver to Apache/1.3.6 (Win32) mod_jk mod_ssl/2.2.6 OpenSSL/0.9.2b
The application needs to get the client certificate hash code.
Using Javawebserver I used
request.getAttribute ("javax.net.ssl.cipher_suite");
request.getAttribute("javax.net.ssl.peer_certificates");
etc
How do I set up the apache webserver so that I can read the client certificate and what is the attribute called?
I've tried this in the httpd.conf:
SSLOptions +ExportCertData
And the attribute:
"SSL_CLIENT_CERT"
Like it says in the Tomcat documentation.
I'm not sure if I need to set up Tomcat as well..
Any help would be greatly appriciated!
Sincerely,
AM Hjemaas

Yup use ajp13 not ajp12 or mod_webapp
refer to http://www.galatea.com/flashguides/apache-tomcat-24-win32.xml on setting up..
THIS IS IMPORTANT!!!
use Apache mod_jk.dll diretive:
JkEnvVar Apache_Env_Var FORWARD_ALIAS
this will send a apache environment variable (http://myapache/cgi-bin/printenv.pl to see whats available) to Tomcat
JkEnvVar SSL_CLIENT_CERT SSL_CLIENT_CERT
Then in Tomcat servlet use request.getAttribute("SSL_CLIENT_CERT") to get the cert in PEM format
Hope this helps
Jay

MS-SOAP Toolkit 2, certificates and Weblogic

Hi,
I am trying to work with the Microsoft Toolkit 2 SP 2, client certificates and Weblogic
6.1.
It does not work, I know that the problem is with the Toolkit,
it doesn't agree to work with Weblogic, but maybe someone
in this forum know how to solve it.
So, if someone knows how to solve it, please let me know ASAP.
THANKS,
Tal.

To work with Microsoft MS SOAP Toolkit, you should use either RPC/encoded or document/literal.
Even if RPC/literal is WS-I compliant and is now supported by the .NET 3.0 version of the framework, it's not supported for older releases.
Best,
-Eric

Client Certificate Authentication not working in OSB 11g

Hi All,
I am currently having an issue with getting a 2 way SSL handshake to work in a production environment.
We have the set up working and fully functional in a Test environment, however when we have deployed the code and made the same config changes in the Production environment, it does nto work when calling the API (the result being as if we were not presenting the client cert to the API).
All relevant configuration on Weblogic and OSB was performed (Keystore creation / Security Realm - Service Key Provider / Service Key Providers etc) and I believe to be right.
We can test the keystore using SOAPUI and we get a valid response from the live API.
We can see the relevant aliases in OSB Service Key Provider so I know that the Security Realm / Identity settings are correct on the Weblogic Server.
The Test and Production Weblogic properties all look the same for Keystores / Secuirty Realms / SSL etc (expect with live keystores etc).
As we can see the aliases in OSB when setting up the Service Key Provider, it should just be a matter of setting the 'Authentication' of the business service making the call to 'Client Certificate' and this has also been done.
Though we always get an authentication error and code, that matched what we would get if we turn off the client cert authentication on the business service in the test environment (i.e not sending the certificate with the request).
What I really want to know is how can I find out for sure whether we are sending this certificate with our request or not? As I am struggling to find a way to log these details.
Any input appreciated.
Jamie

This is issue has now been resolved.
It was an environment specific issue rather than anything wrong with the actual code.

Optional Client Certificate

I have problems to access a web site which asks for an optional client certificate. That means if browser presents a client certificate user will be an authenticated user, if not user is handled as guest user.
iOS Safari does nothing if no client certificate is installed and does not show web site, furthermore no error is shown.
Expected behaviour: Safari should not present a client certificate and show website w/o client certificate if web site does not send an 4xx or TLS error.

Hi Alfred and Kristian,
You can't do what you would like right now.
My understanding is that you would like some functionality like this:
"WebApp A" demands 2 way SSL (mutual Auth) while
"WebApp B" is content with 1 way auth ("regular" ssl where only the server
authenticates itself to the client)
Unfortunately 2 way ssl cannot be specified on a per-web application basis at
this time. It is "all or nothing."
Hopefully you can find another solution to the problem you are faced with.
Cheers,
Joe Jerry Jerista
Alfred Hiebl wrote:
Hi,
We are having the same problem in our project. I hope that someone from BEA
can answer this question.
Alfred
"Leif Kristian Vadseth" <[email protected]> schrieb im
Newsbeitrag news:[email protected]..
I've asked for more information about this before, but not been given any
answer. However, optimistic as I am, I'll give it another try:
I would like to be able to configure the SSL protocol on the SAME WLS (v.
6.1) so that DIFFERENT web applications can be configured either to demand
mutual authentication (two-way SSL) or "server authentication" (one-waySSL,
the server is authenticating itself to the client).
Is this possible??? Is there any way that I programatically from a servlet
can demand that the client shows his/hers certificate?
Kristian Vadseth

SSL client certificate problem with exchange owa

Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
When I try to log on to the server, I now get a a safari warning telling me that the website requests a client certificate and prompts me to choose one.
Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
I cannot get through this dialog because it seems I do not have the required certificate.
What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
I do not understand what mobileme has to do with this exchange server at all.
What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
Can anybody point in the right direction please ?
For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definatly not on all 4 at the same time....
Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

Since a week I've been having the strangest problem when trying to connect to an exchange webmail server.
When I try to log on to the server, I now get a a safari warning telling me that the website requests a client certificate and prompts me to choose one.
Safari presents me with a few .mac and mobileme certificates, none of which are valid for this site obviously.
I cannot get through this dialog because it seems I do not have the required certificate.
What baffles me though, is that when I disable my mobileme settings in system preferences, safari connects to the exchange webmail perfectly without ever prompting me for a certificate.
I do not understand what mobileme has to do with this exchange server at all.
What is even more strange is that I have been having this on 4 different mac's here at home, with two different user accounts on the exchange server, and I have a family mobileme pack... so every system is a little different, but they all behave exactly the same.
Can anybody point in the right direction please ?
For what it's worth, I could have installed a 10.7.1 update on one of the systems which may have caused this, but definatly not on all 4 at the same time....
Another strange bit, when setting up the exchange server inside mail.app, it works perfectly...

PKI SCCM Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.

Hello everyone,
I’m having issues with workgroup computers, not domain systems when I request a certificate.
It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. In 2003 server I can request a certificate manually with certutil and it see the certificate template. I copy over the exact command
on windows 7 and it can’t see the certificate template.
I have the following configuration:
CA Enterprise
I have created the SCCM Client Certificate
I have created the SCCM Web Server Certificate
I have created the SCCM Distribution Point Certificate
GPO is configured
SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
Installed SCCM Client Certificate
Installed SCCM Web Server Certificate
Installed Distribution Point Certificate
Deployed to a domain computer good on PKI
Workgroup Computers:
I’m having issues with deploying certificates
Windows 7 –
(ERROR) not successful
Windows Server 2008 R2 –
(ERROR) not successful
Windows Server 2003 - successful
Windows XP – successful
How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
http://www.ithierarchy.com/ITH/node/48
I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
Command line requesting the cert ---- CertReq –new –f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
Error --- Template not found.
SCCMClientCertificate (this is my template)

Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OS’s.
Instead you must utilize two other additional roles on the CA to have this work. The caviate is, I’m down to the testing and it’s not working as in the document. I have MS Support
working with me to resolve this issue since it was written by MSFT.
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx

PKI Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.

Hello everyone,
I’m having issues with workgroup computers, not domain systems when I request a certificate.
It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. In 2003 server I can request a certificate manually with certutil and it see the certificate template. I copy over the exact command
on windows 7 and it can’t see the certificate template.
I have the following configuration:
CA Enterprise
I have created the SCCM Client Certificate
I have created the SCCM Web Server Certificate
I have created the SCCM Distribution Point Certificate
GPO is configured
SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
Installed SCCM Client Certificate
Installed SCCM Web Server Certificate
Installed Distribution Point Certificate
Deployed to a domain computer good on PKI
Workgroup Computers:
I’m having issues with deploying certificates
Windows 7 –
(ERROR) not successful
Windows Server 2008 R2 –
(ERROR) not successful
Windows Server 2003 - successful
Windows XP – successful
How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
http://www.ithierarchy.com/ITH/node/48
I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
Command line requesting the cert ---- CertReq –new –f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
Error --- Template not found.
SCCMClientCertificate (this is my template)

Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OS’s.
Instead you must utilize two other additional roles on the CA to have this work. The caviate is, I’m down to the testing and it’s not working as in the document. I have MS
Support working with me to resolve this issue since it was written by MSFT.
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx

Client Certificate and EP 6.0

Similar Messages

Maybe you are looking for