Dspublish -f or GPO for trusted root certification?

Hi,
 I've currently configured a GPO and applied it to several of my main OUs using "\Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities" with the root CA cert.
I believe I can get my domain clients to accept the root CA by using dspublish instead (which may be better as my domain has a lot of blocked inheritance OUs). I can run the commands below to achieve this:
certutil -f -dspublish <Root CA Cert.cer> RootCA
certutil -f -dspublish <Root CA CRL.crl> SubCA
What I'm not sure about is why I would want one method over the other? If I was to use both (as I've already applied a GPO), could it cause any issues?

With the GPO method, you can make the CA trusted granularly for specific sets of computers depending on their OU location. You may also enforce the GPO, which will pass even through blocked GPO inheritance.
You can apply GPOs to either domain level, or to any lower OU level. If you operate only a single domain, this is enough.
You cannot apply GPOs to the whole forest, although you could apply GPOs to AD sites. But this might not always be so easy due to some firewall constraints.
When you publish the certificates into AD, you publish them into the Configuration partition. This is a forest-wide partition, so the certificates will be trusted on all computers from the whole forest automatically.
Also, if you want to make an ISSUING CA to be trusted as NTAuth certification authority, the only option is to do it through AD. I do not think there is a way to achieve NTAuth with GPO, although I might be mistaken - you could probably make do with Preferences - Registry, but I didn't try it myself yet.
NTAuth issuing CAs are those which can issue DC certificates and user logon certificates (smart card logon OID, client authentication OID). Note that NTAuth trust is meant for ISSUING CAs and not for ROOT CAs, so if you are concerned only about root CA here, do not bother with the NTAuth thing.
ondrej.
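
To see which of the two distribution paths discussed above is actually making a root CA trusted on a given client, the following added example (not part of the original thread) checks the registry locations behind the Group Policy and AD-published (enterprise) stores, then looks for the same certificate in the forest-wide Configuration partition. The script file name and the `-Thumbprint` parameter are hypothetical; supply the SHA-1 thumbprint of your own root CA certificate.

```powershell
# Added example, not code from the thread. Run on a domain-joined Windows client.
# Usage (hypothetical file name):
#   .\Find-RootCaSource.ps1 -Thumbprint <SHA-1 thumbprint of the root CA cert>
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Normalise "ab cd ef ..." as copied from the certificate dialog to "ABCDEF...".
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()
if ($Thumbprint -notmatch '^[0-9A-F]{40}$') {
    throw 'Thumbprint must be 40 hexadecimal characters (SHA-1).'
}

# Return the thumbprints of all certificates held in an AD object's
# cACertificate attribute.
function Get-CaCertThumbprint($Entry) {
    foreach ($raw in $Entry.psbase.Properties['cACertificate']) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList (, [byte[]]$raw)
        $cert.Thumbprint
    }
}

# Physical stores that feed the aggregated "Trusted Root Certification
# Authorities" view, plus the NTAuth store mentioned in the answer.
$stores = [ordered]@{
    'Group Policy (GPO)'           = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise (AD, -dspublish)'  = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    'Local machine (manual import)' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
    'NTAuth (AD, issuing CAs)'     = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'
}

$report = foreach ($entry in $stores.GetEnumerator()) {
    [pscustomobject]@{
        Source  = $entry.Key
        Present = Test-Path -LiteralPath (Join-Path $entry.Value $Thumbprint)
    }
}
$report | Format-Table -AutoSize

# Forest-wide copy: objects under CN=Public Key Services in the Configuration
# partition. "certutil -dspublish <cert> RootCA" writes to the
# Certification Authorities container; NTAuthCertificates is a single object.
try {
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $pks = "CN=Public Key Services,CN=Services,$configNC"

    $rootContainer = [ADSI]"LDAP://CN=Certification Authorities,$pks"
    foreach ($ca in $rootContainer.psbase.Children) {
        if ((Get-CaCertThumbprint $ca) -contains $Thumbprint) {
            Write-Output "AD: published as root CA in $($ca.psbase.Path)"
        }
    }

    $ntAuth = [ADSI]"LDAP://CN=NTAuthCertificates,$pks"
    if ((Get-CaCertThumbprint $ntAuth) -contains $Thumbprint) {
        Write-Output "AD: present in NTAuthCertificates"
    }
}
catch {
    Write-Warning "Could not query the Configuration partition: $($_.Exception.Message)"
}

# A certificate found under more than one source stays trusted until it has
# been removed from every one of them, so record all hits before retiring a CA.
```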

Similar Messages

  • Install Trusted Root Certification certificate using ZCM

    Trying to figure out how to install into Trusted Root Certification Authorities a certificate for a local server. We have several that we created local certificates and want to prevent the users from getting the error message or having to do the steps to import.
    Has anyone accomplished this? It's very possible I am just way overthinking it, so feel free to whack me in the head if so...
    Matt

    Use Microsofts CertMgr.exe from a bundle.
    On 1/20/2014 4:56 PM, medust wrote:
    >
    > Trying to figure out how to install into Trusted Root Certification
    > Authorities a certificate for a local server. We have several that we
    > created local certificates and want to prevent the users from getting the
    > error message or having to do the steps to import.
    >
    > Has anyone accomplished this? It's very possible I am just way
    > overthinking it, so feel free to whack me in the head if so...
    >
    >
    > Matt
    >
    >

  • Trusted root certification authority.

    Hello,
    I notice with every server and client machine in our organisation that somehow 2 root certificates (purpose: All) are getting added automatically.
    These root certificates are already expired and not related to our current enterprise CA server.
    I checked RSOP.html on client machine and/or GPOs on DC, but could not figure out the source.
    Any help greatly appreciated.
    Thanks.

    Hi,
    You are welcome.
    You may enable CAPI2 log to monitor certificate store operations, which is under Applications and Services Logs\Microsoft\Windows\CAPI.
    After you enable CAPI2 log, delete those 2 root certificates, wait to see whether they will be added again. If they do, check CAPI2 log to find detailed information.
    More information for you:
    Enable CAPI2 event logging to troubleshoot PKI and SSL Certificate Issues
    http://blogs.msdn.com/b/benjaminperkins/archive/2013/10/01/enable-capi2-event-logging-to-troubleshoot-pki-and-ssl-certificate-issues.aspx
    Best Regards,
    Amy

  • No "Allow users to select new root certification authorities (CAs) to trust" option in GPO

    Hello,
    We have a Windows 2008 R2 standard server, which is the domain controller
    I copied a policy and wanted to clear unneeded properties in that newly copied policy. There are a few properties below "Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities" that are shown in Group Policy Object Settings, but not in GP Editor! Maybe it is a property coming from our old 2003 domain controller, as I saw in a TechNet page that those properties were available in 2003 Active Directory policies.
    How can I remove those properties from the policy?
    Thanks, Dominic

    Hi Dominic,
    Based on your description, we can check the scenario 1 and scenario 2 described in the following hotfix, and we can install the hotfix if one of these two scenarios represents our situation.
    The "Trusted Root Certification Authorities" setting cannot be removed from a GPO in Windows 7 or Windows Server 2008 R2
    http://support.microsoft.com/kb/2842986/en-us
    Hope it helps.
    Best regards,
    Frank Shen

  • A question about the "Third-Party Root Certification Authorities" X509 store

    Hello All
    Can someone please help me with the following question.
    Reading some MS documentation, I see MS have a program called "Microsoft Root Certification Program" whereby if a third party, ACME for example, creates a Root CA and it passes this program, then MS will add the CA cert to Windows Update for downloading to the clients' "Third-Party Root Certification Authorities" X509 store. Correct so far?
    If so, when a client is building a certificate chain for a cert, I understand it first checks its local store for relevant certificates (e.g. Trusted Root Certification Authorities etc.), then if not there checks the AIA extension to locate the cert.
    Question: does the client (e.g. clients using CAPI/CAPI2) also check the "Third-Party Root Certification Authorities" X509 store, or do the certs in this logical store also reside in (get copied to) the "Third-Party Root Certification Authorities" X509 store? In other words, are these store names in the GUI just logical partitions for human viewing but actually reside in the same location in the registry and are therefore checked by the client?
    Thanks All
    AAnotherUser__

    > does the client (e.g. clients using CAPI/CAPI2) also check the "Third-Party Root Certification Authorities" X509 store or do the Certs in this logical store also reside (get copied to) the "Third-Party Root Certification Authorities" X509 store
    Yes. Trusted Root CAs container is an aggregated container for all trusted root CAs (for natively trusted CAs and for Root Certification Program members).
    Vadims Podāns, aka PowerShell CryptoGuy

  • Default certificate policies for DoD Root CA 2?

    I received a PDF signed with a valid certificate issued under the chain DoD Root CA 2 > DOD CA-27. The signing cert was a soft-cert with certificate policies 2.16.840.1.101.2.1.11.5 (medium assurance) and 2.16.840.1.101.2.1.11.18 (medium 2048 assurance). The signature failed to validate ("The selected certificate path has errors: Invalid policy constraint") and it looks like the root cause is that Reader XI ships with 3 certificate policies (2.16.840.1.101.2.1.11.4, 2.16.840.1.101.2.1.11.9, and 2.16.840.1.101.2.1.11.19) defined for DoD Root CA 2 that don't include either of the policies in the signing cert.
    It's possible to modify the policies for DoD Root CA 2 so that the signing cert is accepted, but it's a pain to explain to users and doesn't promote confidence in the signature.
    Is there a better way to resolve this problem?
    Who sets the default certificate policies and why would they not match the actual DoD PKI issuance policies?

    Certificate policies are specified in trusted identity along with trust. Some certificate authorities contract with Adobe to include their trusted root certificates in Adobe-sponsored list, which Acrobat/Reader may periodically download and update from Adobe server. Each certificate authority specifies which certificate policies to include in their certificates. So in the case of "DoD Root CA 2" it is DoD that sets certificate policies for their certificates and specifies Policy Restrictions in this trusted root identity when it is included in the Adobe-sponsored list.
    As to why DoD issues signing certificates with policies other than those defined in "DoD Root CA 2" trusted root included in the Adobe-distributed list, I can only speculate that perhaps DoD has some internal mechanism of distributing trust lists, like GPO-controlled, and that the ones that they distribute internally may indeed have certificate policies in the signer certificate in the PDF that you received. The goal here is to restrict which document recipient may get a valid signature.
    Of course, one can go to Acrobat UI and change the Policy Restrictions, but this requires some work and knowledge how to do that.
    Some organizations distribute internally different trust lists to different divisions, so that only signatures with Policy Restrictions specified for a specific division get validated as Valid out-of-the-box, but not when the same signature is validated in a different division. Adobe-distributed trust list contains only Policy Restrictions applicable to everybody.

  • Push windows trusted root certificate to adobe trusted store/certificate

    Hi,
    Can we push windows trusted root certificate to adobe trusted store/certificate ?
    Regards,
    Nitin Harikant

    I have tried something similar by trying to import the Windows Cert Store into Adobe, but I never did have it work. I just recently found the option in XI for Adobe to look at the Windows store itself.
    XI: Edit > Preferences > Signature > (Verification) More... > (Windows Integration) Check Validating Signatures, Check validating Certified Documents
    It should happen right away; although I will note I am having issues with this working for Non-Admins on a Terminal Server. Might be a privilege issue.
    If you want to set via GPO:
    Key Path: Software\Adobe\Adobe Acrobat\11.0\Security\cASPKI\cMSCAPI_DirectoryProvider
    Value Name: iMSStoreTrusted
    Value Type: Reg_DWORD
    Value Data: 62, or 60 (Hex)

  • Why do other browsers ( IE, Chrome, Opera,Safari) list StartCom Class 2 Primary Intermediate Server CA as a Trusted Intermediate Certification Authority but Firefox doesn't?

    We are setting up registrations for a paid event and have bought an SSL certificate for our site. Everything works fine when the registration page is accessed through IE, Chrome, Opera or Safari (which list StartCom Class 2 Primary Intermediate Server CA as a Trusted Intermediate Certification Authority), but when I click on that link in Firefox I get the "This Connection is Untrusted" page because only StartCom Class 1 is listed as trusted.
    Why is that?

    It is always the responsibility of a website to send the complete certificate chain.
    You can check the certificate chain of breastfeedingconference.asn.au and see that the server doesn't send the intermediate certificate.
    * http://www.networking4all.com/en/support/tools/site+check/

  • Why are the Equifax Trusted Roots not included in the latest release?

    The Equifax Trusted Roots that were included in Yosemite 10.10.2 are missing from Yosemite 10.10.3.  These are still valid trusted roots for GeoTrust and need to be included.  Why were they removed?

    I'm afraid that I distracted you with my background mention of hierarchical keywords; I'm not asking about them.
    I've entered keywords for several years of using Lightroom.  Suddenly, this week, I find that most (yet not all) of them have the attribute of "don't include the keyword in an exported file's metadata."  I never intended to ask for that; I thought all keywords will stay with the file and its offspring, and that's what I wanted.
    So I'm asking:
    1.     What did I do "wrong" to induce Lightroom to give the keywords that attribute? I never intended to ask it to.
    2.     Where does Adobe document how to enter keywords reliably so that they stay with the file on output?  I can't find that Adobe does.
    > Can you be more clear about keywords in square brackets? I know when you export the keywords as a list you can get a normalized data file that uses punctuation and tabs as delimiters...
    I did export the keywords into such a list:  most keywords in the plain-text list have square brackets surrounding them, indicating keywords that will be omitted from metadata of any image that Lightroom exports.
    My concern is not that the brackets are there.  They encode the attribute of "don't include the keyword in an exported file's metadata," and recognizing that attribute concerns me.
    > ...but I've never seen keywords in image files or in the interface rendered so.
    I haven't, either.
    Dick Rawson

  • How to create gpo for all users in all ou?????

    Hello, plz help me. I want to create gpo for all users in all ou, but i dont want that gpo to do in domain????

    Can you elaborate what you mean by "but i dont want that gpo to do in domain"?
    In terms of applying it to all users, that's simple enough, you can simply leave the GPO's security filtering with its default setting as "Authenticated Users" which then apply to everyone.
    In terms of it applying to all OUs, you only have two options.
    1) Create the GPO and link it to the root of your domain, so it then applies to the entire domain and all the OUs within it.
    2) Create the GPO, but instead link it to each OU that you want it to apply to. You can apply one GPO to as many OUs as you want, simply right click on the OU and select "Link an Existing GPO...". It's then not applied to the root of the domain, only the OUs, but any changes you make to the GPO are applied to all the OUs that you've linked it to (rather than having a separate GPO for each of them).

  • What value/text to be entered in the trusted point- certification chain space

    What value/text to be entered in the trusted point- certification chain space

    Yes the certificate is signed by the root CA.
    I have two certificates in the certificate chain which was downloaded from the CA.
    I have pasted both the certificate in the trusted point and the certificate sections and unable to access UCSM ...invalid certificate error.
    The value entered in trusted point and certificate tabs are same?

  • SCCM 2012 PKI - Changing of Trusted Root

    This is in reference to SCCM 2012 SP1 CU4.
    We are in the middle of a PKI migration thereby our Root CA is changing. I added the new root CA to the "Trusted Root Certificate Authorities" in the "Client Computer Communication" tab but it seems to not be where I need to make my change.
    My testing with the new certs (Document Signing on Primary Site and Computer Cert on Clients) has been a bust so far.
    The documentation at http://technet.microsoft.com/en-us/library/bb633098.aspx is the closest I can find but it is only good for SCCM 2007 as the registry key it references doesn't exist.
    In HKLM\SOFTWARE\Microsoft\CCM\Security there is a "Certificate Issuers" key that does not show my newly trusted Root and I imagine that is part of the problem. I can edit the key but within 10 seconds it reverts back.
    Has anyone been through this process in SCCM 2012 or have any documentation to point me towards?

    Apologies, it was https(confirmed again just in case). Typoed in my post above.
    I'm using logparser for the IIS log to pull any traffic coming from my client's IP address and the only errors I see are when it tries to talk over port 80. Any requests to 443 return with a code of 200. Here's all the entries if you see anything I'm overlooking.

  • HT5012 What is the necessity of using these trust root certificates ? In which scenario we can use these certificates?

    Hi all ,
    I would like to know about the trust store and trust root certificates . Please let me know why we have to use these certificates and in which scenario it could be helpful?

    Hi All,
    Please help me in advise for my query.
    Thanks,
    Sriram

  • Pushing Trusted Root

    I created an app object for my trusted root cert that only contains the key
    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots.
    If I associate it with the Root of the tree, users only, then it works fine
    if it's put in the start menu or in App Explorer.
    However, I want to Force Run/Run once this so that users don't have to
    "install" it. When I make it force run, (and leave the "Show Progress" up),
    I don't see it distribute (which may be because it's only one Key, and
    happening too fast) but more importantly, it doesn't work. It doesn't add
    the trusted root, and I still get cert errors on my SSL Pages.
    When do User keys get distributed? Do I have to manually run this app in
    order to get the User Key to import into the reg? If not, What can I do to
    track down why this isn't working on Force Run, but IS working when I
    double click it.

    This what you mean?
    AXT_FILE 3.1
    [Application Name]
    Value=Trusted Root Certificate
    [Application Caption]
    Value=Trusted Root Certificate
    [Macro]
    Name=SOURCE_PATH
    Value=\\hsis1\apps\Trusted Root Certificate
    [Application Path]
    Value=c:\windows\notepad.exe
    [Application Flags]
    Flag=Install Only
    Flag=No Distribution Window
    [Application Platform]
    Flag=Windows 95
    Flag=Windows NT
    [Registry Key Create]
    Flag=Write Always
    Key=HKEY_CURRENT_USER\Software
    [Registry Key Create]
    Flag=Write Always
    Key=HKEY_CURRENT_USER\Software\Microsoft
    [Registry Key Create]
    Flag=Write Always
    Key=HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates
    [Registry Key Create]
    Flag=Write Always
    Key=HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root
    [Registry Key Create]
    Flag=Write Always
    Key=HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
    [Filter OS Version]
    Type=Windows 95
    Major Version=-1
    Minor Version=-1
    Revision Version=-1
    Build Version=-1
    Flag=Greater Than or Equal
    [Filter OS Version]
    Type=Windows NT
    Major Version=-1
    Minor Version=-1
    Revision Version=-1
    Build Version=-1
    Flag=Greater Than or Equal
    [Registry Value Create]
    Type=Binary
    Flag=Write Always
    Flag=Always Distribute Setting
    Key=HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
    Name=Certificates
    Length=44
    Value=18 00 00 00 01 00 00 00 70 9F 63 6D CC 25 C7 01
    Value=01 00 00 00 18 00 00 00 AC E4 03 D8 03 DE 10 06
    Value=14 ED 97 E6 04 0B 0B 4B C5 C0 8D 92
    [Application Association Flags]
    Flag=Launcher
    [Application Distribution Rules]
    File=DIRU0029.XML
    Show Icon=0

  • Error while creating GTC for trusted source reconciliation in OIM11g

    Hi,
    I got an exception while trying to create GTC for Trusted source Reconciliation in OIM11g
    Class/Method: CreateGenConnectorAction/imageScreen encounter some problems: Provider Exception[[
    Caused by: java.lang.NullPointerException
    at com.thortech.util.logging.Logger.isDebugEnabled(Logger.java:599)
    at com.thortech.xl.gc.impl.recon.SharedDriveReconTransportProvider.initialize(SharedDriveReconTransportProvider.java:106)
    ... 53 more
    Thanks & Regards,
    Prasad

    Most likely you are hitting below bug
    Bug 14271576 - OIM BETA : CONNECTOR LOGS ARE NOT GETTING UPDATED IN 11G R2 [preferrred fix ...]
    or
    Bug 13605443 - NULL POINTER EXCEPTIONS IN OIM SERVER DURING RECONCILIATION USING GTC CONNECTOR
    Thanks Deepak
