KDC certificate error

Hello,
Im having issues and errors in the event viewer with the KDC certificates.
We have 2 windows 2003 domain controllers (one was Certificate Authority) and we are migrating to Windows 2012, the steps that we have done are:
- Forest and domain at Windows 2003 level.
- Create 2 new domain controllers in Windows 2012 (only DNS and GC, no fsmo roles yet), adding it as new ones in the domain (so 4 domain controllers).
- Revoke all the certificates from the CA (it was only for tests propousal) and deinstall it completely.
- In the Windows 2003 domain controllers started the error:
Event Type: Warning
Event Source: KDC
Event Category: None
Event ID: 20
Date: 12/17/2006
Time: 1:49:47 AM
User: N/A
Computer: SERVER
Description:
The currently selected KDC certificate was once valid, but now is invalid and no suitable replacement was found. Smartcard logon may not function correctly if this problem is not remedied. Have the system administrator check on the state of the domain's public
key infrastructure. The chain status is in the error data.
- In the Windows 2012 domain controllers started the errors:
Event 82: CertificateServicesClient-CertEnroll: RPC server unavailable, error in template: DomainController
Event 13: CertificateServicesClient-CertEnroll: Error RPC: Server.domain.local/CAdomain (where Server is the domain controller were the CA was, and CAdomain the name of the old CA just deleted)
Event 6: CertificateServicesClient-AutoEnrollment: Error RPC
With certutil -dcinfo verify there was errors, so we applied certutil -dcinfo deleteBad. After that the errors are (for the 4 domain controllers):
*** Testing DC[0]: SERVER
** Enterprise Root Certificates for DC SERVER
No certs in Ent Root store!
** KDC Certificates for DC SERVER
0 KDC certs for SERVER
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)
We have deleted templates as this article (as we havent got CA now):
http://www.petenetlive.com/KB/Article/0000473.htm
But the errors still here. We have gpupdate /force and restart the domain controllers but nothing...
We have tried to request a new certificate with this steps:
Create a computer certificate using mmc snap-in 'certificates' by right clicking on 'Certificates' folder Under 'root\Personal' tree, and clicking All Tasks -> Request New Certificate. Certificate Enrollment window appears, you verify you are connected to
your network and you are logged onto the domain.
Then Click Next, which leads to a window stating the issue:
"Certificate types are not available"
"You cannot request a certificate this time because no certificate types are available. If you need a certificate contact your administrator."
Any help will be appreciate.
thanks

It appears that Active Directory wasn't cleaned correctly. You need to completely decommission CA server from Active Directory:
http://social.technet.microsoft.com/wiki/contents/articles/3527.how-to-decommission-a-windows-enterprise-certification-authority-and-how-to-remove-all-related-objects.aspx
Start with step 6.
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell File Checksum Integrity Verifier tool.

Similar Messages

Com.apple.kerberos.kdc certificate

The com.apple.kerberos.kdc certificate is a self signed root certificate(atleast it claims to be so) and is from a non trusted source. Should i keep it? Also, there is(was) another certificate that i accidentally deleted that too claims to be related to apple. Anyone have any opinion on these certificates? Only these two are set to expire in 2028. Rest of the certificates are all trusted and have no expiry dates.

I am having issue with com.apple.kerberos.kdc certificate(s) as well. I recently setup OS X Server 10.5 with updates to v10.5.2. I cannot get Mail, iCal/CalDAV, Sharing, and other serves to work from my client computers. It appears the issue is related to security and certficates named com.apple.kerberos.kdc & com.apple.systemdefault where the root certificates are self-signed and have the error message, "This root certificate is not trusted". Currently working to resolve this issue. So far it looks like I need to use Certificate Assistant to setup myself as CA (certificate authority) on my server and then set the trust values for the certificate. Since I'm a new comer to OS X Server I am still researching and looking for direction prior to proceeding. I setup OS X 10.5.x server in standard mode using Server Assistant, but expect to eventual switch to advanced mode when I get up to speed with server setting and preferences.
Anyone have any advise on how to resolve this certificate problem?

Windows smart card logon and kdc certificate (2008R2)

dear,
we are trying to implement a smartcard logon on 2008r2 dc and ca. Environment:
Domain controller - windows server 2008 R2
CA - windows server 2008 R2
testing server - windows server 2008 R2
when using smartcard logon, a message pops up "The system could not log you on. You cannot use a smart card to log on because smart
card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization.".
The domain controller has an error message : "Event 19: This event indicates an attempt was made to use smartcard logon, but the KDC is unable to use the PKINIT protocol because it is missing a suitable certificate",
when using "net stop kdc && net start kdc" there is a warning : "event 29 : The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card
logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate."
There were 2 dead CAs in the environment, we deleted them manually by following the instructions in http://support.microsoft.com/kb/555151;
We tried to renew the domain controller certification with the instructions in http://technet.microsoft.com/en-us/library/cc734096.aspx；http://technet.microsoft.com/en-us/library/cc733944(v=ws.10).aspx,
the result of "certutil -dcinfo verify" seemed to be correct, but the event 19 and 29 are still there.
How could we resolve this problem? Thanks in advance
The output of "certutil -dcinfo verify" is :
0: CTXDC
*** Testing DC[0]: CTXDC
** Enterprise Root Certificates for DC CTXDC
Certificate 0:
Serial Number: 781902753c5627b64bd4e45c38b648df
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/11 11:57
NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): 24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
** KDC certificate for DC
CTXDC
certificate 0:
Serial Number: 611648d2000000000030
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/21 12:05
NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Certificate Template Name: DomainController
Non-root Certificate
template: DomainController, domain controller
Cert Hash(sha1): e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
Application[0] = 1.3.6.1.5.5.7.3.1
Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.2
Client Authentication
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 10 Hours, 36 Minutes, 16 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/21 12:05
NotAfter: 2014/4/21 12:05
Subject: CN=CTXDC.demo2.internal.jiean-technologies.lan
Serial: 611648d2000000000030
SubjectAltName: Other Name:DS object GUID=04 10 f1 68 15 d4 e6 4a 8c 40 80 c6 15 16 1d 26 49 4d, DNS Name=CTXDC.demo2.internal.jiean-technologies.lan
Template: DomainController
e5 e5 5f 80 b0 cd 7f b5 3d 86 51 3e f3 70 d0 8e 39 48 45 cd
Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
CRL 54:
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
52 95 06 73 26 3a 6a 22 a3 6f d7 6e b2 f3 4c 3d 02 9b 7e 54
Delta CRL 55:
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
8c c0 97 5e a3 13 9d a1 5c a2 c1 86 e8 65 ff b0 8b ea f4 a3
Application[0] = 1.3.6.1.5.5.7.3.2
Server Authentication
Application[1] = 1.3.6.1.5.5.7.3.1
Client Authentication
CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
Issuer: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
NotBefore: 2013/4/11 11:57
NotAfter: 2018/4/11 12:07
Subject: CN=demo2CA, DC=demo2, DC=internal, DC=jiean-technologies, DC=lan
Serial: 781902753c5627b64bd4e45c38b648df
Template: CA
24 43 b0 79 33 8d f4 74 2d 52 df 75 3a 50 73 85 62 25 fb 86
Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
Exclude leaf cert:
33 0e 29 2d 44 b0 f9 5d a8 7d 03 26 52 e0 cf 00 4c bf 66 2d
Full chain:
04 60 4a 63 ea 44 36 5a 8a 3e 43 b5 23 2a ee 8e a6 05 16 3b
Verified Issuance Policies: None
Verified Application Policies:
1.3.6.1.5.5.7.3.2
Server Authentication
1.3.6.1.5.5.7.3.1
Client Authentication
1 KDC certs for CTXDC
CertUtil: -DCInfo command completed successfully.

The KDC certificate must be good for "SmartCard logon" purpose. It is currently not.
I you do not use smartcards, do not worry.

KDC certificate

Can anyone explain what this console message is referring to? Thanks!
kdc[43]: WARNING Found KDC certificate (O=System Identity,CN=com.apple.kerberos.kdc)is missing the PK-INIT KDC EKU, this is bad for interoperability.

Follow up: I was able to solve this without a new certificate. I found the primary CA certificate for the machine and edited the trust settings to Always Trust for Kerberos client and server. No more errors in the log.
Open Utilities: Keychain Access
Select the System keychain, select Category Certificates.
Here you need to identify the Certificate Authority that best applies to your computer. If you don't know, you'll need to ask. Do a File->Get Info on the CA. Open the trust settings by clicking the triangle next to Trust. Scroll down until you see Kerberos Server and Kerberos Client. Change the trust settings from the pop-up menus to Always Trust.
That's it. If that is the relevant CA, the KDC error messages will go away.

Certificate error while calling a webservices from application deployed in

Hi,
When we are trying to invoke a web service from a client application which was deployed in weblogic server we are getting the certificate error. We are using go daddy certificate. Here is the log file
Anyone Please advice.
FileName
weblogic.log
FileComment
<Apr 25, 2011 1:51:15 PM EDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=*.wvu.edu,OU=Domain Control Validated,O=*.wvu.edu". The loading of the trusted certificate list raised a certificate parsing exception Could not set value for ASN.1 string object..>
<Apr 25, 2011 1:51:15 PM EDT> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=*.wvu.edu,OU=Domain Control Validated,O=*.wvu.edu". The loading of the trusted certificate list raised a certificate parsing exception Could not set value for ASN.1 string object..>
javax.xml.ws.WebServiceException: weblogic.wsee.wsdl.WsdlException: Failed to read wsdl file from url due to -- javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:322)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:77)
at weblogic.wsee.jaxws.spi.WLSProvider.createServiceDelegate(WLSProvider.java:62)
at javax.xml.ws.Service.<init>(Service.java:56)
at wvudatacollection.wsproxy.scheduler.TimeClockScheduler_Service.<init>(TimeClockScheduler_Service.java:71)
at wvudatacollection.wsproxy.scheduler.TimeClockSchedulerServiceWrapper.getStatus(TimeClockSchedulerServiceWrapper.java:96)
at wvudatacollection.wsproxy.scheduler.GetSchedulerStatusWrapper.getStatusCode(GetSchedulerStatusWrapper.java:10)
at sun.reflect.GeneratedMethodAccessor185.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at oracle.adf.model.binding.DCInvokeMethod.invokeMethod(DCInvokeMethod.java:561)
at oracle.adf.model.binding.DCDataControl.invokeMethod(DCDataControl.java:2113)
at oracle.adf.model.bc4j.DCJboDataControl.invokeMethod(DCJboDataControl.java:3009)
at oracle.adf.model.bean.DCBeanDataControl.invokeMethod(DCBeanDataControl.java:436)
at oracle.adf.model.binding.DCInvokeMethod.callMethod(DCInvokeMethod.java:256)
at oracle.jbo.uicli.binding.JUCtrlActionBinding.doIt(JUCtrlActionBinding.java:1437)
at oracle.adf.model.binding.DCDataControl.invokeOperation(DCDataControl.java:2120)
at oracle.adf.model.bean.DCBeanDataControl.invokeOperation(DCBeanDataControl.java:464)
at oracle.adf.model.adapter.AdapterDCService.invokeOperation(AdapterDCService.java:307)
at oracle.jbo.uicli.binding.JUCtrlActionBinding.invoke(JUCtrlActionBinding.java:693)
at oracle.adf.model.binding.DCInvokeAction.refreshInternal(DCInvokeAction.java:47)
at oracle.adf.model.binding.DCInvokeAction.refresh(DCInvokeAction.java:33)
at oracle.adf.model.binding.DCBindingContainer.internalRefreshControl(DCBindingContainer.java:3107)
at oracle.adf.model.binding.DCBindingContainer.refresh(DCBindingContainer.java:2759)
at oracle.adf.controller.internal.binding.TaskFlowRegionController.refreshRegion(TaskFlowRegionController.java:145)
at oracle.adf.model.binding.DCBindingContainer.internalRefreshControl(DCBindingContainer.java:3038)
at oracle.adf.model.binding.DCBindingContainer.refresh(DCBindingContainer.java:2759)
at oracle.adf.controller.v2.lifecycle.PageLifecycleImpl.prepareRender(PageLifecycleImpl.java:548)
at oracle.adf.controller.v2.lifecycle.Lifecycle$9.execute(Lifecycle.java:224)
at oracle.adfinternal.controller.lifecycle.LifecycleImpl.executePhase(LifecycleImpl.java:192)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.mav$executePhase(ADFPhaseListener.java:21)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener$5.before(ADFPhaseListener.java:395)
at oracle.adfinternal.controller.faces.lifecycle.ADFPhaseListener.beforePhase(ADFPhaseListener.java:60)
at oracle.adfinternal.controller.faces.lifecycle.ADFLifecyclePhaseListener.beforePhase(ADFLifecyclePhaseListener.java:44)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl._executePhase(LifecycleImpl.java:246)
at oracle.adfinternal.view.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:193)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:266)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:292)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adf.model.servlet.ADFBindingFilter.doFilter(ADFBindingFilter.java:191)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.adfinternal.view.faces.webapp.rich.RegistrationFilter.doFilter(RegistrationFilter.java:85)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:420)
at oracle.adfinternal.view.faces.activedata.AdsFilter.doFilter(AdsFilter.java:54)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl$FilterListChain.doFilter(TrinidadFilterImpl.java:420)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl._doFilterImpl(TrinidadFilterImpl.java:247)
at org.apache.myfaces.trinidadinternal.webapp.TrinidadFilterImpl.doFilter(TrinidadFilterImpl.java:157)
at org.apache.myfaces.trinidad.webapp.TrinidadFilter.doFilter(TrinidadFilter.java:92)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.wls.JpsWlsFilter$1.run(JpsWlsFilter.java:96)
at java.security.AccessController.doPrivileged(Native Method)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:313)
at oracle.security.jps.wls.util.JpsWlsUtil.runJaasMode(JpsWlsUtil.java:146)
at oracle.security.jps.wls.JpsWlsFilter.doFilter(JpsWlsFilter.java:140)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:70)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.wls.DMSServletFilter.doFilter(DMSServletFilter.java:202)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.RequestEventsFilter.doFilter(RequestEventsFilter.java:27)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3588)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2200)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2106)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1428)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:201)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:173)
Caused by: weblogic.wsee.wsdl.WsdlException: Failed to read wsdl file from url due to -- javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:313)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:305)
at weblogic.wsee.jaxws.spi.WLSProvider.readWSDL(WLSProvider.java:312)
... 70 more
Caused by: javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
at com.certicom.tls.record.WriteHandler.write(Unknown Source)
at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:123)
at weblogic.net.http.HttpURLConnection.writeRequests(HttpURLConnection.java:154)
at weblogic.net.http.HttpURLConnection.getInputStream(HttpURLConnection.java:358)
at weblogic.net.http.SOAPHttpsURLConnection.getInputStream(SOAPHttpsURLConnection.java:37)
at weblogic.wsee.util.is.InputSourceUtil.loadURL(InputSourceUtil.java:103)
at weblogic.wsee.util.dom.DOMParser.getWebLogicDocumentImpl(DOMParser.java:118)
at weblogic.wsee.util.dom.DOMParser.getDocument(DOMParser.java:65)
at weblogic.wsee.wsdl.WsdlReader.getDocument(WsdlReader.java:311)
... 72 more
Thanks,
Sajja
Edited by: user13514455 on Jun 13, 2011 8:35 AM

We resolved this problem for the same version of JDeveloper in the WebLogic Console. In the Domain Structure / Evironment / Servers / Settings for Default Server, click the Configuration and SSL tabs. Then change Hostname Verification to None and check the Use JSSE SSL box at the bottom.

How do I remove the certificat error everytime I try to access the Cisco Unified CM Administration web-page?

Hi,
Every time I want to have access to the Cisco Unified CM Console (System version: 7.0.1.11000-2), I use the https://10.10.x.x/ccmadmin/showHome.do homepage on my client computer, but when I open the page, I get a SSL certificate error, stating no trust to this webpage security certificate and if I those "continue to this page (not recommended)", I get access to the Cisco Unified CM Console web page.
I have tried to add the https://IP-adress to secure web pages in Internet Explorer 7, but this to no avail, it does not help.
How do I add this certificate to a trusted something, so I do not get this warning every time I open the page?
Kind regards,
Carl-Marius

Hi Michael,
It worked when I change the IP-address to the name that was written in the certificate, and imported the certificate to Internet Explorer.
Thank you for your fast and very precise help!
Kind regards,
Carl-Marius

Certificate error when try to send mail

Masters,
First of all sorry for my poor english. Im not IT specialist, so please ...
I need help to fix my problem. I know there are many post with this but i can't figure out.
We had a working enviroment with no certificate issue.
I tried to set the Outlook Anywhere, and so i messed up something. Now if user open outlook and send / or reply a mail got a certificate error message. I don't care Outlook Anyhere anymore but i need to fix my issue...
I have not enough reputation point, so i can't attach image. I used Snag to attach picture.
Certification error message:
This is how exchange certs looks like:
The problem is occure when start outlook and start or reply a mail. Certfication error pop-up, and inside the message windows on the Certification Chain tab i see: "mydomain".local
When i try to configure outlook anywhere i create and enable new certificate. I think when i did this i have to allow owerrite some service... I deleted that certification already.
If i install the cert to root CA, then works ok. But i don't want to install it all our server, because its workd earlier. How can i fix this?
Thank you

Hello,
First of all thank you for helpin' me.
I do not want to use outlook anywhere anymore, but now i know need 3rd certf for work...
Only i want to get back everything.
I know if i install to root CA than pop up disappear (i test this one of our server) but because earlier we have no installed this cert...so i don't understand what should i did...
1. i installed a new self-sign certificate and associate service SMTP for it.
2. after all test failed i decided to delete this cert...
3. now outlook get pop up with certificated issued by: ourcompany.local
- i did not seen any certificate in the certificate store with this name...
Now i test it again and the no pop up in outlook?! What happend? I check and the mentioned certificate not in the store?!
If i delete a certificate and assign service to another one, how many time need to affect this to the enviroment?
Thank you

SSL Offloading and Certificate Errors

I am attempting to offload SSL on an F5 load balancer. I made the certificate request from the load balancer, procured the certificate from Entrust, and installed on the load balancer. I then followed SSL Offloading TechNet instructions here:
http://technet.microsoft.com/en-us/library/dn635115(v=exchg.150).aspx. My two CAS servers still have the self-signed certificates bound in IIS. I am getting certificate
errors when making RPC over HTTPs connections in Outlook and the self-signed certificate is popping up.
My question is what do I do with the certificates on my 2 CAS servers? Do I leave the self-signed certificates on there and export the Entrust certificate from my F5 and then import it to my CAS servers and change the bindings in IIS?
Or do I have to make the CSR from a CAS server, issue a new Entrust certificate from that, import to both CAS servers, then import to the F5 and make sure all bindings are correct in IIS?
Or am I completely misunderstanding how this works and need to do something different entirely?
Thanks in advance for any guidance.

As I previously mentioned, I have already followed the SSL Offloading guide from technet, which included unticking Require SSL for all the various objects in IIS (OWA, ECP, EWS, RPC etc.)
Additionally I made sure SSL Offloading was enabled for Outlook Anywhere in Powershell. See for example output of Get-OutlookAnywhere:
RunspaceId                         : 1bdf6a03-d43d-4478-84cc-95e18806b11b
ServerName                         : TSTEXCG2013
SSLOffloading                      : True
ExternalHostname                   : tstowa.XXXX.com
InternalHostname                   : tstowa.XXXX.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://TSTEXCG2013.tstXXX.tstXXXX.tst/W3SVC/1/ROOT/Rpc
Path                               : D:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 847.32)
Server                             : TSTEXCG2013
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web
                                     Site),CN=HTTP,CN=Protocols,CN=TSTEXCG2013,CN=Servers,CN=Exchange
Administrative
                                     Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=XXX XXXX,CN=Microsoft
                                     Exchange,CN=Services,CN=Configuration,DC=tstXXXX,DC=tst
Identity                           : TSTEXCG2013\Rpc (Default Web Site)
Guid                               : 9b2bc5e2-41c1-4219-9186-8e6b8cb63dc0
ObjectCategory                     : tstXXXX.tst/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 7/10/2014 7:38:58 PM
WhenCreated                        : 6/23/2014 2:54:36 PM
WhenChangedUTC                     : 7/11/2014 12:38:58 AM
WhenCreatedUTC                     : 6/23/2014 7:54:36 PM
OrganizationId                     :
OriginatingServer                  : TSTXXXXDC02.tstXXXX.tst
IsValid                            : True
ObjectState                        : Changed

Office Web Apps deploy certificate error

IIS Using Domain Certificate, when access "https://fqdn/hosting/discovery" with certificate error.
Office web apps using same CA with Front End Server.
new web farm with this new certificate name.
Any suggest?
Thanks.

When you get the certificate are you able to view the certificate details? Do they match the name of the site?
Do you have the appropriate root certificate installed on the client that you are browsing from?
If this helped you please click "Vote As Helpful" if it answered your question please click "Mark As Answer"
Georg Thomas | Lync MVP
Blog www.lynced.com.au | Twitter
@georgathomas
Lync Edge Port Check (Beta)
This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Certificate Error while updating Maps in Nokia N95...

Sir/Madam
there is an error (certificate error: contact to supplier) occurring while updating nokia maps by using "nokia maps uploader".. please help me out

Do you mean Nokia Maps Loader or Nokia Maps Updater?
If you want to thank someone, just click on the blue star at the bottom of their post

Certificate error while connecting to multiple web service

I am having a web service test client through which I can connects and get reports from multiple web services.
In Development unix box, we are using "self-signed certificate" using keystore type JKS. In Production server, we are using certificate from CA.
The web service is running in Development and in Production.
Now I have developed single test client with a drop down selection for different web services. For example, if we select "Development", the request will go the development web service and if we select "Production", the request will go to Production web service.
Now while connecting to Develpment service, we are settings the below certificates details Because we are using the self signed certificate.
System.setProperty("javax.net.ssl.keyStore",keyStoreFileLocation);
System.setProperty("javax.net.ssl.keyStorePassword",keyStorePassword);
System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
System.setProperty("javax.net.ssl.trustStoreType",trustStoreType);
System.setProperty("javax.net.ssl.trustStore",trustStoreFileLocation);
System.setProperty("javax.net.ssl.trustStorePassword",trustStorePassword);
I am clearing the System properties using the System.clearProperty() while pointing to Production service. because in Production we are using the CA certificate from Thawte so these details are not required at all and our JRE (java 5) is pre configured to support that CA certificate.
I am using Resin-2.1.12, axis1.2 and java5.
Now the problem is
(1) for the first time, when I send the request to Production Service URL, the report gets generated. For the next time when we are running against Development, it's giving below certificate error.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
(2) Now restart resin and run the test client against Developemnt service URL, here report gets generated and for the next time, run the test client against Production, it's giving the certificate error.
So for the 2nd request, it always gives the error irrespective of the web service instance selected.
Please suggest ....thanks in advance.

Hi ,
No, due to the issue is happening only on one computer.
The error "(401) Unauthorized" usually indicates that the connection has been established but the permission check fails. InfoPath Form Services uses the application pool identity of the web
application to connect to resources.
Does the account which login the computer have permission to connect to User Profile Service Application?
For a workaround, you can go to IIS Manager , set the User Profile Application Pool to Anonymous Access and try again.
Also you can have a look at the blog:
http://sharepointconnoisseur.blogspot.in/2011/04/how-to-resolve-401-unauthorized-error.html
Best Regards,
Eric
Eric Tao
TechNet Community Support

I am getting a certificate error message and there is no link on the page to add this site as an exception.

I am trying to open up the web page where we log into our employee email. Evidently the security certificate has been changed. I am getting a certificate error message, but I am not seeing a link provided where I can click to add this web site as an exception.

This is a user to user forum. You are defintely in wrong place.

Certificate error when downloading itunes...

I'm getting a certificate error in Internet Explorer when trying to download itunes on new computer.
It's blocking the download.
Help!

worked like a charm! I know PSE but don't know computers that well:))

Iphone getting a certificate error logging into Lync 2013

Hello,
I am having a strange issue with Lync Mobility. Android seems to work just fine, but my IPhone clients are throwing certificate errors. Everything is showing up properly in the Lync Connectivity Analyzer. The LyncDiscover URL seems to work just fine.Any
Anyone run into issues specifically with certificates and IPhone?

Check the following KB about Lync Mobile users cannot sign in after they update to client version 5.4:
http://support.microsoft.com/kb/2965499/en-us
Lisa Zheng
TechNet Community Support

Autodiscover, domain controllers, and certificate errors

I have just deployed and Exchange 2013 server in one of my sites. I'm having tons of issues with it, but one issue I'm having trouble thinking through goes like this:
All users have email addresses that are [email protected] Domain.com is our internal domain name and also a public domain. Now, in a Windows environment, if you were to nslookup domain.com within our network it
will resolve to any one of the domain controllers. On our infrastructure master DC there is an IIS website, with SSL, that handles certificate services for our internal CA.
Here's my problem: When a user opens Outlook and autodiscover attempts to find their Exchange connection info it first tries to reach the site
https://domain.com/autodiscover/autodiscover.xml. If that PC happens to resolve domain.com to the DC that has our certificate services website on it then the Outlook client sends a certificate error.
If the client is prior to Outlook 2013, the mailbox configuration just halts and throws an error.
What do I do to prevent this?

Hi,
Yes, we can have the following “switchers”
PreferLocalXML
ExcludeHttpRedirect
ExcludeHttpsAutoDiscoverDomain
ExcludeHttpsRootDomain
ExcludeScpLookup
ExcludeSrvRecord
ExcludeLastKnownGoodUR
Thanks,
Simon Wu
TechNet Community Support

KDC certificate error

Similar Messages

Maybe you are looking for