How to revoke machine certificates quickly?

Similar Messages

• How to revoke mac os x  server push certificates?????

  I am trying to clean up my purchsed copy of Lion Server.  After I drag the os X server application to the trash and go to the apple store where I purchased Lion server for my mac it says that Server is already installed on my computer and the transaction cannot be completed.  So then I decided to try and delete the push certificates I created and when I try to revoke them it takes me to a screen that says "False" and I can't seem to revoke these certificats
  How can you get them revoked.  I am just learning by trial and error.  Any suggestions would be appreciated.  Thanks
  BG

  That page talks about Snow Leopard's Networking abilities, not Leopards.
  Off hand, I don't know whether what you describe is a new feature in Snow Leopard or not, but I've never seen Leopard do it (and, to be honest, wouldn't want to).
  In either case, it's basically just Bonjour telling the router to configure port forwarding. Given that, I'd start by enabling mod_bonjour in Apache:
  #LoadModule bonjour_module libexec/apache2/mod_bonjour.so
  but I don't know how other processes are doing it.

• Machine Certificate will not be recognized

  Hi All, i have a Setup as Follows
  - 5508/1142
  - heterogenous Client with WZC, XP, SP3, SSO
  - ACS 5.2, MS AD
  Target is Songle Sign On wih Machine Cerificates against AD. For testing purpose we tested with EAP-PEAP/MS Chapv2 and Machine Auth, works fine. Now we installed a Machine cert in the Machine cert Store (no User Cert) and reconfigured the WZC for using certs and Machin Auth. What we see is an Error Message in the System Tray that there is no certificate available. We checked it again, the MMC shows us a Machine cert in the Store.
  Where am i wrong, any help welcome.
  BR, Michael

  Hi Michael,
  This is how it works when you select the certificate method under the WZC:
  Computer authentication works only before logon
  By default, after logon, only user authentication works. This means that each user on the system needs a certificate (!) including administrator This can be overridden by AuthMode=2, but this is system-wide,  implying that for a different wireless network user authentication won't  work either. So AuthMode is not an option (except the computer is only used in one 802.1X network)
  This implies too that as soon as there is a computer certificate and no user certificate the network just does not work!
  This way it is not possible to use e.g. EAP-TLS with  certificates for computers and PEAP-MSCHAPv2 with username/password for  users
  So if you wish to use certificate based authentication for the machine, you need to use also for user authentication (using WZC).
  If you have both user and machine certificate, then after installing the certs, reboot the machine and verify if it works.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

• Machine certificate RADIUS wireless login

  Hi all,
  I have a customer who want's to have a computer authentication against RADIUS (allow only school devices to connect through SSID). As I am a network engineer I am struggling with NPS settings and machine certificates.
  I have lab settings in our office where I am using Windows Server 2012 and configured domain certificates using the links below
  https://4sysops.com/archives/how-to-deploy-certificates-with-group-policy-part-2-configuration/#creating-the-certificates
  http://www.petenetlive.com/KB/Article/0000919.htm
  Under NPS I have two policies, one for domain devices and one for non-domain devices
  Domain_devices policy:
  Conditions - NAS Port Type - Wireless-Other OT Wireless - IEEE 802.11
                      Machine groups - domain\Domain devices  - PC added to that group
  Constraints - Auth. method - Microsoft Smart Card or other certificate
  Domain_devices policy:
  Conditions - NAS Port Type - Wireless-Other OT Wireless - IEEE 802.11
  Constraints - Auth. method - Microsoft Protected EAP (PEAP)
  When tested with iPad this was able to connect fine but when testing with domain laptop NPS is returning Event ID 6273 Reason code 16
  Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
  password is correct as I am using same one for iPad as well as computer login
  Anybody with an idea why it's not working?
  Thanks

  Under NPS I have two policies, one for domain devices and one for non-domain devices
  Domain_devices policy:
  Conditions - NAS Port Type - Wireless-Other OT Wireless - IEEE 802.11
                      Machine groups - domain\Domain devices  - PC added to that group
  Constraints - Auth. method - Microsoft Smart Card or other certificate
  Domain_devices policy:
  Conditions - NAS Port Type - Wireless-Other OT Wireless - IEEE 802.11
  Constraints - Auth. method - Microsoft Protected EAP (PEAP)
  When tested with iPad this was able to connect fine but when testing with domain laptop NPS is returning Event ID 6273 Reason code 16
  Hi Lukas,
  Based on your description, the first policy is for domain devices, the second policy is for non-domain devices, the iPad is non-domain device and the laptop is domain device, is that
  right?
  Due to the certificate was deployed via GPO, have you checked if the user or computer certificate was installed successfully in the laptops?
  To verify if the user certificate was installed in the laptop, please follow steps below,
   1. Click
  Start, click Run, enter MMC to open a Console.
   2. Click
  File, click Add/Remove Snap-in,
   3. In the Add or Remove Snap-ins, click
  Certificates, click Add, check My user account, click
  Finish, click OK.
   4. Expand
  Console Root\Certificates-Current User\Personal, if there are not any certificate in this container, it shows that user certificate was not installed successfully.
  To verify if the computer certificate was installed in the laptop, please follow steps below,
   1. Click
  Start, click Run, enter MMC to open a Console.
   2. Click
  File, click Add/Remove Snap-in,
   3. In the Add or Remove Snap-ins, click
  Certificates, click Add, check Computer account, click
  Finish, click OK.
   4. Expand
  Console Root\Certificates(Local Computer)\Personal, if there are not any certificate in this container, it shows that computer certificate was not installed successfully.
  Also, the NPS server and laptops are all need to trust CA, so please check if there is a CA certificate in the
  Trusted Root Certification Authorities\Certificates container.
  Best Regards,
  Tina
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected].

• I want to bind my client certificate with machine certificate in order to bind user with dedicated one machine. Kindly help

  I have created one dedicated root CA for domain and auto enrollment has been enabled through Group Policy.
  I want to bind my client certificate with machine certificate in order to bind user with dedicated with one machine. In order to prevent duplicate logins

  Hi,
  How about using
  User Rights Assignment?
  You can deny all other users’
  log on locally right on the machine.
  User Rights Assignment
  http://technet.microsoft.com/en-us/library/cc780182(v=WS.10).aspx
  Best Regards,
  Amy Wang

• How do I down load Quick Times to my other computers?

  I would like to know how to load D3381Z/A Quick Time on my other 2 computers.  I do not want to pay for the same down load again and again.
  Thanks ,
  Bobby
  4-5-12

  Thank you for your reply.  I had forgotten that I did have to get the pro version for what I wanted.  HOWEVER, I wish I had been notified that it was just for 1 machine.
  Thank you and have a great, happy and safe EASTER.
  Bobby

• L2TP based VPN with OpenS/WAN server, OpenSSL machine certificates

  I cannot seem to get OSX to accept the machine certificates for a VPN connection using Internet Connect.
  I have generated OpenSSL x509 certificates for the server and client side, the same process has generated certificates that work just dandy with WindowsXP. The certificates have "subjectAltName=" key/value pairs assigned to the IP address of the VPN server.
  Once generated I import the certificates into OS X (you have to run KeyChain Access with "sudo" from the console to get this to work). The certificate authority seems to be ok, the CA has been added to the x509Roots, and when I examine the machine certificate for my OS X install using KeyChain Access the certificate is marked valid.
  I generated the hash link for the certificate:
  ln -s /etc/racoon/certs/certname.pem /etc/racoon/certs/'openssl x509 -noout -in certname.pem'.0
  From the console I run '
  openssl verify certname.pem
  It fails unless I specify '-CAPath /etc/racoon/certs', then it passes.
  When Internet Connect is setup to use the certificates I can see in the OpenS/WAN logs that the OS X box connects and negotiates IPSEC to MAIN_3. At this point pluto logs the following:
  ignoring informational payload, type INVALIDCERTAUTHORITY
  This repeats for several re-tries before the OS X side gives up. No useful logging is generated on the OS X side for me to debug, and everything from the OpenS/WAN side seems to be kosher, it appears to be an oakley/racoon issue with validating the machine certificate provided by OpenS/WAN to the OS X side, with the OS X side unable to verify the certificate.
  Has anyone solved this? Any ideas on how to improve the logging output from OS X so I can see what racoon/oakley is carping about in the certificate files it is using?

  I'm having the same problem. I've got a machine cert on my Mac OS 10.4.6 client that was issued by my Win2003 CA. When I try and connect, it just hangs and then dies. In the Security Logs on the 2003 L2TP server, I even see a successful IKE negotiation (MS Event ID 541 and 543 below).
  EventID 541:
  IKE security association established.
  Mode:
  Key Exchange Mode (Main Mode)
  Peer Identity:
  Certificate based Identity.
  Peer Subject C=US, S=City, L=State, O=Company, OU=group, CN=machine.subdomain.company.com, E=[email protected]
  Peer SHA Thumbprint peerthumbrint
  Peer Issuing Certificate Authority O=company.com, CN=Certificate Authority
  Root Certificate Authority O=company.com, CN=Certificate Authority
  My Subject CN=server.subdomain.company.com
  My SHA Thumbprint mythumbrint
  Peer IP Address: x.x.x.x
  Filter:
  Source IP Address x.x.x.x
  Source IP Address Mask 255.255.255.255
  Destination IP Address x.x.x.x
  Destination IP Address Mask 255.255.255.255
  Protocol 0
  Source Port 0
  Destination Port 0
  IKE Local Addr x.x.x.x
  IKE Peer Addr x.x.x.x
  IKE Source Port 500
  IKE Destination Port 500
  Peer Private Addr
  Parameters:
  ESP Algorithm Triple DES CBC
  HMAC Algorithm SHA
  Lifetime (sec) 3600
  MM delta time (sec) 1
  EventID 543:
  IKE security association ended.
  Mode: Key Exchange (Main mode)
  Filter:
  Source IP Address X.X.X.X
  Source IP Address Mask 255.255.255.255
  Destination IP Address X.X.X.X
  Destination IP Address Mask 255.255.255.255
  Protocol 0
  Source Port 0
  Destination Port 0
  IKE Local Addr X.X.X.X
  IKE Peer Addr X.X.X.X
  IKE Source Port 500
  IKE Destination Port 500
  Peer Private Addr
  At least give me a some methods to debug with.

• Renew Machine Certificate for multiple Servers

  Hi,
  We have Windows 2003 Enterprise CA which issues certificates to servers which are used for various purpose like Wifi Authentication, Secure RDP. We have checked that the certificates are going to expire within few weeks. We want to renew certificates before
  expiry but the number of servers is high so we cannot do it manually by logging into each server.
  We doesn't have ACRS enabled for computer certificates and even if we configure it now that will not help.
  Is there a way to renew the certificates for all the servers remotely.

  On Tue, 15 Apr 2014 11:39:43 +0000, Sukhwin08 wrote:
  We already have auto-enrolment enabled through GPO. The settings are as follows
  Automatic certificate management........ Enabled Option Setting Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates .........Enabled
  Update and manage certificates that use certificate templates from Active Directory ..........Enabled
  I think that you're confusing Automatic Certificate Request Services and
  autoenrollment. In your first post in this thread you mention ACRS, however
  the above settings are for autoenrollment. ACRS is only for certificates
  that are based upon V1 certificate templates and then only for machine
  certificates. Autoenrollment on the other hand does not work for anything
  less than V2 certificates and supports both machine and user certificates.
  If you're using V1 certificate templates then you can set autoenrollment
  settings in a GPO and it will not have any impact at all.
  Paul Adare - FIM CM MVP
  Remember the signs in restaurants "We reserve the right to refuse
  service to anyone"? The spammers twist it around to say "we reserve
  the right to serve refuse to anyone." -- SPAMJAMR & Blackthorn in nanae

• Loading a Machine Certificate into System Keychain

  Does anyone know how to load a machine certificate (with a private key) into the System keychain?
  I can load the certificate if it doesn't have a private key, but then Internet Connect won't recognize it as a valid machine certificate. It seem Internet Connect only looks in the shared System Keychain for certificate for the L2TP over IPSec certificate authenticated protocol.
  I tried manually loading a Keychain that had a machine certificate in it already, but I ran into the old problem of the System Keychain requesting a password that nobody knows and when racoon tries to get the certificate from the System keychain it can't and fails.
  mtennes@asher:>>sudo /usr/sbin/systemkeychain -v -t
  Testing system unlock of /Library/Keychains/System.keychain
  (If you are prompted for a passphrase, cancel)
  System unlock is NOT working
  If I create a fresh System keychain that can be unlocked automatically I can't load a valid machine certificate with a private key into the System keychain, I can however load that same certificate into any keychain I create or event the X509Anchors keychain, but of coarse Internet Connect doesn't look there.
  mtennes@asher:>>sudo rm -rf System.keychain
  mtennes@asher:>>sudo /usr/sbin/systemkeychain -v -C
  /Library/Keychains/System.keychain installed as system keychain
  mtennes@asher:>>sudo /usr/sbin/systemkeychain -v -t
  Testing system unlock of /Library/Keychains/System.keychain
  (If you are prompted for a passphrase, cancel)
  System unlock is working
  Any ideas?
  PowerMac G5 2.7GHz DP   Mac OS X (10.4.6)   thawte Web Of Trust Notary

  How about using
  sudo systemkeychain -v -k /Library/Keychains/System.keychain -C "password"
  where “password” is the new keychain password that you want to give to the System keychain?
  That way you should be able to unlock the System.keychain to add whatever you need to add to it, because now you know the password.
  Ronald

• How to transfer my certificate to this new account from old acount

  how to transfer my certificate to this new account from old acount

  You don't.  Registration is a one time thing that you do the first time you install an application.  Once registered it does not need to be done again.
  You should see if yoiu can have the activations reset before you try installing on a new machine so that you still have the two activations that are available to you.  If not, you should still have an activation available for use with the new installation.
  To reset activations contact Adobe Support and ask them to reset your activations....  For the link below click the Still Need Help? option in the blue area at the bottom and choose the chat option...
  Serial number and activation chat support (non-CC)
  http://helpx.adobe.com/x-productkb/global/service1.html ( http://adobe.ly/1aYjbSC )
  To get it working on the new machine you just install and activate using the serial number you should already have.

• SSL VPN with machine certificate authentication

  Hi All,
  I've configured a VPN profile for an Anyconnect VPN connection on my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good....
  Now I configured the same on our production environment and can't get it to work!! The anyconnect client shows an error: "certificate validation failure"
  The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate?? Does someone have an explenation for that?
  btw. We have other VPN configurations on the same production/live ASA's with certificate authentication the are working and show up in the debugging.
  Thanks in advance for your help
  Hardware is ASA5540, software version 8.2(5).
  Some pieces of the configuration below:
  group-policy VPN4TEST-Policy internal
  group-policy VPN4TEST-Policy attributes
    wins-server value xx.xx.xx.xx
  dns-server value xx.xx.xx.xx
  vpn-simultaneous-logins 1
  vpn-idle-timeout 60
  vpn-filter value VPN4TEST_allow_access
  vpn-tunnel-protocol IPSec svc webvpn
  group-lock none
  ipsec-udp enable
  ipsec-udp-port 10000
  split-tunnel-policy tunnelall
  default-domain value cs.ad.klmcorp.net
  vlan 44
  nac-settings none
  address-pools value VPN4TEST-xxx
  webvpn
    svc modules value vpngina
    svc profiles value KLM-SSL-VPN-VPN4TEST
  tunnel-group VPN4TEST-VPN type remote-access
  tunnel-group VPN4TEST-VPN general-attributes
  address-pool VPN4TEST-xxx
  authentication-server-group RSA-7-Authent
  default-group-policy VPN4TEST-Policy
  tunnel-group VPN4TEST-VPN webvpn-attributes
  authentication aaa certificate
  group-alias VPN4TEST-ANYCONNECT enable

  Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.

• How to add a certificate to IIS global "Server Certificates" list using PowerShell?

  Hi, been surfing the web for an example on how to add a certificate to the "global" IIS "Server Certificates" list using PowerShell but to no luck. I already have code in place on how to tie / associate a specific website with a specific cert but not how
  to add the new .cer file using the "Complete Certificate Request..." wizard using PowerShell.... I dont expect the final code to become published but if someone had an idea on howto integrate / get an entry point on where to interact between the "Server Certificate"
  list in IIS and POSH I would be super happy! :|
  I am runnign IIS on a Windows 2008R2 x64 Standard Edition if that helps..... of course, I would saddle for an CLI if there is no other way, but POSH is of course the way to go! :)
  Thanks for the help in advance guys, take care!
  br4tt3

  Hi and thanks for the suggestions!
  Although it comes close, the suggested code example points on howto import / incorporate .pfx files - I am getting fed by .cer files which I need to add into the IIS console using POSH.
  I tried explore the IIS.CertObj object but was not able to work out if this one could be used for importing / adding .cer files into IIS! However, launching the following command from a POSH console with Import-Module Webadministration already
  loaded into that shell;
  $certMgr = New-Object -ComObject IIS.CertObj returns the following error message:
  New-Object : Cannot load COM type IIS.CertObj
  From an IIS perspective I have the following components installed;
  [X] Web Server (IIS)                                    Web-Server
      [X] Web Server                                      Web-WebServer
          [ ] Common HTTP Features                        Web-Common-Http
              [ ] Static Content                          Web-Static-Content
              [ ] Default Document                        Web-Default-Doc
              [ ] Directory Browsing                      Web-Dir-Browsing
              [ ] HTTP Errors                             Web-Http-Errors
              [ ] HTTP Redirection                        Web-Http-Redirect
              [ ] WebDAV Publishing                       Web-DAV-Publishing
          [X] Application Development                     Web-App-Dev
              [ ] ASP.NET                                
  Web-Asp-Net
              [X] .NET Extensibility                      Web-Net-Ext
              [ ] ASP                                    
  Web-ASP
              [ ] CGI                                    
  Web-CGI
              [ ] ISAPI Extensions                        Web-ISAPI-Ext
              [ ] ISAPI Filters                           Web-ISAPI-Filter
              [ ] Server Side Includes                    Web-Includes
          [ ] Health and Diagnostics                      Web-Health
              [ ] HTTP Logging                            Web-Http-Logging
              [ ] Logging Tools                           Web-Log-Libraries
              [ ] Request Monitor                         Web-Request-Monitor
              [ ] Tracing                                
  Web-Http-Tracing
              [ ] Custom Logging                          Web-Custom-Logging
              [ ] ODBC Logging                            Web-ODBC-Logging
          [X] Security                                   
  Web-Security
              [ ] Basic Authentication                    Web-Basic-Auth
              [ ] Windows Authentication                  Web-Windows-Auth
              [ ] Digest Authentication                   Web-Digest-Auth
              [ ] Client Certificate Mapping Authentic... Web-Client-Auth
              [ ] IIS Client Certificate Mapping Authe... Web-Cert-Auth
              [ ] URL Authorization                       Web-Url-Auth
              [X] Request Filtering                       Web-Filtering
              [ ] IP and Domain Restrictions              Web-IP-Security
          [ ] Performance                                 Web-Performance
              [ ] Static Content Compression              Web-Stat-Compression
              [ ] Dynamic Content Compression             Web-Dyn-Compression
      [X] Management Tools                                Web-Mgmt-Tools
          [X] IIS Management Console                      Web-Mgmt-Console
          [X] IIS Management Scripts and Tools            Web-Scripting-Tools
          [ ] Management Service                          Web-Mgmt-Service
          [ ] IIS 6 Management Compatibility              Web-Mgmt-Compat
              [ ] IIS 6 Metabase Compatibility            Web-Metabase
              [ ] IIS 6 WMI Compatibility                 Web-WMI
              [ ] IIS 6 Scripting Tools                   Web-Lgcy-Scripting
              [ ] IIS 6 Management Console                Web-Lgcy-Mgmt-Console
      [X] FTP Server                                      Web-Ftp-Server
          [X] FTP Service                                 Web-Ftp-Service
          [X] FTP Extensibility                           Web-Ftp-Ext
      [ ] IIS Hostable Web Core                           Web-WHC
  More or less the one thing that I am trying to get up and running is an automated FTPS solution - I just use the IIS console to be able to troubleshoot / compare how things scripted from POSH interacts in the MMC representation. The error I am getting
  might be that I am lacking some IIS components to be in place to be able to automate some parts of the IIS - as suggested by the IIS.CertObj object listed in the example..... I will get back if I can track down which component needs to be added to be
  able to reference the IIS.CertObj object.
  Br4tt3 signing out...
  br4tt3

• How can I remove the Quick Launch area from a SharePoint site

  We have a SharePoint site that includes a Quick Launch area by default.  We know how to add and delete items from the Quick Launch area but how can we delete the Quick Launch space (this would shift the main body portion over to the left and taking
  over the space once occupied by the Quick Launch area)?

  Hi,
  You can refer the below urls.
  http://sharepointpolice.com/blog/2010/04/07/hiding-the-quick-launch-in-sharepoint-2010/
  http://chrisstahl.wordpress.com/2010/03/15/hide-the-quick-launch-in-sharepoint-2010/
  http://sharepointpromag.com/sharepoint/four-ways-add-or-remove-quick-launch-menu-control
  Please remember to mark your question as answered & Vote helpful,if this solves/helps your problem.
  s p kumar

• How to get digital certificate informaiton of the email in mail adapter

  Hi, expert:
  I have a requirement to verify the validation of coming email with digital certification. The mail is with digital certification. If the coming email is valid, I 'll get the attachemt of the mail for further processing. I have a sender mail adapter and receiver file adapter configued.
  I have already my own developed adapter module, which is configued in mail adapter. My question is how to retrieve the detailed certificate information in the adapter module developed by myself. Is it feasible?
  Thanks a lot.

  Hi Oscar !!
  refer this blog & links , you will get all you are looking for
  <b>How to use Digital Certificates for Signing & Encrypting Messages in XI</b>
  /people/varadharajan.krishnasamy/blog/2007/05/11/how-to-use-digital-certificates-for-signing-encrypting-messages-in-xi
  http://help.sap.com/saphelp_nw04/helpdata/en/a8/882a40ce93185de10000000a1550b0/frameset.htm
  Thanks !
  Regards
  Abhishek Agrahari

• What Certificate store is used for machine certificates

  I have a requirement to have windows 7/8 users connect to the company network using VPN & IKEv2.
  I have a RH Linux 7 firewall/authentication server that the windows clients will connect to via a vpn.
  I have generated a self-signed Certificate Authority, and a client certificate. (using NSS & certutil)
  I have configured a VPN/IKEv2 connection on my windows 7 client system.
  I have selected "use machine certificates" on the security tab.
  However when I attempt to connect to the Linux 7 server. Windows returns a 13806 error. The windows process
  for locating the certificate cannot find the certificate. (I used mmc to install both the CA certificate & the client certificate)
  So I wondering since I specified the use of machine certificates, perhaps I've installed the certificates in the wrong "store".
  Is there a special "store" for machine certificates?   

  Hi MeipoXu, many thanks for working with me on this issue.
  Thru some trial & error testing I determined the Local Computer store "combo" that DOES NOT generate
  a 13806 error (cert not found) is to import the client cert to the "Personal" store under "Local Computer"
  and import the CA into the Trusted Root Certificates store, also under the "Local Computer"
  However I still get the 13819 error Invalid Certificate Type.  When I attempt to make a connection over vpn.
  Here are the trace entries:
   Frame: Number = 4, Captured Frame Length = 234, MediaType = NetEvent
  + NetEvent:
  - MicrosoftWindowsWFP: IPsec: Receive ISAKMP Packet
    - WfpUnifiedTracing_IKE_PACKET_RECV IKE_PACKET_RECV: IPsec: Receive ISAKMP Packet
       AsciiString ICookie: 76991f2483ab8271
       AsciiString RCookie: be81c4728325eb7f
       AsciiString ExchangeType: IKEv2 SA Init Mode
       UINT32 Length: 284 (0x11C)
       AsciiString NextPayload: SA
       UINT8 Flags: 32 (0x20)
       UINT32 MessageID: 0 (0x0)
       UnicodeString LocalAddress: 192.168.10.4
       UINT32 LocalPort: 500 (0x1F4)
       UINT32 LocalProtocol: 0 (0x0)
       UnicodeString RemoteAddress: 69.54.99.132
       UINT32 RemotePort: 500 (0x1F4)
       UINT32 RemoteProtocol: 0 (0x0)
       UINT64 InterfaceLuid: 1688849960927232 (0x6000006000000)
       UINT32 ProfileId: 2 (0x2)
    Frame: Number = 5, Captured Frame Length = 121, MediaType = NetEvent
  + NetEvent:
  - MicrosoftWindowsWFP: User Mode Error
    - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
       AsciiString Function: IkeFindLocalCertChainHelper
     - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_NO_CERT
        UINT32 WinErrorValue: 0x000035EE - ERROR_IPSEC_IKE_NO_CERT - The IKE failed to find a valid machine certificate. Contact your network security administrator about installing a valid certificate in the appropriate certificate store.
    Frame: Number = 6, Captured Frame Length = 121, MediaType = NetEvent
  + NetEvent:
  - MicrosoftWindowsWFP: User Mode Error
    - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
       AsciiString Function: IkeFindLocalCertChainHelper
     - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_NO_CERT
        UINT32 WinErrorValue: 0x000035EE - ERROR_IPSEC_IKE_NO_CERT - The IKE failed to find a valid machine certificate. Contact your network security administrator about installing a valid certificate in the appropriate certificate store.
    Frame: Number = 7, Captured Frame Length = 117, MediaType = NetEvent
  + NetEvent:
  - MicrosoftWindowsWFP: User Mode Error
    - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
       AsciiString Function: IkeEncodeCertChainIkeV2
     - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
        UINT32 WinErrorValue: 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
    Frame: Number = 8, Captured Frame Length = 117, MediaType = NetEvent
  + NetEvent:
  - MicrosoftWindowsWFP: User Mode Error
    - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
       AsciiString Function: IkeEncodeCertChainIkeV2
     - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
      - HRESULT ErrorValue: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
       -  LEHResult:
          UINT32 Code:      (................0011010111111011) 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
          UINT32 Facility:  (.....00000000111................) WIN32
          UINT32 X:         (....0...........................) Reserved
          UINT32 N:         (...0............................) Not NTSTATUS
          UINT32 C:         (..0.............................) Microsoft-defined
          UINT32 R:         (.0..............................) Reserved
          UINT32 S:         (1...............................) Failure
  $$$$$$$ N O T E :   Frame Numbers 9 thru 13 are exact same error message as Frame numbers 8 (the first) and Frame 14 (the last) $$$$$$$$ Then I close the connection
  and stop the trace.  
    Frame: Number = 14, Captured Frame Length = 123, MediaType = NetEvent
  + NetEvent:
  - MicrosoftWindowsWFP: User Mode Error
    - WfpUnifiedTracing_WFP_USERMODE_ERROR WFP_USERMODE_ERROR: User Mode Error
       AsciiString Function: IkeConstructAndSendMMResponse
     - WinErrorCode ErrorCode: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
      - HRESULT ErrorValue: ERROR_IPSEC_IKE_INVALID_CERT_TYPE
       -  LEHResult:
          UINT32 Code:      (................0011010111111011) 0x000035FB - ERROR_IPSEC_IKE_INVALID_CERT_TYPE - Invalid certificate type.
          UINT32 Facility:  (.....00000000111................) WIN32
          UINT32 X:         (....0...........................) Reserved
          UINT32 N:         (...0............................) Not NTSTATUS
          UINT32 C:         (..0.............................) Microsoft-defined
          UINT32 R:         (.0..............................) Reserved
          UINT32 S:         (1...............................) Failure
  So after a response is received from the Server (to complete the SA Initiation)
  Windows then "looks" for a cert to send to the server.
  It appears initially it can't find one because 13806 errors are reported (Frames  5 & 6)
  However the session does not issue an 13806.
  It goes on to Frame 7: Note the function IkeEncodeCertChainIkeV2 detects the invalid cert type
  Frames 8 thru 14 are just a repeat of the same error.
  Could this be a flaw in the windows VPN logic ?
  Guy