Client certificate is not send
Hi
I have not much experience in Java, so thank you in advance for your help.
I have some piece of client code which setup the secure connection. Everything works fine until I use server authentication (in my certificate store I have trusted CA certificate and client certificate signed by this trusted CA). In mutual authentication handshake fails, because the cliend doesn't send any certificate (i checked it using network sniffer). I was looking for the way of enumerate the local certificates which are going to be send from client, but I can't understand how should I do it. There is my code below :
System.setProperty("-Djavax.net.ssl.trustStore","G:/Program Files/Java/jre1.5.0_07/lib/security/cacerts".replace('/', File.separatorChar));
System.setProperty("-Djavax.net.ssl.trustStorePassword","changeit");
System.setProperty("-Djavax.net.debug","all");
int port = 16993;
String hostname = "10.10.1.11";
SSLSocketFactory factory = null;
SSLSocket socket = null;
SSLSession session = null;
String[] proto = new String[1];
String[] ciphe = new String[1];
String[] all_ciphe_supp = new String[33];
System.out.println("Cipher Suite and Protocols test");
try {
factory = HttpsURLConnection.getDefaultSSLSocketFactory();
} catch (Exception e) {
System.out.println( e.toString());
if (factory != null) {
// Connect to the server
try {
socket = (SSLSocket)factory.createSocket(hostname,port);
all_ciphe_supp = socket.getSupportedCipherSuites();
System.out.println("All ciphersuites and protocol supported");
socket.startHandshake();
session = socket.getSession();
System.out.println("Connection established using " + session.getProtocol() + " and " + session.getCipherSuite());
socket.close();
} catch (SSLPeerUnverifiedException e) {
System.out.println("Connection not established : " + e.toString());
} catch (IOException e) {
System.out.println("Connection not established : " + e.toString());
}
Thanks a lot, it is a little bit better, I can see debug messages at the output :)
However the main problem still exists. In debug window I can see that client and CA certificates are added as trusted certificates, but no certificate is sent to server. Is it something wrong with certificate?
I have the certificate in following formats: .der .p12 .pem
I could only import .der using keytool (trying to import .p12 or .pem got Input not an X.509 certificate error), but using web browser I can use this certificate and mutual authentication goes ok.
Similar Messages
-
Client Certificate Authentication not working in OSB 11g
Hi All,
I am currently having an issue with getting a 2 way SSL handshake to work in a production environment.
We have the set up working and fully functional in a Test environment, however when we have deployed the code and made the same config changes in the Production environment, it does nto work when calling the API (the result being as if we were not presenting the client cert to the API).
All relevant configuration on Weblogic and OSB was performed (Keystore creation / Security Realm - Service Key Provider / Service Key Providers etc) and I believe to be right.
We can test the keystore using SOAPUI and we get a valid response from the live API.
We can see the relevant aliases in OSB Service Key Provider so I know that the Security Realm / Identity settings are correct on the Weblogic Server.
The Test and Production Weblogic properties all look the same for Keystores / Secuirty Realms / SSL etc (expect with live keystores etc).
As we can see the aliases in OSB when setting up the Service Key Provider, it should just be a matter of setting the 'Authentication' of the business service making the call to 'Client Certificate' and this has also been done.
Though we always get an authentication error and code, that matched what we would get if we turn off the client cert authentication on the business service in the test environment (i.e not sending the certificate with the request).
What I really want to know is how can I find out for sure whether we are sending this certificate with our request or not? As I am struggling to find a way to log these details.
Any input appreciated.
JamieThis is issue has now been resolved.
It was an environment specific issue rather than anything wrong with the actual code. -
PKI SCCM Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.
Hello everyone,
I’m having issues with workgroup computers, not domain systems when I request a certificate.
It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. In 2003 server I can request a certificate manually with certutil and it see the certificate template. I copy over the exact command
on windows 7 and it can’t see the certificate template.
I have the following configuration:
CA Enterprise
I have created the SCCM Client Certificate
I have created the SCCM Web Server Certificate
I have created the SCCM Distribution Point Certificate
GPO is configured
SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
Installed SCCM Client Certificate
Installed SCCM Web Server Certificate
Installed Distribution Point Certificate
Deployed to a domain computer good on PKI
Workgroup Computers:
I’m having issues with deploying certificates
Windows 7 –
(ERROR) not successful
Windows Server 2008 R2 –
(ERROR) not successful
Windows Server 2003 - successful
Windows XP – successful
How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
http://www.ithierarchy.com/ITH/node/48
I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
Command line requesting the cert ---- CertReq –new –f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
Error --- Template not found.
SCCMClientCertificate (this is my template)Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OS’s.
Instead you must utilize two other additional roles on the CA to have this work. The caviate is, I’m down to the testing and it’s not working as in the document. I have MS Support
working with me to resolve this issue since it was written by MSFT.
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx -
PKI Client Certificate Template not viewable by Windows 7 and Server 2008 workgroup machines.
Hello everyone,
I’m having issues with workgroup computers, not domain systems when I request a certificate.
It’s extremely weird. It has something to do with Windows 7 and Windows 2008 machines. In 2003 server I can request a certificate manually with certutil and it see the certificate template. I copy over the exact command
on windows 7 and it can’t see the certificate template.
I have the following configuration:
CA Enterprise
I have created the SCCM Client Certificate
I have created the SCCM Web Server Certificate
I have created the SCCM Distribution Point Certificate
GPO is configured
SCCM 2012 R2 CU2 configured to do HTTP and HTTPS
Installed SCCM Client Certificate
Installed SCCM Web Server Certificate
Installed Distribution Point Certificate
Deployed to a domain computer good on PKI
Workgroup Computers:
I’m having issues with deploying certificates
Windows 7 –
(ERROR) not successful
Windows Server 2008 R2 –
(ERROR) not successful
Windows Server 2003 - successful
Windows XP – successful
How I’m getting the certs for the clients is by utilizing the following scripts from this URL.
http://www.ithierarchy.com/ITH/node/48
I did find a couple of errors in the code, but if it’s working on my Server 2003, then it should work on the others. Windows 7 and Windows 2008 R2 seem to have the same issue. The error I’m getting is the following:
Command line requesting the cert ---- CertReq –new –f testcomputer.home.pvt.inf c:\client\testcomputer.home.pvt.req
Error --- Template not found.
SCCMClientCertificate (this is my template)Just to give an update on what’s happening with this. I found out this format is unsupported by MS with Windows Vista and newer OS’s.
Instead you must utilize two other additional roles on the CA to have this work. The caviate is, I’m down to the testing and it’s not working as in the document. I have MS
Support working with me to resolve this issue since it was written by MSFT.
http://blogs.technet.com/b/askds/archive/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates.aspx
and use this doc for similar workgroup computers for rolling out certs. This was written for RT devices, however, it should work once I get to that point.
http://blogs.technet.com/b/pki/archive/2012/12/11/certificate-for-winrt-devices-and-non-domain-member-devices.aspx -
How to retrieve client certificate information from sender mail adapter
Hi, expert:
I have a requirement to verify the validation of coming email with digital certification. The mail is with digital certification. If the coming email is valid, I 'll get the attachemt of the mail for further processing. I have a sender mail adapter and receiver file adapter configued.
I have already my own developed adapter module, which is configued in mail adapter. My question is how to retrieve the detailed certificate information in the adapter module developed by myself. Is it feasible?
Thanks a lot.The WL-Client-Proxy cert should be the cert used on the proxy side if SSL is configured between Apache and WebLogic, so I believe that is the reason why that does not work. Basically, the problem here is that SSL is end-to-end, and the two ends of this transaction are the client and apache.
That said, when you add the +ExportCertData option, this should record the client's SSL certificate in the vairable SSL_CLIENT_CERT. So you should be able to use request.getAttribute("SSL_CLIENT_CERT").
See:
http://www.modssl.org/docs/2.8/ssl_reference.html
If this doesn't work for you (which is possible if the WL_Proxy is doing something funny to the request), it is probably best just to dump out the entire contents of the session, and see what you have:
for (Enumeration e = request.getAttributeNames() ; e.hasMoreElements() ; ) {
String attr = (String)e.nextElement();
System.out.println("ATTR = " + attr);
System.out.println("VAL = " + request.getAttribute(attr));
If you can't see any SSL certificate there, you will have to work out some way to pass this on manually.
cheers,
Trevor -
Using ConfigMgr 2012 R2 (no CU). OSD was working fine prior to the recent black tuesday patch problems. Domain Contoller (and also CA) as well as all clients got all the recent August patches. Just built 2 machines, one physical (inspiron 15, other hyper
V) Both imaged computers went fine, OS added all security patches, and left me at ctrl alt delete. Logging on i noticed that software never got deployed, configmgr client was single tiered. ran ccmrepair, no affect, group policy repair, wmi reset, etc. Client
never fully installed. SCEP patches for DEFs worked but that was through WSUS. uninstalled client completely, cleaned smscfg.ini, regedit to remove entries for install and then re ran \\server\share\ccmsetup /usepkicert SMSSITECODE=XXX
same problem
opened MMC computer account logged in as local admin, and there are NO certs under personal
this is what i should have below(based on an old image that worked) There are some errors on the Domain Controller, CA (same one box)
Certificate enrollment for Local system is successfully authenticated by policy server ldap: using authentication mechanism windows integrated (Credential: credential is private). Policy Id: {6AF312CA-551D-477C-8931-C2217574F832}
Certificate enrollment for Local system successfully load policy from policy server
Certificate enrollment for Local system for the template DomainController was not performed because this template has been superseded.
The "Microsoft Platform Crypto Provider" provider was not loaded because initialization failed.
Certificate enrollment for Local system could not enroll for a Machine certificate. Read or enrollment access is not allowed for this template.
Certificate enrollment for Local system could not enroll for a MachineEnrollmentAgent certificate. Read or enrollment access is not allowed for this template.
Certificate enrollment for Local system could not enroll for a IPSECIntermediateOnline certificate. A valid certification authority cannot be found to issue this template.
Certificate enrollment for ANER\Administrator is successfully authenticated by policy server ldap: using authentication mechanism windows integrated (Credential: credential is private). Policy Id: {6AF312CA-551D-477C-8931-C2217574F832}
these repeat over and over periodically.
Certificate enrollment for ANER\Administrator successfully load policy from policy server
Not sure what could have happened here. The errors appear to go back until several months so i dont know if they are the cause of this. I know group policy is responsible for getting the certs installed. I have configured autoenrollment in the user and computer
areas of GP for both default policy and domain controller policy.
I am deeply perplexed. Any assistance greatly appreciated.SMSTS log on the client without certs: (did you want one on the configmgr box?)
<![LOG[Successfully finalized logs to SMS client log directory from C:\WINDOWS\CCM\Logs]LOG]!><time="22:43:38.652+240" date="08-27-2014" component="OSDSetupHook" context="" type="1" thread="1088" file="tslogging.cpp:1542">
older one is:
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{BD8504DF-10E1-47C9-A665-50465C05B865}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{4E0944BD-6A6C-48A7-A1D2-A44A5823CC82}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{1F1BF36C-1820-4E5C-823E-34B2E487B999}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{709E184A-A599-469E-A762-CDD8D0044767}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{CFD388C6-CD22-42CC-952B-5483FAB6167E}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{E6E6BF22-C95E-4E02-9DFF-5FF8F75FE49D}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{2125003B-3160-45CF-8AC2-68338C4ED5E3}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{E4C65A44-063E-4827-B2FD-A3518F25412A}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{FC16DBD9-DD66-4D33-AC8D-E43D7E450AEE}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{CB649F95-764C-4491-B4E2-7C068A9B8F3E}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{ED903082-D523-4FE0-BB7C-28561D2ACC5B}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{4861265B-07DE-44A8-8E8C-D6BDBD684C5A}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{52E66067-0AD4-4891-BD3C-732643F73620}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{AF4A5641-682B-4FB0-B9CF-3B4B1DF2CA05}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{159E0E6B-ED60-4590-B557-2BAB3DBFA104}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{2A739F20-7F05-49D6-81D3-0A8E1037CFE3}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{E33411BF-F0A2-4EEA-8005-45C0EE368BC2}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{192CE59E-6FC9-4040-8F05-635F8E9590C3}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{A7647304-7727-4520-A23F-348EF65875D4}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{948AD2DF-7F0E-4A77-A5FE-08C65D0EE773}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{39252788-DB6A-4174-844A-67DE576CD949}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{3A84557B-3A3D-42F7-B237-6907CE532806}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{4D9D6559-49FA-4915-BF26-EDB2578A1824}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{95388B41-5F4C-4A95-9CE6-434936222B9A}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{2641E7BE-0735-42A6-B907-1ABC47ECBA37}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{BED5199D-D876-440F-883D-CE401F48C3A5}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{B11D84B9-F4DB-45A8-9062-6070F22DE215}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{3BCD2242-E9C5-4390-BC57-F80146F6E705}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{2FC619AC-AE77-4BB6-ABCF-EAE96CA2DE6B}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{D4A05D7E-E3F4-430A-A25D-B842FA642536}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{F1076D6A-BD02-4129-87AC-AF501567E234}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{A903BC88-4107-4EB5-93ED-409D403042C9}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{60AF64AC-93CC-42E7-BDB5-B35DD3C6F8F9}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{3AAECA7C-F5C9-4554-AED8-AA2167847F3C}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/RequiredApplication_bfee10b7-e1f5-4b6a-b109-0b83206accd4/VI/VS",PolicyInstanceID="{44A0199C-7CAD-40D7-AD13-B63FBE9320DE}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/RequiredApplication_bfee10b7-e1f5-4b6a-b109-0b83206accd4/VI/VS}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{C44E24BB-B4BF-4AAE-9132-1F7B04130190}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{AE60CBAC-E351-4AE5-B1B5-B03B868C7184}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{E1221271-5D5A-4D91-8F5E-99D1D82C6276}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{A28A290A-5F48-4000-BA74-1A406DEB396E}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI",PolicyInstanceID="{0D00F671-7FFA-4793-B0EC-DCAAC083A9C8}",PolicyRuleID="{Rule_ScopeId_122C12A8-8BB6-4207-99F0-FE10D9094C9D/AuthList_991E71F0-2232-4F83-AE72-F1813BE613DF/VI}",PolicySource="CcmTaskSequence",PolicyVersion=""'.
TSManager 8/27/2014 10:43:14 PM
2140 (0x085C)
TS deleting 'CCM_CIVersionInfo.PolicyID="ScopeId_122C12A8-8BB6-4207-99F0-FE
There doesnt seem to be a smoking gun since the image is completely built and works except its missing certs and the sccm client is broken -
Getting the Client Certificate out of the HttpServletRequest object
I have an interesting issue with weblogic 5.1 SP6 and getting/obtaining Client
Certificates.
The issue is that the Client Certificate is not always in the HttpServletRequest
object depending on how the weblogic.properties are set. Here is my code to get
the Certificates.
// get the cert chain from the request
Object obj=request.getAttributs("javax.net.ssl.peer_certificates");
if (obj instanceof weblogic.security.X509[]) {
weblogic.security.X509[] wlogicCert = (weblogic.security.X509[]) obj;
try {
iaik.x509.X509Certificate iaikClientCert =
new iaik.x509.X509Certificate(wlogicCert[0].getBytes());
clientSDN = aiaikClientCert.getSubjectDN().getName();
clientCert = (Certificate)iaikClientCert;
The only time the certificate is present in the Request Object is when the following
weblogic.properties are set:
weblogic.security.enforceClientCert=true
weblogic.security.clientRootCA=CARoot.pem
If the properties are set to to this: no Certificate can be received from the
Request object.
weblogic.security.enforceClientCert=false
#weblogic.security.clientRootCA=CARoot.pem
Is there a way to have Weblogic always receive/get a Client Certificate if one
is provided by the client, but not have weblogic do any validation of the certificate?
Any help would be appreciated!
Garyok i see.
although it should be able to get the underlying
outputStream handle since i have initialized
(associated) it on the previous line.
ThanksWell, you might be able to get the underlying stream. Look at the API docs. If there's a method there to do it, then you can. If not, then you can't.
If you can do it, then you have to look at the API docs for FileOutputStream and see if it lets you get the associated File or path. If such a method exists, then you can get it. If not, then you can't.
Even if both methods exist and you can utimately get the file, do you understand why this is not the same as "getting the file associated with a PrintStream"? -
AnyConnect and client certificate
Hi,
I was looking at 'BRKSEC-3033 - Advanced AnyConnect Deployment' on Ciscovirtuallive.
On that session the presenter says that:
"Issuer of client certificate may not be the same as the issuer of the ASA certificate."
With my basic PKI understanding :-), anyone know why you cant have the same certificate issuer?
It's a good presentation, can recommend it.
BR
MickeHello Mikael,
You DO can have the same certificate issuer!!
I think he said it was an option to not have it with AnyConnect but as your PKI understanding states you do can have it like that.
Regards,
Julio
Do rate all the helpful posts -
HTTPS Client not sending the certificate chain
Hi,
I have HTTPS java programme with client authendication.
When the server request for the certificate from the client, the client is not sending the certificate chain, the server says Thread-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
In the client I an setting the keystore properties properly
Below is the ssl trace from the server and the client.
The trace clearly says that the client has loded its certificate from the key store.
One thing I noticed is the validity period of the client certificate is different in client and the server.
I am not sure why it is different. I followed the steps properly to create the certificate.
Can anyone help me to resolve this
==========================Server Trace==========================
SecureServer version 1.0
found key for : server
chain [0] = [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
Signature:
0000: 54 CC 61 97 1A 69 6C 1F 4B 53 1B 7C 54 B3 65 A9 T.a..il.KS..T.e.
0010: 15 C6 1A C0 1B BD FC E5 15 ED 57 F7 29 E7 5E 34 ..........W.).^4
0020: 3F D3 9C 40 4E D8 0B AC 79 5B 01 64 4E DD D2 FE [email protected][.dN...
0030: 57 6A 02 1E 8F C7 00 11 77 0F C8 20 06 0E DB 78 Wj......w.. ...x
0040: E3 45 57 9B 7D A4 95 0C 20 85 B8 A4 87 D8 AE 29 .EW..... ......)
0050: 69 B5 CC DC A1 B4 32 8C 6F 77 F0 9A A8 12 27 C6 i.....2.ow....'.
0060: 96 98 E9 EB AC 74 6E 39 2C D4 1B 1C A1 4B 81 C8 .....tn9,....K..
0070: 0B B9 CD 0A 18 DC 01 74 5D 99 4E 14 7A 2C 37 1E .......t].N.z,7.
trustStore is: d:\babu\ssltest\sscerts\jsseclient1
trustStore type is : jks
init truststore
adding as trusted cert: [
Version: V1
Subject: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@166
Validity: [From: Sun Jun 07 04:00:00 GMT+04:00 1998,
To: Tue Jun 07 03:59:59 GMT+04:00 2011]
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
SerialNumber: [ 32f057e7 153096f5 1fb86e5b 5a49104b]
Algorithm: [SHA1withRSA]
Signature:
0000: A6 96 37 75 1C FD 95 95 40 E0 C9 53 25 8D E7 12 [email protected]%...
0010: AC 44 51 10 AC F2 BA 98 4D 72 EF 0B 75 2D 51 19 .DQ.....Mr..u-Q.
0020: 11 C9 47 E2 2F 96 67 61 0F 36 1D CA E7 C7 23 48 ..G./.ga.6....#H
0030: 46 97 63 C4 32 AE FF 7B 5A 65 64 50 CA 67 F7 14 F.c.2...ZedP.g..
adding as trusted cert: [
Version: V3
Subject: CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffff956
Validity: [From: Mon Oct 09 04:00:00 GMT+04:00 2006,
To: Tue Oct 24 03:59:59 GMT+04:00 2006]
Issuer: OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc"
SerialNumber: [ 5f2e369d 92ccf119 5d9a0371 c2f19ba4]
Certificate Extensions: 6
[1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 28 30 26 30 24 06 08 2B 06 01 05 05 07 30 01 .(0&0$..+.....0.
0010: 86 18 68 74 74 70 3A 2F 2F 6F 63 73 70 2E 76 65 ..http://ocsp.ve
0020: 72 69 73 69 67 6E 2E 63 6F 6D risign.com
[2]: ObjectId: 2.5.29.31 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 35 30 33 30 31 A0 2F A0 2D 86 2B 68 74 74 70 .50301./.-.+http
0010: 3A 2F 2F 63 72 6C 2E 76 65 72 69 73 69 67 6E 2E ://crl.verisign.
0020: 63 6F 6D 2F 52 53 41 53 65 63 75 72 65 53 65 72 com/RSASecureSer
0030: 76 65 72 2E 63 72 6C ver.crl
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
[1.3.6.1.5.5.7.3.1, 1.3.6.1.5.5.7.3.2]]
[4]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.113733.1.7.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 56 30 15 16 0E 56 65 72 69 53 69 67 6E 2C 20 0V0...VeriSign,
0010: 49 6E 63 2E 30 03 02 01 01 1A 3D 56 65 72 69 53 Inc.0.....=VeriS
0020: 69 67 6E 27 73 20 43 50 53 20 69 6E 63 6F 72 70 ign's CPS incorp
0030: 2E 20 62 79 20 72 65 66 65 72 65 6E 63 65 20 6C . by reference l
0040: 69 61 62 2E 20 6C 74 64 2E 20 28 63 29 39 37 20 iab. ltd. (c)97
0050: 56 65 72 69 53 69 67 6E VeriSign
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 76 65 ..https://www.ve
0010: 72 69 73 69 67 6E 2E 63 6F 6D 2F 43 50 53 risign.com/CPS
[5]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
[6]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
Algorithm: [SHA1withRSA]
Signature:
0000: 9D FC BF B3 A3 5D 94 B8 44 32 23 A5 B4 C2 BD 01 .....]..D2#.....
0010: 90 54 CE 0F 23 1A 08 9D F3 E2 55 9A 4B C9 FE 3E .T..#.....U.K..>
0020: F8 AD 45 DF 84 53 52 87 00 FA 66 2D 35 3F 48 53 ..E..SR...f-5?HS
0030: 4A D5 77 0F FB E4 20 1B E5 4F 19 60 F9 EC 79 FF J.w... ..O.`..y.
trigger seeding of SecureRandom
done seeding SecureRandom
SecureServer is listening on port 443.
matching alias: server
Accepted connection to ebms.uae.ebg.com (172.16.178.62) on port 3379.
----------1-1-1-----
[read] MD5 and SHA1 hashes: len = 3
0000: 01 03 01 ...
[read] MD5 and SHA1 hashes: len = 74
0000: 00 24 00 00 00 20 00 00 04 01 00 80 00 00 05 00 .$... ..........
0010: 00 0A 07 00 C0 00 00 13 00 00 09 06 00 40 00 00 .............@..
0020: 12 00 00 03 02 00 80 00 00 11 45 29 F4 B8 D5 0B ..........E)....
0030: F1 F5 52 D2 E4 FF 50 FA 04 49 E7 50 46 AA 2D A7 ..R...P..I.PF.-.
0040: 29 47 67 95 15 48 97 75 97 2C )Gg..H.u.,
Thread-1, READ: SSL v2, contentType = Handshake, translated length = 59
*** ClientHello, TLSv1
RandomCookie: GMT: 1160311736 bytes = { 213, 11, 241, 245, 82, 210, 228, 255, 80, 250, 4, 73, 231, 80, 70, 170, 45, 167, 41, 71, 103, 149, 21, 72, 151, 117, 151, 44 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
*** ServerHello, TLSv1
RandomCookie: GMT: 1160311736 bytes = { 227, 31, 215, 114, 116, 219, 59, 159, 156, 232, 234, 78, 209, 15, 134, 102, 46, 207, 102, 33, 202, 146, 164, 74, 99, 27, 76, 229 }
Session ID: {69, 41, 244, 184, 75, 140, 3, 113, 8, 43, 97, 188, 121, 254, 105, 189, 119, 89, 132, 185, 240, 133, 165, 13, 109, 244, 91, 98, 210, 139, 161, 214}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
Cipher suite: SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
chain [0] = [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
Signature:
0000: 54 CC 61 97 1A 69 6C 1F 4B 53 1B 7C 54 B3 65 A9 T.a..il.KS..T.e.
0010: 15 C6 1A C0 1B BD FC E5 15 ED 57 F7 29 E7 5E 34 ..........W.).^4
0020: 3F D3 9C 40 4E D8 0B AC 79 5B 01 64 4E DD D2 FE [email protected][.dN...
0030: 57 6A 02 1E 8F C7 00 11 77 0F C8 20 06 0E DB 78 Wj......w.. ...x
0040: E3 45 57 9B 7D A4 95 0C 20 85 B8 A4 87 D8 AE 29 .EW..... ......)
0050: 69 B5 CC DC A1 B4 32 8C 6F 77 F0 9A A8 12 27 C6 i.....2.ow....'.
0060: 96 98 E9 EB AC 74 6E 39 2C D4 1B 1C A1 4B 81 C8 .....tn9,....K..
0070: 0B B9 CD 0A 18 DC 01 74 5D 99 4E 14 7A 2C 37 1E .......t].N.z,7.
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE>
<OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc">
*** ServerHelloDone
[write] MD5 and SHA1 hashes: len = 912
0000: 02 00 00 46 03 01 45 29 F4 B8 E3 1F D7 72 74 DB ...F..E).....rt.
0010: 3B 9F 9C E8 EA 4E D1 0F 86 66 2E CF 66 21 CA 92 ;....N...f..f!..
0020: A4 4A 63 1B 4C E5 20 45 29 F4 B8 4B 8C 03 71 08 .Jc.L. E)..K..q.
0030: 2B 61 BC 79 FE 69 BD 77 59 84 B9 F0 85 A5 0D 6D +a.y.i.wY......m
0040: F4 5B 62 D2 8B A1 D6 00 04 00 0B 00 02 18 00 02 .[b.............
0050: 15 00 02 12 30 82 02 0E 30 82 01 77 02 04 45 28 ....0...0..w..E(
0060: B8 A9 30 0D 06 09 2A 86 48 86 F7 0D 01 01 04 05 ..0...*.H.......
0070: 00 30 4E 31 0B 30 09 06 03 55 04 06 13 02 61 65 .0N1.0...U....ae
0080: 31 0A 30 08 06 03 55 04 08 13 01 61 31 0A 30 08 1.0...U....a1.0.
0090: 06 03 55 04 07 13 01 61 31 0A 30 08 06 03 55 04 ..U....a1.0...U.
00A0: 0A 13 01 61 31 0A 30 08 06 03 55 04 0B 13 01 61 ...a1.0...U....a
00B0: 31 0F 30 0D 06 03 55 04 03 13 06 69 74 6E 35 34 1.0...U....itn54
00C0: 37 30 1E 17 0D 30 36 31 30 30 38 30 38 33 36 35 70...06100808365
00D0: 37 5A 17 0D 30 37 30 31 30 36 30 38 33 36 35 37 7Z..070106083657
00E0: 5A 30 4E 31 0B 30 09 06 03 55 04 06 13 02 61 65 Z0N1.0...U....ae
00F0: 31 0A 30 08 06 03 55 04 08 13 01 61 31 0A 30 08 1.0...U....a1.0.
0100: 06 03 55 04 07 13 01 61 31 0A 30 08 06 03 55 04 ..U....a1.0...U.
0110: 0A 13 01 61 31 0A 30 08 06 03 55 04 0B 13 01 61 ...a1.0...U....a
0120: 31 0F 30 0D 06 03 55 04 03 13 06 69 74 6E 35 34 1.0...U....itn54
0130: 37 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 70..0...*.H.....
0140: 01 05 00 03 81 8D 00 30 81 89 02 81 81 00 9C 86 .......0........
0150: FA C2 EC 96 1B 02 01 27 08 D2 70 4D 3B AE D0 38 .......'..pM;..8
0160: 15 97 E9 1D 94 D2 BE A1 2A 54 39 F8 2E AF 71 4C ........*T9...qL
0170: FD 9A 71 BF 8A 1E 92 9F 3A 07 DA E9 5E 49 2C C6 ..q.....:...^I,.
0180: 7D FD AA 1F C6 13 39 38 BC 16 34 04 FE E8 6B 4C ......98..4...kL
0190: EA E9 BA 29 58 9E 6C 61 B8 1F B8 29 6F 83 5D 44 ...)X.la...)o.]D
01A0: 7B 47 E5 BC 8E 2E D0 C1 E0 6F 73 15 E2 03 A8 49 .G.......os....I
01B0: C9 42 39 87 0B 70 A0 80 0D 11 98 76 AE 2B B6 A3 .B9..p.....v.+..
01C0: 5A BA 5D 3B BF C0 90 86 F6 E3 AB 9B A0 49 02 03 Z.];.........I..
01D0: 01 00 01 30 0D 06 09 2A 86 48 86 F7 0D 01 01 04 ...0...*.H......
01E0: 05 00 03 81 81 00 54 CC 61 97 1A 69 6C 1F 4B 53 ......T.a..il.KS
01F0: 1B 7C 54 B3 65 A9 15 C6 1A C0 1B BD FC E5 15 ED ..T.e...........
0200: 57 F7 29 E7 5E 34 3F D3 9C 40 4E D8 0B AC 79 5B W.).^[email protected][
0210: 01 64 4E DD D2 FE 57 6A 02 1E 8F C7 00 11 77 0F .dN...Wj......w.
0220: C8 20 06 0E DB 78 E3 45 57 9B 7D A4 95 0C 20 85 . ...x.EW..... .
0230: B8 A4 87 D8 AE 29 69 B5 CC DC A1 B4 32 8C 6F 77 .....)i.....2.ow
0240: F0 9A A8 12 27 C6 96 98 E9 EB AC 74 6E 39 2C D4 ....'......tn9,.
0250: 1B 1C A1 4B 81 C8 0B B9 CD 0A 18 DC 01 74 5D 99 ...K.........t].
0260: 4E 14 7A 2C 37 1E 0D 00 01 22 02 01 02 01 1D 00 N.z,7...."......
0270: 6D 30 6B 31 0B 30 09 06 03 55 04 06 13 02 41 45 m0k1.0...U....AE
0280: 31 11 30 0F 06 03 55 04 08 13 08 65 6D 69 72 61 1.0...U....emira
0290: 74 65 73 31 0E 30 0C 06 03 55 04 07 14 05 64 75 tes1.0...U....du
02A0: 62 61 69 31 11 30 0F 06 03 55 04 0A 14 08 65 6D bai1.0...U....em
02B0: 69 72 61 74 65 73 31 15 30 13 06 03 55 04 0B 14 irates1.0...U...
02C0: 0C 65 6D 69 72 61 74 65 73 62 61 6E 6B 31 0F 30 .ebg1.0
02D0: 0D 06 03 55 04 03 14 06 69 74 6E 35 34 37 00 AC ...U....ebms..
02E0: 30 81 A9 31 16 30 14 06 03 55 04 0A 13 0D 56 65 0..1.0...U....Ve
02F0: 72 69 53 69 67 6E 2C 20 49 6E 63 31 47 30 45 06 riSign, Inc1G0E.
0300: 03 55 04 0B 13 3E 77 77 77 2E 76 65 72 69 73 69 .U...>www.verisi
0310: 67 6E 2E 63 6F 6D 2F 72 65 70 6F 73 69 74 6F 72 gn.com/repositor
0320: 79 2F 54 65 73 74 43 50 53 20 49 6E 63 6F 72 70 y/TestCPS Incorp
0330: 2E 20 42 79 20 52 65 66 2E 20 4C 69 61 62 2E 20 . By Ref. Liab.
0340: 4C 54 44 2E 31 46 30 44 06 03 55 04 0B 13 3D 46 LTD.1F0D..U...=F
0350: 6F 72 20 56 65 72 69 53 69 67 6E 20 61 75 74 68 or VeriSign auth
0360: 6F 72 69 7A 65 64 20 74 65 73 74 69 6E 67 20 6F orized testing o
0370: 6E 6C 79 2E 20 4E 6F 20 61 73 73 75 72 61 6E 63 nly. No assuranc
0380: 65 73 20 28 43 29 56 53 31 39 39 37 0E 00 00 00 es (C)VS1997....
Thread-1, WRITE: TLSv1 Handshake, length = 912
Thread-1, READ: TLSv1 Handshake, length = 141
*** Certificate chain
Thread-1, SEND TLSv1 ALERT: fatal, description = bad_certificate
Thread-1, WRITE: TLSv1 Alert, length = 2
Thread-1, called closeSocket()
Thread-1, handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
IOException occurred when processing request.
Thread-1, called close()
Thread-1, called closeInternal(true)
==========================Client Trace==========================
--->>>--------
keyStore is : d:\babu\ssltest\sscerts\clientpk1
keyStore type is : jks
init keystore
init keymanager of type SunX509
found key for : client
chain [0] = [
Version: V1
Subject: CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffff956
Validity: [From: Mon Oct 09 09:44:01 GMT+04:00 2006,
To: Sun Jan 07 09:44:01 GMT+04:00 2007]
Issuer: CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE
SerialNumber: [ 4529e1a1]
Algorithm: [MD5withRSA]
Signature:
0000: 20 C7 89 9C 04 64 E8 62 AD D2 64 DD 0A E4 2A A1 ....d.b..d...*.
0010: B6 9A B5 06 DC 3E F8 AA BE B5 8A 12 B5 75 91 EC .....>.......u..
0020: 33 77 12 27 85 15 14 15 52 B3 7F 4B 03 18 B5 E0 3w.'....R..K....
0030: 31 E4 0C A7 0A E1 52 3E 9F D1 58 B7 F2 CC F2 DD 1.....R>..X.....
0040: D4 61 D6 C8 12 39 60 4D C9 FB DC 01 0C 0D FC 98 .a...9`M........
0050: C6 AD A6 56 3E 05 1B 4E 20 1B 93 77 16 67 0E D1 ...V>..N ..w.g..
0060: E0 A1 B6 7F CA 13 53 F2 53 92 14 63 9A 82 01 AE ......S.S..c....
0070: 83 B2 FD FC 2E 29 22 F9 E7 18 DB 6A 14 73 83 E3 .....)"....j.s..
trustStore is: d:\babu\ssltest\sscerts\jsseserver
trustStore type is : jks
init truststore
adding as trusted cert: [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
Signature:
0000: 54 CC 61 97 1A 69 6C 1F 4B 53 1B 7C 54 B3 65 A9 T.a..il.KS..T.e.
0010: 15 C6 1A C0 1B BD FC E5 15 ED 57 F7 29 E7 5E 34 ..........W.).^4
0020: 3F D3 9C 40 4E D8 0B AC 79 5B 01 64 4E DD D2 FE [email protected][.dN...
0030: 57 6A 02 1E 8F C7 00 11 77 0F C8 20 06 0E DB 78 Wj......w.. ...x
0040: E3 45 57 9B 7D A4 95 0C 20 85 B8 A4 87 D8 AE 29 .EW..... ......)
0050: 69 B5 CC DC A1 B4 32 8C 6F 77 F0 9A A8 12 27 C6 i.....2.ow....'.
0060: 96 98 E9 EB AC 74 6E 39 2C D4 1B 1C A1 4B 81 C8 .....tn9,....K..
0070: 0B B9 CD 0A 18 DC 01 74 5D 99 4E 14 7A 2C 37 1E .......t].N.z,7.
init context
trigger seeding of SecureRandom
done seeding SecureRandom
---<<<--------
THE HEADERS
---111--------
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1160311736 bytes = { 213, 11, 241, 245, 82, 210, 228, 255, 80, 250, 4, 73, 231, 80, 70, 170, 45, 167, 41, 71, 103, 149, 21, 72, 151, 117, 151, 44 }
Session ID: {}
Cipher Suites: [SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_DES_CBC_SHA, SSL_DHE_DSS_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA]
Compression Methods: { 0 }
[write] MD5 and SHA1 hashes: len = 59
0000: 01 00 00 37 03 01 45 29 F4 B8 D5 0B F1 F5 52 D2 ...7..E)......R.
0010: E4 FF 50 FA 04 49 E7 50 46 AA 2D A7 29 47 67 95 ..P..I.PF.-.)Gg.
0020: 15 48 97 75 97 2C 00 00 10 00 04 00 05 00 0A 00 .H.u.,..........
0030: 13 00 09 00 12 00 03 00 11 01 00 ...........
main, WRITE: TLSv1 Handshake, length = 59
[write] MD5 and SHA1 hashes: len = 77
0000: 01 03 01 00 24 00 00 00 20 00 00 04 01 00 80 00 ....$... .......
0010: 00 05 00 00 0A 07 00 C0 00 00 13 00 00 09 06 00 ................
0020: 40 00 00 12 00 00 03 02 00 80 00 00 11 45 29 F4 @............E).
0030: B8 D5 0B F1 F5 52 D2 E4 FF 50 FA 04 49 E7 50 46 .....R...P..I.PF
0040: AA 2D A7 29 47 67 95 15 48 97 75 97 2C .-.)Gg..H.u.,
main, WRITE: SSLv2 client hello message, length = 77
main, READ: TLSv1 Handshake, length = 912
*** ServerHello, TLSv1
RandomCookie: GMT: 1160311736 bytes = { 227, 31, 215, 114, 116, 219, 59, 159, 156, 232, 234, 78, 209, 15, 134, 102, 46, 207, 102, 33, 202, 146, 164, 74, 99, 27, 76, 229 }
Session ID: {69, 41, 244, 184, 75, 140, 3, 113, 8, 43, 97, 188, 121, 254, 105, 189, 119, 89, 132, 185, 240, 133, 165, 13, 109, 244, 91, 98, 210, 139, 161, 214}
Cipher Suite: SSL_RSA_WITH_RC4_128_MD5
Compression Method: 0
%% Created: [Session-1, SSL_RSA_WITH_RC4_128_MD5]
** SSL_RSA_WITH_RC4_128_MD5
[read] MD5 and SHA1 hashes: len = 74
0000: 02 00 00 46 03 01 45 29 F4 B8 E3 1F D7 72 74 DB ...F..E).....rt.
0010: 3B 9F 9C E8 EA 4E D1 0F 86 66 2E CF 66 21 CA 92 ;....N...f..f!..
0020: A4 4A 63 1B 4C E5 20 45 29 F4 B8 4B 8C 03 71 08 .Jc.L. E)..K..q.
0030: 2B 61 BC 79 FE 69 BD 77 59 84 B9 F0 85 A5 0D 6D +a.y.i.wY......m
0040: F4 5B 62 D2 8B A1 D6 00 04 00 .[b.......
*** Certificate chain
chain [0] = [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
Signature:
0000: 54 CC 61 97 1A 69 6C 1F 4B 53 1B 7C 54 B3 65 A9 T.a..il.KS..T.e.
0010: 15 C6 1A C0 1B BD FC E5 15 ED 57 F7 29 E7 5E 34 ..........W.).^4
0020: 3F D3 9C 40 4E D8 0B AC 79 5B 01 64 4E DD D2 FE [email protected][.dN...
0030: 57 6A 02 1E 8F C7 00 11 77 0F C8 20 06 0E DB 78 Wj......w.. ...x
0040: E3 45 57 9B 7D A4 95 0C 20 85 B8 A4 87 D8 AE 29 .EW..... ......)
0050: 69 B5 CC DC A1 B4 32 8C 6F 77 F0 9A A8 12 27 C6 i.....2.ow....'.
0060: 96 98 E9 EB AC 74 6E 39 2C D4 1B 1C A1 4B 81 C8 .....tn9,....K..
0070: 0B B9 CD 0A 18 DC 01 74 5D 99 4E 14 7A 2C 37 1E .......t].N.z,7.
stop on trusted cert: [
Version: V1
Subject: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
Signature Algorithm: MD5withRSA, OID = 1.2.840.113549.1.1.4
Key: com.sun.net.ssl.internal.ssl.JSA_RSAPublicKey@fffffd8e
Validity: [From: Sun Oct 08 12:36:57 GMT+04:00 2006,
To: Sat Jan 06 12:36:57 GMT+04:00 2007]
Issuer: CN=ebms, OU=a, O=a, L=a, ST=a, C=ae
SerialNumber: [ 4528b8a9]
Algorithm: [MD5withRSA]
Signature:
0000: 54 CC 61 97 1A 69 6C 1F 4B 53 1B 7C 54 B3 65 A9 T.a..il.KS..T.e.
0010: 15 C6 1A C0 1B BD FC E5 15 ED 57 F7 29 E7 5E 34 ..........W.).^4
0020: 3F D3 9C 40 4E D8 0B AC 79 5B 01 64 4E DD D2 FE [email protected][.dN...
0030: 57 6A 02 1E 8F C7 00 11 77 0F C8 20 06 0E DB 78 Wj......w.. ...x
0040: E3 45 57 9B 7D A4 95 0C 20 85 B8 A4 87 D8 AE 29 .EW..... ......)
0050: 69 B5 CC DC A1 B4 32 8C 6F 77 F0 9A A8 12 27 C6 i.....2.ow....'.
0060: 96 98 E9 EB AC 74 6E 39 2C D4 1B 1C A1 4B 81 C8 .....tn9,....K..
0070: 0B B9 CD 0A 18 DC 01 74 5D 99 4E 14 7A 2C 37 1E .......t].N.z,7.
[read] MD5 and SHA1 hashes: len = 540
0000: 0B 00 02 18 00 02 15 00 02 12 30 82 02 0E 30 82 ..........0...0.
0010: 01 77 02 04 45 28 B8 A9 30 0D 06 09 2A 86 48 86 .w..E(..0...*.H.
0020: F7 0D 01 01 04 05 00 30 4E 31 0B 30 09 06 03 55 .......0N1.0...U
0030: 04 06 13 02 61 65 31 0A 30 08 06 03 55 04 08 13 ....ae1.0...U...
0040: 01 61 31 0A 30 08 06 03 55 04 07 13 01 61 31 0A .a1.0...U....a1.
0050: 30 08 06 03 55 04 0A 13 01 61 31 0A 30 08 06 03 0...U....a1.0...
0060: 55 04 0B 13 01 61 31 0F 30 0D 06 03 55 04 03 13 U....a1.0...U...
0070: 06 69 74 6E 35 34 37 30 1E 17 0D 30 36 31 30 30 .ebms0...06100
0080: 38 30 38 33 36 35 37 5A 17 0D 30 37 30 31 30 36 8083657Z..070106
0090: 30 38 33 36 35 37 5A 30 4E 31 0B 30 09 06 03 55 083657Z0N1.0...U
00A0: 04 06 13 02 61 65 31 0A 30 08 06 03 55 04 08 13 ....ae1.0...U...
00B0: 01 61 31 0A 30 08 06 03 55 04 07 13 01 61 31 0A .a1.0...U....a1.
00C0: 30 08 06 03 55 04 0A 13 01 61 31 0A 30 08 06 03 0...U....a1.0...
00D0: 55 04 0B 13 01 61 31 0F 30 0D 06 03 55 04 03 13 U....a1.0...U...
00E0: 06 69 74 6E 35 34 37 30 81 9F 30 0D 06 09 2A 86 .ebms0..0...*.
00F0: 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 H............0..
0100: 02 81 81 00 9C 86 FA C2 EC 96 1B 02 01 27 08 D2 .............'..
0110: 70 4D 3B AE D0 38 15 97 E9 1D 94 D2 BE A1 2A 54 pM;..8........*T
0120: 39 F8 2E AF 71 4C FD 9A 71 BF 8A 1E 92 9F 3A 07 9...qL..q.....:.
0130: DA E9 5E 49 2C C6 7D FD AA 1F C6 13 39 38 BC 16 ..^I,.......98..
0140: 34 04 FE E8 6B 4C EA E9 BA 29 58 9E 6C 61 B8 1F 4...kL...)X.la..
0150: B8 29 6F 83 5D 44 7B 47 E5 BC 8E 2E D0 C1 E0 6F .)o.]D.G.......o
0160: 73 15 E2 03 A8 49 C9 42 39 87 0B 70 A0 80 0D 11 s....I.B9..p....
0170: 98 76 AE 2B B6 A3 5A BA 5D 3B BF C0 90 86 F6 E3 .v.+..Z.];......
0180: AB 9B A0 49 02 03 01 00 01 30 0D 06 09 2A 86 48 ...I.....0...*.H
0190: 86 F7 0D 01 01 04 05 00 03 81 81 00 54 CC 61 97 ............T.a.
01A0: 1A 69 6C 1F 4B 53 1B 7C 54 B3 65 A9 15 C6 1A C0 .il.KS..T.e.....
01B0: 1B BD FC E5 15 ED 57 F7 29 E7 5E 34 3F D3 9C 40 ......W.).^4?..@
01C0: 4E D8 0B AC 79 5B 01 64 4E DD D2 FE 57 6A 02 1E N...y[.dN...Wj..
01D0: 8F C7 00 11 77 0F C8 20 06 0E DB 78 E3 45 57 9B ....w.. ...x.EW.
01E0: 7D A4 95 0C 20 85 B8 A4 87 D8 AE 29 69 B5 CC DC .... ......)i...
01F0: A1 B4 32 8C 6F 77 F0 9A A8 12 27 C6 96 98 E9 EB ..2.ow....'.....
0200: AC 74 6E 39 2C D4 1B 1C A1 4B 81 C8 0B B9 CD 0A .tn9,....K......
0210: 18 DC 01 74 5D 99 4E 14 7A 2C 37 1E ...t].N.z,7.
*** CertificateRequest
Cert Types: RSA, DSS,
Cert Authorities:
<CN=ebms, OU=ebg, O=emirates, L=dubai, ST=emirates, C=AE>
<OU=For VeriSign authorized testing only. No assurances (C)VS1997, OU=www.verisign.com/repository/TestCPS Incorp. By Ref. Liab. LTD., O="VeriSign, Inc">
[read] MD5 and SHA1 hashes: len = 294
0000: 0D 00 01 22 02 01 02 01 1D 00 6D 30 6B 31 0B 30 ..."......m0k1.0
0010: 09 06 03 55 04 06 13 02 41 45 31 11 30 0F 06 03 ...U....AE1.0...
0020: 55 04 08 13 08 65 6D 69 72 61 74 65 73 31 0E 30 U....emirates1.0
0030: 0C 06 03 55 04 07 14 05 64 75 62 61 69 31 11 30 ...U....dubai1.0
0040: 0F 06 03 55 04 0A 14 08 65 6D 69 72 61 74 65 73 ...U....emirates
0050: 31 15 30 13 06 03 55 04 0B 14 0C 65 6D 69 72 61 1.0...U....emira
0060: 74 65 73 62 61 6E 6B 31 0F 30 0D 06 03 55 04 03 tesbank1.0...U..
0070: 14 06 69 74 6E 35 34 37 00 AC 30 81 A9 31 16 30 ..ebms..0..1.0
0080: 14 06 03 55 04 0A 13 0D 56 65 72 69 53 69 67 6E ...U....VeriSign
0090: 2C 20 49 6E 63 31 47 30 45 06 03 55 04 0B 13 3E , Inc1G0E..U...>
00A0: 77 77 77 2E 76 65 72 69 73 69 67 6E 2E 63 6F 6D www.verisign.com
00B0: 2F 72 65 70 6F 73 69 74 6F 72 79 2F 54 65 73 74 /repository/Test
00C0: 43 50 53 20 49 6E 63 6F 72 70 2E 20 42 79 20 52 CPS Incorp. By R
00D0: 65 66 2E 20 4C 69 61 62 2E 20 4C 54 44 2E 31 46 ef. Liab. LTD.1F
00E0: 30 44 06 03 55 04 0B 13 3D 46 6F 72 20 56 65 72 0D..U...=For Ver
00F0: 69 53 69 67 6E 20 61 75 74 68 6F 72 69 7A 65 64 iSign authorized
0100: 20 74 65 73 74 69 6E 67 20 6F 6E 6C 79 2E 20 4E testing only. N
0110: 6F 20 61 73 73 75 72 61 6E 63 65 73 20 28 43 29 o assurances (C)
0120: 56 53 31 39 39 37 VS1997
*** ServerHelloDone
[read] MD5 and SHA1 hashes: len = 4
0000: 0E 00 00 00 ....
*** Certificate chain
JsseJCE: Using JSSE internal implementation for cipher RSA/ECB/PKCS1Padding
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1
Random Secret: { 3, 1, 145, 198, 68, 101, 78, 79, 139, 241, 6, 243, 13, 208, 161, 242, 0, 185, 46, 87, 212, 79, 239, 132, 145, 14, 13, 134, 115, 250, 44, 44, 112, 33, 173, 105, 52, 186, 160, 119, 55, 202, 205, 212, 136, 92, 7, 120 }
[write] MD5 and SHA1 hashes: len = 141
0000: 0B 00 00 03 00 00 00 10 00 00 82 00 80 3A 83 FA .............:..
0010: 1E B3 43 52 3B B5 B9 A5 9D 2D 30 5E 71 34 DF 45 ..CR;....-0^q4.E
0020: 99 99 2D 9A 4A 42 54 3D 47 D8 94 22 BC F3 92 0D ..-.JBT=G.."....
0030: 23 AA 95 B5 75 EA B2 2B 8B DD DA 91 AA 94 24 4B #...u..+......$K
0040: 56 34 C8 3C 1D 2D 15 63 CF 03 FF 65 6C DF B9 00 V4.<.-.c...el...
0050: C3 5E BF 72 F4 70 64 45 D8 5B 58 E2 DF D6 12 1B .^.r.pdE.[X.....
0060: BE A3 71 E9 1C 49 BB 7E C0 4A 1F CA 1F F5 63 23 ..q..I...J....c#
0070: 0D 40 0D C6 3B FE 03 E9 DE 2E E5 09 1F 72 D7 6B .@..;........r.k
0080: D6 ED 5E 99 B0 A8 A0 D3 D2 73 F0 A0 8E ..^......s...
main, WRITE: TLSv1 Handshake, length = 141
SESSION KEYGEN:
PreMaster Secret:
0000: 03 01 91 C6 44 65 4E 4F 8B F1 06 F3 0D D0 A1 F2 ....DeNO........
0010: 00 B9 2E 57 D4 4F EF 84 91 0E 0D 86 73 FA 2C 2C ...W.O......s.,,
0020: 70 21 AD 69 34 BA A0 77 37 CA CD D4 88 5C 07 78 p!.i4..w7....\.x
CONNECTION KEYGEN:
Client Nonce:
0000: 45 29 F4 B8 D5 0B F1 F5 52 D2 E4 FF 50 FA 04 49 E)......R...P..I
0010: E7 50 46 AA 2D A7 29 47 67 95 15 48 97 75 97 2C .PF.-.)Gg..H.u.,
Server Nonce:
0000: 45 29 F4 B8 E3 1F D7 72 74 DB 3B 9F 9C E8 EA 4E E).....rt.;....N
0010: D1 0F 86 66 2E CF 66 21 CA 92 A4 4A 63 1B 4C E5 ...f..f!...Jc.L.
Master Secret:
0000: 3A 36 9A CA 6F 82 0B 32 17 28 04 CD 33 B4 5D BF :6..o..2.(..3.].
0010: 5F 87 23 71 6B 49 2D 0E 59 DE 2C EA 8E B3 43 C8 _.#qkI-.Y.,...C.
0020: 5D 3B 3B 4C B7 B9 AB 4E EA A3 E6 CE 54 40 FB 2D ];;[email protected]
Client MAC write Secret:
0000: C3 72 45 7B 93 DE 55 FF 0A 8C 9E 91 43 48 6E E4 .rE...U.....CHn.
Server MAC write Secret:
0000: E2 05 07 CB 3F 2D 95 41 EF 69 3F 09 6D CB 81 EE ....?-.A.i?.m...
Client write key:
0000: EE 7E EE 7D D8 5F 46 CD 88 15 9E F6 C7 EC 05 5F ....._F........_
Server write key:
0000: 43 DE B1 D2 FA 54 F0 E6 CA EC E8 1E 6C AD 77 EC C....T......l.w.
... no IV for cipher
main, WRITE: TLSv1 Change Cipher Spec, length = 1
JsseJCE: Using JSSE internal implementation for cipher RC4
*** Finished
verify_data: { 196, 3, 24, 202, 107, 99, 158, 203, 62, 203, 204, 35 }
[write] MD5 and SHA1 hashes: len = 16
0000: 14 00 00 0C C4 03 18 CA 6B 63 9E CB 3E CB CC 23 ........kc..>..#
Plaintext before ENCRYPTION: len = 32
0000: 14 00 00 0C C4 03 18 CA 6B 63 9E CB 3E CB CC 23 ........kc..>..#
0010: 22 2A 55 36 5F 75 DB D4 CF 19 6F 40 93 AF B8 3B "*U6_u....o@...;
main, WRITE: TLSv1 Handshake, length = 32
waiting for close_notify or alert: state 1
Exception while waiting for close java.net.SocketException: Software caused connection abort: recv failed
main, handling exception: java.net.SocketException: Software caused connection abort: recv failed
main, SEND TLSv1 ALERT: fatal, description = unexpected_message
Plaintext before ENCRYPTION: len = 18
0000: 02 0A 3E CA 24 9F 8F 40 B8 65 A6 44 5D 7E 0B B5 ..>[email protected]]...
0010: A9 C7 ..
main, WRITE: TLSv1 Alert, length = 18
Exception sending alert: java.net.SocketException: Software caused connection abort: socket write error
main, called closeSocket()
---000--------Here are the steps I am perfoming to create the certificates. Can anyone please validate the steps...
//Create private key
keytool -genkey -keystore clientpk1 -keyalg rsa -alias client -storepass password -keypass password
//Create CSR
keytool -certreq -alias client -file client.csr -keypass password -keystore clientpk1 -storepass password
//Received client-ca.cer and root certificate from verisign
//Import signed certificate to client keystore
keytool -import -keystore clientpk1 -keyalg RSA -import -trustcacerts -file client-ca.cer
//Import signed certificate and the root certificate to keystore(server thruststore)
keytool -import -keystore jsseclient1 -alias client -file getcacert.cer
keytool -import -keystore jsseclient1 -alias client -file client-ca.cer
Thanks in advance,
Babu -
Asking specific client certificate (not certificates trusted by authority)
As I understand from what I read so far, during the handshake negotiation for two way ssl, the server sends the client a list of trusted certificate authorities and say to the client: "hey, those are the authorities I trust. send me a certificate that can be verified by one of them".
I also read how you can customize SSLSocketFactory to, on the client side, look for a specific certificate alias (http://www.ibm.com/developerworks/java/library/j-customssl/). I would like to move this idea further and ask for specific certificates depending on what resources the user is trying to access.
For example:
Let's suppose I have two resources on my server called "bobPrivateStuff" and "alicePrivateStuff". I also have a certificate authority who can validate both Bob and Alice certificates on a custom trust keystore. In a regular scenario, the server will ask for a client certificate and will accept either Alice or Bob certificate, as both can be verified by the custom trust.
But what if Alice can't access "bobPrivateStuff"? What if when trying to open a connection, to say http://myserver.com/services/bobPrivateStuff, the server asks specifically for Bob's certificate? Can I setup the handshake in a way it will actually ask for Bob's certificate instead of only just "any certificated trusted by this CA"?
And what piece of information could be used to distinguish one certificate from another? Is the serial number unique between multiple certificates? Is this pushing the envelop too much and trying to use SSL for more than what it is intended for?I agree 100%. It's just that we want to use certificates to validate the client's identity (instead of relying on username/password).Fine, that's exactly what SSL & PKI will do for you.
It might not be elegantBut it is!
See my point?Of course I see your point. SSL already does that. I said that. You agreed. I agree. What it doesn't do is the authorization part. Because it can't. It isn't meant to. You are supposed to do that.
Instead of the server asking for a specific certificate, it justs checks if the certificate sent by the client has access to the resource.Not quite. It should check if the identity represented by the client certificate (Certificate.getSubjectX500Principal(), or SSLSocket.getSession().getPeerPrincipal()) has access to the resource.
This way, we can leave the server untouchedNo you can't. The server has to get hold of the client principal after the handshake and authorize it against the resource.
if Bob wants to access some resources, Bob has to prove he is who he says he is.You're still confused. That's authentication, and SSL already does that for you. SSLSocket.getSession().getPeerPrincipal() returns you the authenticated identity of the peer. The server then has to check that that identity can access that resource. This is 'authorization'. You can't automate it via keystores and truststores. That's not what they do and it's not what they're for.
So I think it is perfectly plausible to do this kind of verification on the server side (i.e. "hijack" a certificate sent to validate the ssl handshake to also verify if the user has the correct privileges).There's no 'hijacking' about it, but you're concentrating on the certificate instead of the identity it represents. A client could have a large number of certificates that all authenticate the same identity. You need to think in terms of authorizing Principals to access resources. -
Applet does not get client certificate from browser (Firefox, IE7)
I'm writing a web service which runs Tomcat through Apache. One critical requirement is that the service be able to invoke certain device drivers on the end user's machine. Fortunately, there is a Java API for this, so this requirement can be fulfilled using an applet.
Here's the problem. This is a B2B application, so we're using SSL and requiring client authentication. I'm no web security guru, but I managed to get SSL set up through Apache (with a self-signed certificate for now; we'll get a real one from a real CA when we're ready to go to production). I also managed to set up client authentication by creating my own CA and generating a client certificate, which I then copied to my test client (Win XPSP2) and imported into both Firefox (2.0.0.15) and IE (6.0.2900). The applet is signed with a real certificate, and that causes no problems. And all of the pages for my web service work as expected.
All except one. The page which is supposed to load the applet pops a dialog stating 'Identification required. Please select certificate to be used for authentication', and presents a list of zero certificates.
Actually, I get this dialog in Firefox on my XPSP2 box, and also when I test on a Vista Home Premium box running IE 7.0.6000. Puzzlingly, this behavior does NOT occur on my XPSP2 box when running through IE 6.0. It seems that with XPSP2 and IE 6.0, the JVM can manage to obtain the required client certificate from the browser and pass it along to Apache, but the JVM can't do this when running in Firefox or in IE 7.0 on Vista.
I have gone to the Java Control Panel and verified that the 'Use certificates and keys in browser keystore' option is selected on both boxes.
I've done a fair amount of research for this (including in this forum) and see that this appears to be a chronic difficulty with applets. What makes it worse is that I don't think I can use the standard workaround, which is to download the applet from a different host/virtual host, because the applet needs to communicate with the web service. Since we have the additional layer of Tomcat container-managed user authentication, the applet needs to be communicating with the server using the same session token as everything else.
So at this point, I'm stuck. Does anyone know a solution to this problem? Two thoughts (I'm reaching at straws here):
1) I have the certificate imported in both Firefox and IE as a 'personal' certificate. Is there someplace else I can put it so the JVM will know how to find it? A rather old thread in this forum mentioned something about setting properties in the Java Control Panel, but I see no place in the JCP to specify such properties, so I'm guessing that solution is no longer operative.
2) I'm using a trick I found on the internet to make the applet load cleanly with both Firefox and IE, namely, I'm using the <OBJECT> tag to specify the applet class and codebase for IE, and then using <COMMENT><EMBED ... /></COMMENT> within the <OBJECT> declaration to specify the information for Firefox. Is there some other way of doing the markup that will give the JVM a hint that it should get a certificate from the browser?
BTW . . . I would hate to drop support for Firefox, but if someone has an IE-only solution, I'll take it. Unfortunately, I reckon a Firefox-only solution would not fly.
Thanks all.My applet is also signed by a valid certificate. The question of whether the applet is signed/self-signed/unsigned >isn't an issue --- I just wanted you to make sure the Applet runs because it is a know valid Java2 Applet that is 100% signed properly and verified to run.
This eliminates the possibility that it is a JVM issue. However after reading your message further I am afraid
it is not relevant to your issue.
due to the client authentication, my browser (Firefox, IE7) refuses to even download the applet.
I went to your site, and I can see your applet in both Firefox and IE6. However, I don't believe your site is set up >quite like mine, because it appears I can run your applet whether I have imported your X509 certificate or not. What I >did was:If that is true we are all dead :) No I think you just missed the cert in the IE databse. It doesn't have to be in the
Applet database to function. Surprise!
Check your IE/tools/internet options/content tab/certificates/trusted root certification authorities.
I then opened the Java control panel and verified that the certificate isn't listed there, either. So unless the certificate >is being cached/read from some other location (which could be, this certificate stuff is largely black magic to me), >then your server isn't requiring client authentication, either accidentally or by design.No HyperView is a valid java2 Applet and actually writes to a file "hyperview.dat" though it is probably empty.
If you click on a component in the view and then on the view and type "dumpgobs" it shoud write out some data about the current graphics objects so you can see it has complete read/write access..
Further it opens up a complete NIO server ands starts listening for connections on a random port
(Echoed in your java console) You can connect to it with telnet and watch impressive ping messages all day :)
This all goes back to a few years BTW back before there was a plugin and there was only Netscape & IE.
There are actually 2 certificate databases and what loads where depends on which type of cert you are using. Now self signed or not doesn't matter but what does matter is the type of certificate. IE: is it RSA/DSA/Sha1
etc. The Netscape DB was a Berkley DB and MS used whatever they use. The Cert is a DSA/Sha1 cert
which I like the best ATM as it (X fingers it stays so) always has worked.
Sadly that tidbit doesn't help you either I am afraid.
What I'm trying to do is require client authentication through Apache by including the following markup in a virtual >host definition:
SSLCACertificateFile D:/Certificates/ca.crt
SSLVerifyClient require
SSLVerifyDepth 1You got me there I avoid markup at all costs and only code in C java and assembler :)
Now unless I am wrong I think you are saying that you want the Applet to push the certificate to the server
automatically and I don't think this happens. Least I have never heard of this happening from an Applet automatically.
On my client machine, I have a certificate which was generated using OpenSSL and the ca.crt file listed. Testing >shows that the server is requiring a certificate from the client, and the web browser is always providing it.
The problem is that when the browser fires up the Java plugin to run an applet, there is not sufficient communication >between the browser and the plugin so that the plugin can obtain the certificate from the browser and provide it to >the server.
So the server refuses to send the applet bytecode to the JVM, and we're stuck.In terms of implementation ease I think you may have the cart before the horse because I think it would be far easier to run an Applet in the first place to do the authentication, and then send, for example, a jar file to bootstrap and run
(or some classes) in the event the connection is valid. Then again one never knows it all and there may be some classes which enables the plugin as you wish. I have never heard of this being done with the plugin the way you suggest.
I am thinking maybe there is another method of doing this I do not know.
Did you try pushing the cert via JavaScript/LIveConnect?? That way it could run before the Applet and do the authentication.
Maybe someone else has other ideas; did you try the security forum??
Sorry but I am afraid that is not much help.
I did snarf this tidbit which may have some relevance
The current fix for this bug in Mantis and 1.4.1_02 is using JSSE API, Here are the step:
In Java control panel, Advanced tab -> Java Runtime Parameters, specify:
-Djavax.net.ssl.keyStore=<name and path to client keystore file>
-Djavax.net.ssl.keyStorePassword=<password to access this client keystore file>
If it is a PKCS12 format keystore, specify:
-Djavax.net.ssl.keyStoreType=PKCS12
In our future JRE release 1.5, we will create our own client authentication keystore file for JPI and use that for client authentication, for detail info, please see RFE 4797512.
Dennis
Posted Date : 2005-07-28 19:55:50.0Good Luck!
Sincerely:
(T)
Edited by: tswain on 23-Jul-2008 10:07 AM -
No client certificate available, sending empty certificate message
Dear Experts,
I am trying to establish SSL client certificate connection to external partner. What puzzles me is that the certificate is not picked up by SAP PI. The intermediate and root CA for the partner are OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network and OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US, respectively. You will be able to spot them in the Accepted Certificate Authority list, yet PI insists on sending empty certificate.
Below is trace gathered from J2EE default trace. Please help shed some light
Date : 11/16/2011
Time : 8:49:11:423
Message : additional info ssl_debug(9): Starting handshake (iSaSiLk 4.3)...
ssl_debug(9): Sending v3 client_hello message to preprod.connect.elemica.com:443, requesting version 3.2...
ssl_debug(9): Received v3 server_hello handshake message.
ssl_debug(9): Server selected SSL version 3.1.
ssl_debug(9): Server created new session 22:E7:C0:9E:C1:D2:78:83...
ssl_debug(9): CipherSuite selected by server: TLS_RSA_WITH_AES_256_CBC_SHA
ssl_debug(9): CompressionMethod selected by server: NULL
ssl_debug(9): Received certificate handshake message with server certificate.
ssl_debug(9): Server sent a 1024 bit RSA certificate, chain has 2 elements.
ssl_debug(9): ChainVerifier: No trusted certificate found, OK anyway.
ssl_debug(9): Received certificate_request handshake message.
ssl_debug(9): Accepted certificate types: RSA, DSA
ssl_debug(9): Accepted certificate authorities:
ssl_debug(9): CN=QuoVadis Global SSL ICA,OU=www.quovadisglobal.com,O=QuoVadis Limited,C=BM
ssl_debug(9): CN=AAA Certificate Services,O=Comodo CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9): CN=CSF - Classe III - Sign et Crypt,OU=Certification Professionnelle,O=Autorite Consulaire
ssl_debug(9): CN=GTE CyberTrust Global Root,OU=GTE CyberTrust Solutions, Inc.,O=GTE Corporation,C=US
ssl_debug(9): CN=Entrust.net Certification Authority (2048),OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),O=Entrust.net
ssl_debug(9): CN=DPWN SSL CA I2 PS,OU=I2 PS,O=Deutsche Post World Net
ssl_debug(9): CN=CSF,O=Autorite Consulaire
ssl_debug(9): C=BE,O=GlobalSign nv-sa,OU=RootSign Partners CA,CN=GlobalSign RootSign Partners CA
ssl_debug(9): CN=Dell Inc. Enterprise Utility CA1,O=Dell Inc.
ssl_debug(9): EMAIL=premium-server(a)thawte.com,CN=Thawte Premium Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
ssl_debug(9): CN=TC TrustCenter Class 2 L1 CA XI,OU=TC TrustCenter Class 2 L1 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9): CN=VeriSign Class 3 Extended Validation SSL SGC CA,OU=Terms of use at https://www.verisign.com/rpa (c)06,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): OU=VeriSign Trust Network,OU=(c) 1998 VeriSign, Inc. - For authorized use only,OU=Class 3 Public Primary Certification Authority - G2,O=VeriSign, Inc.,C=US
ssl_debug(9): CN=TC TrustCenter SSL CA I,OU=TC TrustCenter SSL CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9): CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9): CN=VeriSign Class 3 International Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): CN=Meijer ipprod,OU=IT,OU=Merch,O=Meijer Stores Limited,L=Walker,ST=MI,C=US
ssl_debug(9): CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9): OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network
ssl_debug(9): CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9): CN=Deutsche Telekom CA 5,OU=Trust Center Deutsche Telekom,O=T-Systems Enterprise Services GmbH,C=DE
ssl_debug(9): CN=TC TrustCenter Class 2 CA II,OU=TC TrustCenter Class 2 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9): CN=VeriSign Class 3 Secure Server CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU=VeriSign, Inc.,O=VeriSign Trust Network
ssl_debug(9): CN=Thawte SGC CA,O=Thawte Consulting (Pty) Ltd.,C=ZA
ssl_debug(9): CN=Bertschi CA,O=Bertschi AG (Schweiz),L=Duerrenaesch,ST=Switzerland,C=CH
ssl_debug(9): CN=Cybertrust SureServer CA,O=GlobalSign Inc
ssl_debug(9): CN=VeriSign Class 3 Secure Server CA,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): EMAIL=server-certs(a)thawte.com,CN=Thawte Server CA,OU=Certification Services Division,O=Thawte Consulting cc,L=Cape Town,ST=Western Cape,C=ZA
ssl_debug(9): CN=Mark Van Hamme,O=Brain2 BVBA,L=Brussels,ST=Brabant,C=BE
ssl_debug(9): CN=DigiCert High Assurance EV Root CA,OU=www.digicert.com,O=DigiCert Inc,C=US
ssl_debug(9): EMAIL=bis.at(a)siemens.com,CN=bis.siemens.at,OU=SBS ORS EDO,O=Siemens Business Services,L=Vienna,ST=Vienna,C=AT
ssl_debug(9): CN=VeriSign Class 1 Public Primary Certification Authority - G3,OU=(c) 1999 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): CN=mail2.adr-logistics.hu,O=ADR Logistics Kft.,L=Gyu00E1l,ST=Pest,C=HU
ssl_debug(9): EMAIL=brent.kemp(a)sscoop.com,CN=bacchusdevp.sscoop.com,OU=IS,O=Southern States Cooperative Inc,L=Richmond,ST=VA,C=US
ssl_debug(9): CN=Cybertrust SureServer Standard Validation CA,O=Cybertrust Inc
ssl_debug(9): OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group, Inc.,C=US
ssl_debug(9): CN=Certipost E-Trust Secondary Normalised CA for Legal Persons,O=Certipost s.a./n.v.,C=BE
ssl_debug(9): EMAIL=cert(a)bit-serv.de,CN=BIT-SERV GmbH Root CA,O=BIT-SERV GmbH,C=DE
ssl_debug(9): CN=SAP_elemica_tester
ssl_debug(9): CN=GeoTrust Global CA,O=GeoTrust Inc.,C=US
ssl_debug(9): OU=Class 1 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
ssl_debug(9): CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9): CN=Montova Root CA,OU=Root CA,O=Montova,C=BE
ssl_debug(9): CN=Baltimore CyberTrust Root,OU=CyberTrust,O=Baltimore,C=IE
ssl_debug(9): CN=Dell Inc. Enterprise CA,O=Dell Inc.
ssl_debug(9): CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9): EMAIL=support(a)tamgroup.com,OU=Engineering,O=Tamgroup,ST=California,L=San Anselmo,C=US,CN=Tamgroup
ssl_debug(9): CN=GlobalSign Organization Validation CA,O=GlobalSign,OU=Organization Validation CA
ssl_debug(9): CN=Certinomis AC 1 u00E9toile,OU=0002 433998903,O=Certinomis,C=FR
ssl_debug(9): CN=GlobalSign ServerSign CA,OU=ServerSign CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9): CN=QuoVadis Root CA 2,O=QuoVadis Limited,C=BM
ssl_debug(9): CN=AddTrust Class 1 CA Root,OU=AddTrust TTP Network,O=AddTrust AB,C=SE
ssl_debug(9): CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
ssl_debug(9): CN=GlobalSign Organization Validation CA,O=GlobalSign,OU=Organization Validation CA
ssl_debug(9): CN=thawte Primary Root CA,OU=(c) 2006 thawte, Inc. - For authorized use only,OU=Certification Services Division,O=thawte, Inc.,C=US
ssl_debug(9): CN=Certipost E-Trust Primary Normalised CA,O=Certipost s.a./n.v.,C=BE
ssl_debug(9): CN=Thawte DV SSL CA,OU=Domain Validated SSL,O=Thawte, Inc.,C=US
ssl_debug(9): OU=Equifax Secure Certificate Authority,O=Equifax,C=US
ssl_debug(9): CN=preprod.connect.elemica.com,OU=CONNECTED SOLUTIONS,O=Elemica,L=Wayne,ST=Pennsylvania,C=US
ssl_debug(9): CN=Certinomis - Autoritu00E9 Racine,OU=0002 433998903,O=Certinomis,C=FR
ssl_debug(9): CN=DPWN Root CA R2 PS,OU=IT Services,O=Deutsche Post World Net,DC=com
ssl_debug(9): CN=Thawte Test CA Root,OU=TEST TEST TEST,O=Thawte Certification,ST=FOR TESTING PURPOSES ONLY,C=ZA
ssl_debug(9): OU=Class 3 Public Primary Certification Authority,O=VeriSign, Inc.,C=US
ssl_debug(9): EMAIL=santiago.tolosa(a)eu.rhodia.com,CN=Rhodia Development CA,OU=ISF - WARTE,O=Rhodia,L=La Villette,ST=France,C=FR
ssl_debug(9): CN=Entrust.net Secure Server Certification Authority,OU=(c) 1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),O=Entrust.net,C=US
ssl_debug(9): CN=DigiCert High Assurance CA-3,OU=www.digicert.com,O=DigiCert Inc,C=US
ssl_debug(9): CN=Groep H. Essers TEST (99805D6DA33FCC1700010002),O=Montova,C=BE
ssl_debug(9): serialNumber=07969287,CN=Go Daddy Secure Certification Authority,OU=http://certificates.godaddy.com/repository,O=GoDaddy.com, Inc.,L=Scottsdale,ST=Arizona,C=US
ssl_debug(9): CN=VeriSign Class 3 Secure Server 1024-bit CA - G2,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): serialNumber=10688435,CN=Starfield Secure Certification Authority,OU=http://certificates.starfieldtech.com/repository,O=Starfield Technologies, Inc.,L=Scottsdale,ST=Arizona,C=US
ssl_debug(9): CN=Conextrade,OU=Swisscom IT,O=Swisscom AG,L=Zurich,ST=Zurich,C=CH,EMAIL=ccc.eTrade(a)swisscom.com
ssl_debug(9): CN=b2bproto.basf-corp.com,OU=Corporate IS,O=BASF Corporation,L=Mount Olive,ST=New Jersey,C=US
ssl_debug(9): CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE
ssl_debug(9): CN=Swisscom Root CA 1,OU=Digital Certificate Services,O=Swisscom,C=ch
ssl_debug(9): CN=GeoTrust DV SSL CA,OU=Domain Validated SSL,O=GeoTrust Inc.,C=US
ssl_debug(9): EMAIL=!sysadmin(a)elemica.com,CN=www.elemica.com,OU=Connected Solutions,O=Elemica, Inc,L=Wayne,ST=Pennsylvania,C=US
ssl_debug(9): CN=GeoTrust SSL CA,O=GeoTrust, Inc.,C=US
ssl_debug(9): CN=RapidSSL CA,O=GeoTrust, Inc.,C=US
ssl_debug(9): CN=Entrust Certification Authority - L1E,OU=(c) 2009 Entrust, Inc.,OU=www.entrust.net/rpa is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9): CN=EAS,O=COMPUDATA EDI Dienstleister,C=CH,EMAIL=helpdesk.dl(a)compudata.ch
ssl_debug(9): CN=GlobalSign Domain Validation CA,O=GlobalSign nv-sa,OU=Domain Validation CA,C=BE
ssl_debug(9): CN=GlobalSign Primary Secure Server CA,OU=Primary Secure Server CA,O=GlobalSign nv-sa,C=BE
ssl_debug(9): CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE
ssl_debug(9): CN=Entrust Root Certification Authority,OU=(c) 2006 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9): CN=Thawte SSL CA,O=Thawte, Inc.,C=US
ssl_debug(9): CN=Entrust Certification Authority - L1C,OU=(c) 2009 Entrust, Inc.,OU=www.entrust.net/rpa is incorporated by reference,O=Entrust, Inc.,C=US
ssl_debug(9): CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9): EMAIL=vladimir.polak(a)esa.ch,CN=Vladimir Polak,O=Einkaufsorganisation des Schweizerischen Auto- und Motorfahrzeuggewerbes,C=CH
ssl_debug(9): CN=IT Directions and Strategies,OU=ITDS EDI,ST=WI,C=US,L=Hartland,EMAIL=aklumpp(a)itdsllc.com,O=ITDS EDI
ssl_debug(9): CN=Entrust Certification Authority - L1B,OU=(c) 2008 Entrust, Inc.,OU=www.entrust.net/CPS is incorporated by reference,OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY,OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE,O=Entrust, Inc.,C=US
ssl_debug(9): CN=GlobalSign Organization Validation CA - G2,O=GlobalSign nv-sa,C=BE
ssl_debug(9): CN=VeriSign Class 1 Individual Subscriber CA - G3,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)09,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): CN=VeriSign Class 1 Individual Subscriber CA - G2,OU=Persona Not Validated,OU=Terms of use at https://www.verisign.com/rpa (c)05,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): CN=TeleSec ServerPass CA 1,OU=Trust Center Services,O=T-Systems International GmbH,C=DE
ssl_debug(9): CN=TC TrustCenter Class 3 L1 CA V,OU=TC TrustCenter Class 3 L1 CA,O=TC TrustCenter GmbH,C=DE
ssl_debug(9): C=NL,ST=Zuid-Holland,L=Spijkenisse,O=De Rijke Transport,OU=ICT,CN=smtphost.derijke.com
ssl_debug(9): CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at https://www.verisign.com/rpa (c)10,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): CN=Comodo Class 3 Security Services CA,OU=(c)2002 Comodo Limited,OU=Terms and Conditions of use: http://www.comodo.net/repository,OU=Comodo Trust Network,O=Comodo Limited,C=GB
ssl_debug(9): CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US
ssl_debug(9): OU=Starfield Class 2 Certification Authority,O=Starfield Technologies, Inc.,C=US
ssl_debug(9): EMAIL=ftp(a)csx.com,C=US,O=CSX Corporation Inc,CN=CSX_CORPORATION_AS2_02062009
ssl_debug(9): CN=EssentialSSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB
ssl_debug(9): CN=Network Solutions Certificate Authority,O=Network Solutions L.L.C.,C=US
ssl_debug(9): CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU=(c) 2006 VeriSign, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign, Inc.,C=US
ssl_debug(9): Received server_hello_done handshake message.
ssl_debug(9): No client certificate available, sending empty certificate message...
ssl_debug(9): Sending client_key_exchange handshake...
ssl_debug(9): Sending change_cipher_spec message...
ssl_debug(9): Sending finished message...
ssl_debug(9): Received alert message: Alert Fatal: bad certificate
ssl_debug(9): SSLException while handshaking: Peer sent alert: Alert Fatal: bad certificate
ssl_debug(9): Shutting down SSL layer...
Severity : Error
Category : /Applications/ExchangeInfrastructure/AdapterFramework/SAPLibraries/SAPXDK
Location : com.sap.aii.messaging.net.HTTPClientConnection.call(Object)
Application : sap.com/com.sap.xi.rwb
Thread : SAPEngine_Application_Thread[impl:3]_0
Datasource : 7662250:E:\usr\sap\T37\DVEBMGS00\j2ee\cluster\server0\log\defaultTrace.trc
Message ID : 00505688007A006A0000005100001B8C0004B1CF78E9602A
Source Name : com.sap.aii.messaging.net.HTTPClientConnection
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : cc6d1cee0fec11e1c90200000074eaaa
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives : /Applications/ExchangeInfrastructure/AdapterFramework/SAPLibraries/SAPXDK
Resource Bundlename :
Session : 365
Source : com.sap.aii.messaging.net.HTTPClientConnection
ThreadObject : SAPEngine_Application_Thread[impl:3]_0
Transaction :
User : CPWONG
Dsr Root Context ID :
Dsr Connection :
Dsr Counter : -1Hi ,
Is the above problem solved , can you share the solution.
Thanks -
BizTalk 2010 Send FTPS - when is my client certificate needed?
Based on this
post, it's very unclear if a certificate is needed or not (in the Client Certificate Hash). The most important quote I got out of that post is this:
"I reached out to MS BizTalk support and they asked me not to use the certificate and just use FTP over SSL without certificate. We also changed the ftp firewall mode to passive and allocate storage to no."
If FileZillaClient can connect and send a file to a customer/vendor without a local certificate, then why would BizTalk need one in an FTP SendPort?
And secondly, if it is not needed, in what circumstances would you use it on an FTP SendPort.
It's my understanding that the certificate is some certificate related to the BizTalk host account's personal store on the BizTalk machine, and not the thumbprint of the customer/vendor we are communicating with.
For BT2013 this is
MSDN's mysterious definition:
> Specify the SHA1 hash of the client certificate that must be used in
> the Secure Sockets Layer (SSL) negotiation.
>
> Based on this hash, the client certificate is picked up from the
> personal store of the user account under which the BizTalk host
> instance is running.
This statement gives no guidance as to when it is needed or desired.
This is the
other good blog on the subject, but also implied cert is needed, in contradiction to Microsoft support in early link.
Thanks,
Neal Walters
http://MyLifeIsMyMessage.netHi,
#How to use the new “FTPS adapter” with BizTalk 2010
http://blogical.se/blogs/mikael/archive/2010/09/26/how-to-use-the-new-ftps-adapter-with-biztalk-2010.aspx
And it should work with self-signed cert.Please refer to the demo:
http://blogs.msdn.com/b/biztalknotes/archive/2014/10/10/using-ftps-adapter-in-biztalk-ftp-ssl.aspx
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time. Thanks for helping make community forums a great place.
Click
HERE to participate the survey. -
Hi! I have posted some of this in the ConfigMgr 2012 forum. As indicated above, I seem to have either a group policy/autoenrollment problem getting my Configmgr 2012 OSD images of windows 8.1 to enroll for a client cert.
The imaged machines function fine when they are finished imaging, and the Configmgr 2012 client is fully functional. However the MMC-->Certs-->computer account-->personal. Shows no certs.
Physical machines have the client cert. They are both created in the same OU. If I try to manually import the cert it works just fine, however I want autoenrollment to do this.
the Autoenrollment GP's are setup and functional on the Default domain policy
I recently created a new client cert from a duplicate of the workstation cert and it installed just fine doing a GPUpdate /force on my domain joined computers.
I do not see any negative events in the eventvwr on the hyper v machines. I have built a few.
suggestions? thxFrank
Here is the result of the policies on the computer called "nooffice" a hyper- V machine created on Win 8.1 pro running hyper v as admin of the local machine.
ANDOVER\Administrator on ANDOVER\NOOFFICE Data collected on: 9/16/2014 7:56:58 PM Summary During last computer policy refresh on 9/16/2014 4:42:11 AM No Errors Detected A fast link was detected More information... During last user policy refresh on 9/16/2014
7:52:10 PM No Errors Detected A fast link was detected More information... Computer Details General Computer name ANDOVER\NOOFFICE Domain andover.com Site Default-First-Site-Name Organizational Unit andover.com/Windows 8.1 Computers Security Group Membership
show BUILTIN\Administrators Everyone BUILTIN\Users NT AUTHORITY\NETWORK NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization ANDOVER\NOOFFICE$ ANDOVER\Domain Computers Authentication authority asserted identity Mandatory Label\System Mandatory Level
Component Status Component Name Status Time Taken Last Process Time Event Log Group Policy Infrastructure Success 2 Second(s) 890 Millisecond(s) 9/16/2014 4:42:11 AM View Log Deployed Printer Connections Success 31 Millisecond(s) 9/16/2014 4:42:11 AM View
Log Group Policy Files Success 532 Millisecond(s) 9/16/2014 4:42:11 AM View Log Internet Explorer Zonemapping Success (no data) 62 Millisecond(s) 9/15/2014 9:50:28 PM View Log Registry Success 2 Second(s) 78 Millisecond(s) 9/16/2014 4:42:10 AM View Log Security
Success 1 Second(s) 187 Millisecond(s) 9/15/2014 9:50:29 PM View Log Software Installation Success 156 Millisecond(s) 9/15/2014 9:50:29 PM View Log Settings Policies Windows Settings Security Settings Account Policies/Password Policy Policy Setting Winning
GPO Enforce password history 24 passwords remembered Default Domain Policy Maximum password age 42 days Default Domain Policy Minimum password age 1 days Default Domain Policy Minimum password length 7 characters Default Domain Policy Password must meet complexity
requirements Enabled Default Domain Policy Store passwords using reversible encryption Disabled Default Domain Policy Account Policies/Account Lockout Policy Policy Setting Winning GPO Account lockout threshold 0 invalid logon attempts Default Domain Policy
Local Policies/User Rights Assignment Policy Setting Winning GPO Allow log on locally Administrators, ANDOVER\Domain Users, ANDOVER\scomadmin, ANDOVER\SQL MP Monitoring Ac, ANDOVER\sqlmon, NETWORK, NETWORK SERVICE, SERVICE, SYSTEM Default Domain Policy Local
Policies/Security Options Network Access Policy Setting Winning GPO Network access: Allow anonymous SID/Name translation Disabled Default Domain Policy Network Security Policy Setting Winning GPO Network security: Do not store LAN Manager hash value on next
password change Enabled Default Domain Policy Network security: Force logoff when logon hours expire Disabled Default Domain Policy Restricted Groups Group Members Member of Winning GPO ANDOVER\ConfigMgr12 Service Accts Administrators Default Domain Policy
System Services AdobeARMservice (Startup Mode: Disabled) Winning GPO Default Domain Policy Permissions No permissions specifiedAuditing No auditing specified Public Key Policies/Certificate Services Client - Auto-Enrollment Settings Policy Setting Winning
GPO Automatic certificate management Enabled Default Domain Policy Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates Enabled Update and manage certificates that use certificate
templates from Active Directory Enabled Public Key Policies/Automatic Certificate Request Settings Automatic Certificate Request Winning GPO Computer Default Domain Policy Domain Controller Default Domain Policy Enrollment Agent (Computer) Default Domain Policy
IPSec Default Domain Policy For additional information about individual settings, launch the Local Group Policy Object Editor. Public Key Policies/Trusted Root Certification Authorities Certificates Issued To Issued By Expiration Date Intended Purposes Winning
GPO configmgr2012r2.andover.com andover-SERVER2012A-CA 11/1/2015 5:24:38 PM Server Authentication Default Domain Policy ConfigMgr2012R2.andover.com ConfigMgr2012R2.andover.com 5/2/2014 10:37:15 PM Server Authentication Default Domain Policy dejuliaw andover-SERVER2012A-CA
7/25/2016 8:21:54 PM Code Signing SCUP Signing Certificate HYPERVDI.andover.com HYPERVDI.andover.com 4/20/2014 1:07:42 PM Server Authentication Default Domain Policy For additional information about individual settings, launch the Local Group Policy Object
Editor. Public Key Policies/Trusted Publishers Certificates Issued To Issued By Expiration Date Intended Purposes Winning GPO dejuliaw andover-SERVER2012A-CA 7/25/2016 8:21:54 PM Code Signing SCUP Signing Certificate For additional information about individual
settings, launch the Local Group Policy Object Editor. Printer Connections Path Winning GPO \\Brother\binary_p1 Default Domain Policy Administrative Templates Policy definitions (ADMX files) retrieved from the central store.Adobe Acrobat XI/Preferences/General
Policy Setting Winning GPO Disable automatic updates Enabled Default Domain Policy Display PDFs in browser Disabled Default Domain Policy Adobe Acrobat XI/Preferences/Startup Policy Setting Winning GPO Protected View (Acrobat) Enabled Default Domain Policy
ProtectedView Enable Protected View for all files Configuration Manager 2012/Configuration Manager 2012 Client Policy Setting Winning GPO Configure Configuration Manager 2012 Client Deployment Settings Enabled Default Domain Policy CCMSetup Policy Setting
Winning GPO Configure Configuration Manager 2012 Site Assignment Enabled Windows 8.1 Policy Preferences Assigned Site AND Site Assignment Retry Interval (Mins) 30 Site Assignment Retry Duration (Hours) Diskeeper 12 Policy Setting Winning GPO Event Logging
Enabled Default Domain Policy Service start and stop Enabled Defragmentation start and stop Enabled Volume information Enabled File information Enabled Directory information Enabled Paging file information Enabled MFT information Enabled Operations manager
information Enabled Policy Setting Winning GPO Volume Shadow Copy Service (VSS) Options Enabled Default Domain Policy Automatic Defragmentation VSS Options VSS defragmentation method Manual Defragmentation VSS Options VSS defragmentation method Microsoft Applications/System
Center Operations Manager (SCOM)/SCOM Client Monitoring Policy Setting Winning GPO Configure Error Notification Enabled Default Domain Policy ShowUI Enabled DoNotDebugErrors Enabled Policy Setting Winning GPO Configure Error Reporting for Windows Vista and
later operating systems Enabled Default Domain Policy Error_Listener UseSSLCertificates Error_ListenerPort UseIntegratedAuthentication Enabled Microsoft Applications/System Center Operations Manager (SCOM)/SCOM Client Monitoring for Office 10.0 Applications
Policy Setting Winning GPO Configure Error Notification Enabled Default Domain Policy ShowUI Enabled Microsoft Applications/System Center Operations Manager (SCOM)/SCOM Client Monitoring for Windows Media Player Policy Setting Winning GPO Configure Error Notification
Enabled Default Domain Policy ShowUI Enabled Microsoft Applications/System Center Operations Manager (SCOM)/SCOM Client Monitoring/Advanced Error Reporting settings Policy Setting Winning GPO Application reporting settings (all or none) Enabled Default Domain
Policy Report all application errors Enabled Report all errors in Microsoft applications. Enabled Report all errors in Windows components. Enabled Policy Setting Winning GPO Report operating system errors Enabled Default Domain Policy Report operating system
errors Enabled Policy Setting Winning GPO Report unplanned shutdown events Enabled Default Domain Policy Report unplanned shutdown events Enabled Network/Background Intelligent Transfer Service (BITS) Policy Setting Winning GPO Limit the maximum network bandwidth
for BITS background transfers Disabled Default Domain Policy Printers Policy Setting Winning GPO Isolate print drivers from applications Enabled Default Domain Policy System Policy Setting Winning GPO Specify settings for optional component installation and
component repair Enabled Default Domain Policy Alternate source file path Never attempt to download payload from Windows Update Disabled Contact Windows Update directly to download repair content instead of Windows Server Update Services (WSUS) Enabled System/Internet
Communication Management/Internet Communication settings Policy Setting Winning GPO Turn off Windows Error Reporting Disabled Default Domain Policy System/Remote Assistance Policy Setting Winning GPO Configure Offer Remote Assistance Enabled Local Group Policy
Permit remote control of this computer: Allow helpers to remotely control the computer Helpers: ANDOVER\Administrator ANDOVER\dejuliaw System/Windows Time Service/Time Providers Policy Setting Winning GPO Enable Windows NTP Server Enabled Default Domain Policy
Windows Components/EMET Policy Setting Winning GPO Default Protections for Internet Explorer Enabled EMET 5 Included products and mitigations: - Microsoft Internet Explorer - all mitigations Policy Setting Winning GPO Default Protections for Recommended Software
Enabled EMET 5 Included products and mitigations: - WordPad - all mitigations - Microsoft Office - all mitigations - Adobe Acrobat - all mitigations except MemProt - Adobe Acrobat Reader - all mitigations except MemProt - Oracle Java - all mitigations except
HeapSpray Policy Setting Winning GPO EMET Agent Visibility Enabled EMET 5 Start Agent Hidden: Enabled Policy Setting Winning GPO Reporting Enabled EMET 5 Event Log: Enabled Tray Icon: Enabled Early Warning: Enabled Windows Components/Internet Explorer Policy
Setting Winning GPO Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar Enabled Default Domain Policy Install new versions of Internet Explorer automatically Enabled Default Domain Policy Let users turn on and use
Enterprise Mode from the Tools menu Enabled Default Domain Policy Type the location (URL) of where to receive reports about the websites for which users turn on and use Enterprise Mode http://server2012a:8000/reportieem.asp Policy Setting Winning GPO Turn
on menu bar by default Enabled Default Domain Policy Turn on Suggested Sites Enabled Default Domain Policy Use the Enterprise Mode IE website list Enabled Default Domain Policy Type the location (URL) of your Enterprise Mode IE website list http://server2012a:8000/ieem.xml
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page Policy Setting Winning GPO Allow Internet Explorer to use the SPDY/3 network protocol Enabled Default Domain Policy Empty Temporary Internet Files folder when browser is closed Enabled
Default Domain Policy Turn off loading websites and content in the background to optimize performance Disabled Default Domain Policy Windows Components/Internet Explorer/Internet Control Panel/Security Page Policy Setting Winning GPO Site to Zone Assignment
List Enabled Default Domain Policy Enter the zone assignments here. Source GPO https://configmgr2012r2.andover.com 1 Default Domain Policy https://hypervdi.andover.com 1 Default Domain Policy http://webaccess.sullcrom.com 2 Default Domain Policy Windows Components/Internet
Explorer/Internet Settings/Advanced settings/Browsing Policy Setting Winning GPO Turn off phone number detection Disabled Default Domain Policy Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections Policy Setting Winning GPO Allow
users to connect remotely by using Remote Desktop Services Enabled Local Group Policy Windows Components/Remote Desktop Services/Remote Desktop Session Host/Licensing Policy Setting Winning GPO Set the Remote Desktop licensing mode Enabled Default Domain Policy
Specify the licensing mode for the RD Session Host server. Per User Policy Setting Winning GPO Use the specified Remote Desktop license servers Enabled Default Domain Policy License servers to use: hypervdi.andover.com Separate license server names with commas.
Example: Server1,Server2.example.com,192.168.1.1 Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security Policy Setting Winning GPO Require user authentication for remote connections by using Network Level Authentication Disabled Local
Group Policy Windows Components/Windows Customer Experience Improvement Program Policy Setting Winning GPO Allow Corporate redirection of Customer Experience Improvement uploads Enabled Default Domain Policy Corporate SQM URL: http://SCOM2012.andover.com:51907/
Windows Components/Windows Error Reporting Policy Setting Winning GPO Automatically send memory dumps for OS-generated error reports Enabled Default Domain Policy Configure Error Reporting Enabled Default Domain Policy Do not display links to any Microsoft
provided 'more information' web sites. Disabled Do not collect additional files Disabled Do not collect additional machine data Disabled Force queue mode for application errors Disabled Corporate upload file path: Replace instances of the word 'Microsoft'
with: Policy Setting Winning GPO Disable Windows Error Reporting Disabled Default Domain Policy Display Error Notification Enabled Default Domain Policy Windows Components/Windows Error Reporting/Advanced Error Reporting Settings Policy Setting Winning GPO
Default application reporting settings Enabled Default Domain Policy Default: Report all application errors Report all errors in Microsoft applications. Enabled Report all errors in Windows components. Enabled Policy Setting Winning GPO Report operating system
errors Enabled Default Domain Policy Report unplanned shutdown events Enabled Default Domain Policy Windows Components/Windows PowerShell Policy Setting Winning GPO Turn on Script Execution Enabled Default Domain Policy Execution Policy Allow local scripts
and remote signed scripts Windows Components/Windows Update Policy Setting Winning GPO Allow signed updates from an intranet Microsoft update service location Enabled WSUS Specify intranet Microsoft update service location Enabled Local Group Policy Set the
intranet update service for detecting updates: http://ConfigMgr2012R2.andover.com:8530 Set the intranet statistics server: http://ConfigMgr2012R2.andover.com:8530 (example: http://IntranetUpd01) Extra Registry Settings Display names for some settings cannot
be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management. Setting State Winning GPO Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\AuthFlags 2 Default Domain
Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Cost 2147483645 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Flags 20 Default Domain
Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\FriendlyName Active Directory Enrollment Policy Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\PolicyID
{6AF312CA-551D-477C-8931-C2217574F832} Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\URL LDAP: Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\Flags 0 Default
Domain Policy Software\Policies\Microsoft\Microsoft Antimalware\DisableLocalAdminMerge 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.000 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.001
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.002 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.cab 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.cfg
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.chk 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.ci 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.config
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.dia 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.dsc 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.edb
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.grxml 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.iso 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Extensions\.jrs 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.jsl 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.ldf 0 Local Group Policy
Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.log 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.lzx 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.mdf
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.ost 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.pst 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.que
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.txt 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.wid 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.wim
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Extensions\.wsb 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%ALLUSERSPROFILE%\NTuser.pol 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Paths\%appdata%\NirSoft Utilities 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%APPDATA%\Sysinternals Suite\ 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%SystemRoot%\System32\GroupPolicy\Machine\registry.pol
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%SystemRoot%\System32\GroupPolicy\User\registry.pol 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\ccmcache 0 Local Group
Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.chk 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Paths\%windir%\Security\Database\*.jrs 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.log 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\Security\Database\*.sdb
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Datastore.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Edb.chk
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Res*.jrs 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Res*.log
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\%windir%\SoftwareDistribution\Datastore\Logs\Tmp.edb 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Paths\C:\Users\administrator.ANDOVER\AppData\Roaming\NirSoft
Utilities 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Cdb.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Cidaemon.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Processes\Clussvc.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Dsamain.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\EdgeCredentialSvc.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\EdgeTransport.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ExFBA.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Processes\hostcontrollerservice.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Inetinfo.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.AntispamUpdateSvc.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.ContentFilter.Wrapper.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Diagnostics.Service.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Directory.TopologyService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.EdgeSyncSvc.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Imap4.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Imap4service.exe 0 Local
Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Monitoring.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Pop3.exe 0 Local Group Policy
Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Pop3service.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.ProtectedServiceHost.exe 0 Local Group
Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.RPCClientAccess.Service.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Search.Service.exe 0
Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Servicehost.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Store.Service.exe 0
Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.Store.Worker.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.TransportSyncManagerSvc.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Microsoft.Exchange.UM.CallRouter.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeDagMgmt.exe 0 Local Group
Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeDelivery.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeFrontendTransport.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Processes\MSExchangeHMHost.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeHMWorker.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeLESearchWorker.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMailboxAssistants.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMailboxReplication.exe 0 Local
Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeMigrationWorkflow.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeRepl.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Processes\MSExchangeSubmission.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeThrottling.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeTransport.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\MSExchangeTransportLogSearch.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Msftefd.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Processes\Msftesql.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\OleConverter.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\Powershell.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ScanEngineTest.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\ScanningProcess.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Exclusions\Processes\TranscodingService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UmService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UmWorkerProcess.exe
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\UpdateService.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Exclusions\Processes\W3wp.exe 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Quarantine\LocalSettingOverridePurgeItemsAfterDelay 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Quarantine\PurgeItemsAfterDelay 30 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\RandomizeScheduleTaskTimes
1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableBehaviorMonitoring 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIntrusionPreventionSystem 0 Local Group
Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableIOAVProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableOnAccessProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Real-Time Protection\DisableRealtimeMonitoring 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\DisableScriptScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableBehaviorMonitoring
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableIntrusionPreventionSystem 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableIOAVProtection
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableOnAccessProtection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableRealTimeMonitoring
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideDisableScriptScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\LocalSettingOverrideRealTimeScanDirection
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Real-Time Protection\RealTimeScanDirection 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\AvgCPULoadFactor 50 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Scan\CheckForSignaturesBeforeRunningScan 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableArchiveScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableCatchupFullScan 0 Local
Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableCatchupQuickScan 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableEmailScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableHeuristics
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableRemovableDriveScanning 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableReparsePointScanning 1 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Scan\DisableRestorePoint 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableScanningMappedNetworkDrivesForFullScan 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\DisableScanningNetworkFiles
1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideAvgCPULoadFactor 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScanParameters 0 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Scan\LocalSettingOverrideScheduleDay 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScheduleQuickScanTime 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\LocalSettingOverrideScheduleTime
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScanOnlyIfIdle 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScanParameters 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleDay
2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleQuickScanTime 421 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Scan\ScheduleTime 240 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature
Updates\AuGracePeriod 480 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\DefinitionUpdateFileSharesSources Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\FallbackOrder InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC
Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleDay 8 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\ScheduleTime 120 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Signature Updates\SignatureUpdateCatchupInterval 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Signature Updates\SignatureUpdateInterval 4 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\SpyNet\LocalSettingOverrideSpyNetReporting
0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\SpyNet\SpyNetReporting 1 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\1 6 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\Threats\ThreatSeverityDefaultAction\2 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\4 2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\Threats\ThreatSeverityDefaultAction\5
2 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\DisablePrivacyMode 0 Local Group Policy Software\Policies\Microsoft\Microsoft Antimalware\UX Configuration\Notification_Suppress 1 Local Group Policy Software\Policies\Microsoft\Microsoft
Antimalware\UX Configuration\UILockdown 0 Local Group Policy Software\Policies\Microsoft\System Center\Health Service\Runtime CLR Version v4.0.30319 Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Runtime Use Concurrent GC 0
Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Runtime Use Workstation GC 1 Default Domain Policy Software\Policies\Microsoft\System Center\Health Service\Worker Process Logon Type 2 Default Domain Policy Preferences Windows
Settings Files File (Target Path: c:\windows\safesenders.txt) The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.safesenders.txt Winning GPO
Office 2013 Result: SuccessGeneral Action Update PropertiesSource file(s) \\SERVER2012A\safesender\safesenders.txt Destination file c:\windows\safesenders.txt Suppress errors on individual file actions Disabled AttributesRead-only Disabled Hidden Disabled
Archive Enabled Group Policy Objects Applied GPOs Default Domain Policy [{31B2F340-016D-11D2-945F-00C04FB984F9}] Link Location andover.com Extensions Configured Software Installation {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Deployed Printer Connections Security
Internet Explorer Zonemapping Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (154), SYSVOL (154) WMI Filter EMET 5 [{2C4287A2-7E57-4CEE-AEAC-436E25628F31}] Link Location andover.com Extensions Configured Registry
Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (4), SYSVOL (4) WMI Filter Local Group Policy [LocalGPO] Link Location Local Extensions Configured Registry Enforced No Disabled None Security Filters Revision AD (14),
SYSVOL (14) WMI Filter Office 2013 [{4E3C0D91-646B-4DF7-A9F1-B15B45B3334A}] Link Location andover.com Extensions Configured Group Policy Files Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision
AD (54), SYSVOL (54) WMI Filter SCUP Signing Certificate [{B8EC6602-BC25-4A62-8F13-D225E5AAB46D}] Link Location andover.com Extensions Configured {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
Users Revision AD (4), SYSVOL (4) WMI Filter Windows 8.1 Policy Preferences [{3F103DE1-A223-48FA-84B2-5584A129CC7E}] Link Location andover.com/Windows 8.1 Computers Extensions Configured Software Installation Registry Enforced No Disabled None Security Filters
NT AUTHORITY\Authenticated Users Revision AD (41), SYSVOL (41) WMI Filter Windows 8.1 WMI Filter WSUS [{90680992-AACB-487B-B5CD-6E936F4A3C6F}] Link Location andover.com Extensions Configured Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
Users Revision AD (2), SYSVOL (2) WMI Filter Denied GPOs WMI Filters Name Value Reference GPO(s) Windows 8.1 WMI Filter True Windows 8.1 Policy Preferences User Details General User name ANDOVER\Administrator Domain andover.com Security Group Membership show
ANDOVER\Domain Users Everyone NOOFFICE\ConfigMgr Remote Control Users BUILTIN\Users BUILTIN\Administrators NT AUTHORITY\INTERACTIVE CONSOLE LOGON NT AUTHORITY\Authenticated Users NT AUTHORITY\This Organization LOCAL ANDOVER\Group Policy Creator Owners ANDOVER\Mobile
Enrollment ANDOVER\Mac Enrollment ANDOVER\Domain Admins ANDOVER\SCVMMAdmins ANDOVER\CSAdministrator ANDOVER\RTCUniversalServerAdmins ANDOVER\RTCUniversalGlobalReadOnlyGroup ANDOVER\Enterprise Admins ANDOVER\RTCUniversalGlobalWriteGroup ANDOVER\Organization
Management ANDOVER\Schema Admins ANDOVER\RTCUniversalServerReadOnlyGroup ANDOVER\RTCUniversalUserReadOnlyGroup ANDOVER\CSServerAdministrator Authentication authority asserted identity ANDOVER\ConfigMgr Remote Control Users ANDOVER\Denied RODC Password Replication
Group Mandatory Label\High Mandatory Level Component Status Component Name Status Time Taken Last Process Time Event Log Group Policy Infrastructure Success 16 Second(s) 892 Millisecond(s) 9/16/2014 7:52:10 PM View Log Group Policy Registry Success 140 Millisecond(s)
9/15/2014 9:50:32 PM View Log Group Policy Shortcuts Success 500 Millisecond(s) 9/15/2014 9:50:32 PM View Log Registry Success 281 Millisecond(s) 9/15/2014 9:50:31 PM View Log Settings Policies Windows Settings Security Settings Public Key Policies/Certificate
Services Client - Auto-Enrollment Settings Policy Setting Winning GPO Automatic certificate management Enabled Default Domain Policy Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked
certificates Enabled Update and manage certificates that use certificate templates from Active Directory Enabled Log expiry events, and, for user policy, only show expiry notifications when the percentage of remaining certificate lifetime is 10% Default Domain
Policy Additional stores to log expiry events Default Domain Policy Display user notifications for expiring certificates in user and computer MY store Disabled Default Domain Policy Administrative Templates Policy definitions (ADMX files) retrieved from the
central store.Microsoft Outlook 2013/Outlook Options/Preferences/Junk E-mail Policy Setting Winning GPO Specify path to Blocked Senders list Enabled Office 2013 Specify full path and filename to Blocked Senders list \\SERVER2012A\safesender\blockedsender.txt
Policy Setting Winning GPO Specify path to Safe Recipients list Enabled Office 2013 Specify full path and filename to Safe Recipients list \\server2012a\safesender\safesenders.txt Policy Setting Winning GPO Specify path to Safe Senders list Enabled Office
2013 Specify full path and filename to Safe Senders list \\server2012a\safesender\safesenders.txt Policy Setting Winning GPO Trigger to apply junk email list settings Enabled Office 2013 Microsoft Word 2013/Word Options/Customize Ribbon Policy Setting Winning
GPO Display Developer tab in the Ribbon Enabled Office 2013 Microsoft Word 2013/Word Options/Save Policy Setting Winning GPO Save AutoRecover info Enabled Office 2013 Save AutoRecover info every (minutes) 3 Start Menu and Taskbar Policy Setting Winning GPO
Go to the desktop instead of Start when signing in or when all the apps on a screen are closed Enabled Default Domain Policy Windows Components/EMET Policy Setting Winning GPO Default Protections for Internet Explorer Enabled EMET 5 Included products and mitigations:
- Microsoft Internet Explorer - all mitigations Policy Setting Winning GPO Default Protections for Recommended Software Enabled EMET 5 Included products and mitigations: - WordPad - all mitigations - Microsoft Office - all mitigations - Adobe Acrobat - all
mitigations except MemProt - Adobe Acrobat Reader - all mitigations except MemProt - Oracle Java - all mitigations except HeapSpray Windows Components/Windows Error Reporting Policy Setting Winning GPO Automatically send memory dumps for OS-generated error
reports Enabled Default Domain Policy Disable Windows Error Reporting Disabled Default Domain Policy Do not send additional data Disabled Default Domain Policy Windows Components/Windows Error Reporting/Advanced Error Reporting Settings Policy Setting Winning
GPO Configure Report Archive Enabled Default Domain Policy Archive behavior: Store parameters only Maximum number of reports to store: 500 Windows Components/Windows Error Reporting/Consent Policy Setting Winning GPO Configure Default consent Enabled Default
Domain Policy Consent level Send all data Windows Components/Windows PowerShell Policy Setting Winning GPO Turn on Script Execution Enabled Default Domain Policy Execution Policy Allow local scripts and remote signed scripts Extra Registry Settings Display
names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management. Setting State Winning GPO Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\AuthFlags
2 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Cost 2147483645 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Flags
20 Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\FriendlyName Active Directory Enrollment Policy Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\PolicyID
{6AF312CA-551D-477C-8931-C2217574F832} Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\URL LDAP: Default Domain Policy Software\Policies\Microsoft\Cryptography\PolicyServers\Flags 0 Default
Domain Policy Preferences Windows Settings Shortcuts Shortcut (Path: C:\Users\administrator\Desktop\Remote Desktop.url) The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings
when resolving conflicts.Remote Desktop Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut path C:\Users\administrator\Desktop\Remote Desktop.url Target URL https://hypervdi.andover.com/RDWeb/Pages/en-US/Default.aspx
Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 150 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Application Catalog.url) The following settings have applied to this object. Within this category, settings nearest
the top of the report are the prevailing settings when resolving conflicts.Application Catalog Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut path C:\Users\administrator\Desktop\Application Catalog.url
Target URL https://configmgr2012r2.andover.com/cmapplicationcatalog/ Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 135 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Report Server.url) The following settings have
applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.Report Server Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget type URL Shortcut
path C:\Users\administrator\Desktop\Report Server.url Target URL http://configmgr2012r2/Reportserver Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 165 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\SCOM Reports.url)
The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.SCOM Reports Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget
type URL Shortcut path C:\Users\administrator\Desktop\SCOM Reports.url Target URL http://scom2012/reportserver Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 44 Shortcut key None Run Normal window Shortcut (Path: C:\Users\administrator\Desktop\Reporting.url)
The following settings have applied to this object. Within this category, settings nearest the top of the report are the prevailing settings when resolving conflicts.Reporting Winning GPO Default Domain Policy Result: SuccessGeneral Action Replace AttributesTarget
type URL Shortcut path C:\Users\administrator\Desktop\Reporting.url Target URL http://configmgr2012r2/Reports/Pages/Folder.aspx Icon path C:\WINDOWS\system32\SHELL32.dll Icon index 165 Shortcut key None Run Normal window Group Policy Objects Applied GPOs Default
Domain Policy [{31B2F340-016D-11D2-945F-00C04FB984F9}] Link Location andover.com Extensions Configured Group Policy Shortcuts {B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A} Registry Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated
Users Revision AD (102), SYSVOL (102) WMI Filter EMET 5 [{2C4287A2-7E57-4CEE-AEAC-436E25628F31}] Link Location andover.com Extensions Configured Registry Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision AD (2), SYSVOL (2)
WMI Filter Office 2013 [{4E3C0D91-646B-4DF7-A9F1-B15B45B3334A}] Link Location andover.com Extensions Configured Group Policy Registry Registry Group Policy Infrastructure Enforced No Disabled None Security Filters NT AUTHORITY\Authenticated Users Revision
AD (55), SYSVOL (55) WMI Filter Denied GPOs Java Files [{906C2069-E35E-4DAD-8A06-E234C1F5072E}] Link Location andover.com Extensions Configured {7150F9BF-48AD-4DA4-A49C-29EF4A8369BA} Group Policy Infrastructure Enforced No Disabled None Security Filters NT
AUTHORITY\Authenticated Users Revision AD (98), SYSVOL (98) WMI Filter Windows 7 WMI Filter Reason Denied False WMI Filter Local Group Policy [LocalGPO] Link Location Local Extensions Configured Enforced No Disabled None Security Filters Revision AD (0), SYSVOL
(0) WMI Filter Reason Denied Empty WMI Filters Name Value Reference GPO(s) Windows 7 WMI Filter False Java Files -
Mac Client Certificate not found
Hey all, i'm trying to install the ConfigMgr client on a mac system. The site is 2012 SP1 RTM however since there is no release yet of the mac client i'm using the mac client install from the SP1 beta install folder (Suggested by Microsoft)
I followed the instructions on how to install clients on mac computer from technet. Everything from the install and the enrollment seems to complete fine no errors. After the enrollment when I open System Preferences > Configuration Manager it says "Certificate
not found" If i check the ccmclient log file on the mac it shows the following errors
Failed to Parse MgmtAuthority ServerList
Failed to get server list
Failed to GetProperty Mode from Configuration Provider : 80070490
Requested certificates not available in store
Certificate not found in store. Bailing out!
Failed to validate certificate
The certificate shows up under system in the keychain, the only strange thing is it shows for name the user who enrolled in the certificate. I figured it should have showed the system name. The root ca is also there. Any help would be appreciated, thanksOkay so figured this out, and i'll post in case this happens to someone else. The certificate will always show under the keychain with a name of whoever the user was that did the enrollment. So if you used Joe Smith, then the certificate will be called
Joe Smith. In my case the account I used to enroll had a active directory display name of two words such as "Joe Smith" Because of this space in between, configuration manager client kept listing the certificate as "Joe". I was then realized that indeed just
like the error said the certificate could not be found because its looking for Joe and the the certificate says Joe Smith. The fix was instead do the enrollment with a normal account with no spacing in the name. This may be a bug or Microsoft may not recommend
creating AD accounts with display names with spaces.
Maybe you are looking for
-
Hi, I VPN to outside don't work. Please help.
-
Looking for a printer to print from iPad. I like canon. I have iOS 5.0.1
Looking for a printer to print from IPad. I like canon. I have iOS 5.0.1. What are people using.
-
RE: Fix for downloading audiobooks to iTunes issues IOS.7.4
Okay, so I've downloaded Audiobooks from Overdrive Media for years...right into iTunes with no issues. Until this week, right after I updated to IOS.7.4. Immediately after the update, I downloaded a couple of audiobooks, and noticed that they did n
-
How do I find and erase any spy software uploaded on to my iphone 4?
How do I find and erase any spy software that has been uploaded on to my iphone 4 without my knowledge ?
-
New Autofill feature question....
If I have login info for different sites I visit on my iphone will the autofill feature work for those? I can't seem to get it to work. Please advise. Thanks!