PEAP: Enforce that client must verify server certificate

Hi,
I have PEAP set up with a server certificate. The ACS server is used for RADIUS authentication, and Cisco wireless access points (1240 series) are used in WPA2/AES. In my setup, clients are working fine with or without server certificate verification. How could I enforce that the client must verify the server certificate, otherwise the wireless connection is not authenticated?
Regards

You could do that with an Active Directory policy or something like that. There isn't anything on the AP or RADIUS server that can be done.

Similar Messages

  • What do these SSL error messages mean?  How do I fix this problem? (SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT) & (SSL_ERROR_BAD_CERT_ALERT - SSL client cannot verify your certificate.)

    In my error log files for iPlanet Web server 4.1SP9 (running on Solaris) I am seeing the following errors sporadically dispersed seemingly at random throughout the day.
    Error receiving connection (SSL_ERROR_CERTIFICATE_UNKNOWN_ALERT)
    Error receiving connection (SSL_ERROR_BAD_CERT_ALERT - SSL client cannot verify your certificate.)
    Error receiving connection (Not connected)

    Hi,
    Are you trying to install a certificate in iWS?
    When did you get these error messages?
    For more information about error codes, please look at the links below.
    http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
    http://knowledgebase.iplanet.com/ikb/kb/articles/4811.html
    Regards,
    Dakshin.
    Developer Technical Support
    Sun Microsystems
    http://www.sun.com/developers/support.

  • Mail - Constantly asking me to verify server certificate

    Hey guys, I'm new here. Hope everybody's well and hopefully somebody can help me!
    I've recently bought a domain name and have created a couple of email addresses. I set them up through Mail and they were fine for the last couple days, until now..
    I keep getting asked to verify my mail server certificate? I've already clicked "always trust" a fair few times, it prompts me to enter my administrator password and then seems to work. Only recently it's been asking me for this password twice.. as in, I'll enter it, and then it will ask for it again INSTANTLY, as though I'd entered it wrong or something.
    Here's a screenshot of my problem:
    http://img179.imageshack.us/img179/9245/picture6xv1.png
    It's becoming very frustrating, and every time I quit Mail and relaunch it asks me to verify the certificate again.
    Is this a Leopard problem? Or something to do with my hosts?
    Any help is really appreciated.
    Thanks
    Felix

    I had this problem. I solved it by making two separate self-signed certificates on my server. (It used to have only one.) Then I assigned one certificate to SSL for SMTP and one to SSL IMAP/POP.
    Mail.app now remembers to trust these certificates, simply by clicking "Always Trust" (whatever it was) as one expects one should. Once when first receiving email, and then one more time for sending email (for the SMTP).
    My Mail.app is configured to send and receive through the same server but receive from mail.myserver.com and send to smtp.myserver.com.
    It doesn't seem to matter what I called the certificates. I just named them "MyCompany Mail" and "MyCompany SMTP", and assigned them to POP/IMAP and SMTP.
    It actually made sense that Mail.app would forget my trust setting for the certificate for mail.mycompany.com when I later trusted the same certificate for smtp.mycompany.com.
    Maybe this helps some of you!

  • Every website I try to go to (such as Facebook, Twitter, etc that are safe) is saying that the website is unsafe and that I must accept the certificate).

    Yesterday my Firefox seemed to spasm and I believe I had a virus (every time I hit the "home" button which is google.com for me, it would send me to this weird site that I knew wasn't safe). I uninstalled and re-installed Firefox and ran virus scanners but nothing was found. After restarting Firefox, every website that I try to go to is giving me an unsafe error and that I must give each site a security exception, even for safe sites like Facebook, Twitter, etc. Once I did get on Facebook, everything is in HTML format and I can't use it at all. I tried restarting/uninstalling/resetting Firefox again but to no avail. I checked my Firewalls and nothing came up. Here is the data from the troubleshooting information.
    Hopefully you can figure something out as I love Firefox but it's very frustrating that I can't use it and that this is happening. I also use Avast! Anti-security but I'm fairly certain that is having no effect on this problem. As I said I've also run malware and virus scanners but nothing came up harmful.

    Hello,
    Try disabling Avast's web shield and try going to a few safe sites where you experienced the "untrusted connection". You can also follow this article for other common troubleshooting steps: [["This Connection is Untrusted" error message appears - What to do]].
    You can try these free programs to scan for malware, which work with your existing antivirus software:
    * [http://www.malwarebytes.org/products/malwarebytes_free/ MalwareBytes' Anti-Malware]
    * [http://general-changelog-team.fr/en/downloads/viewdownload/20-outils-de-xplode/2-adwcleaner AdwCleaner] (for more info, see this [http://www.bleepingcomputer.com/download/adwcleaner/ alternate AdwCleaner download page])
    * [http://www.microsoft.com/security/scanner/default.aspx Microsoft Safety Scanner]
    * [http://support.kaspersky.com/viruses/disinfection/5350 Anti-Rootkit Utility - TDSSKiller]
    * [http://www.surfright.nl/en/hitmanpro/ Hitman Pro]
    * [http://www.eset.com/us/online-scanner/ ESET Online Scanner]
    If your home page has been changed, and you don't have any suspicious extensions:
    * Tools (or [[Image: New Fx Menu]]) > Add-ons > Extensions
    You can use the [https://addons.mozilla.org/en-US/firefox/addon/searchreset/ Search Reset Tool] to reset your home page, new tab page, and search bar back to default. The extension then uninstalls itself once these preferences are reset.
    Let us know if that helps.

  • Trying to order calendar ..but each time it says that I must verify address..but then it goes back to reassembling the calendar and then saying I must verify my address

    Made calendar..when I try to purchase..it puts together the calendar but then says that I need to verify my account information...but if I try to do anything...it just goes back and assembles the calendar again and then says that I need to verify my account information,

    Go to the Apple store (store.apple.com) and re-enter (not just verify) all of your information,
    Before ordering your book preview it using this method - http://support.apple.com/kb/HT1040 - and save the resulting PDF for reference - the delivered book will match it.
    and if the preview is fine order
    LN

  • Certificate Exception - applet client to java server with SSL

    Hi,
    I'm having some trouble getting SSL working and hope
    someone can shed some light. I've been plowing through
    these forums for a couple of days - seems lots of folks
    have had this problem but I can't find a clear solution.
    I've written a server in java. The client is an applet.
    This is an internet app so I have no control over
    configuring clients. I'm trying to prove SSL communication from the applet to my server. This is
    commercial software so the customer would put their own
    keys on the machine and resign the applet before deploying.
    I've created a keystore with keytool. Then I self-
    signed it. Then I signed my applet jarfile. I've even tried exporting the certificate and importing using the java plug-in control panel
    (obviously not something I can do in the real world but
    just wanted to see if that was it). I start up my server
    and navigate to a web page to start the applet. For
    development purposes, I'm doing this all on one machine. I'm running jdk 1.4.1_02. We're requiring the
    Sun plug-in as our client java VM.
    Once the client starts to connect, I get this error in
    the plug-in console:
    java.security.cert.CertificateException: Couldn't find trusted certificate
    On my server, I get:
    Wed May 14 16:27:46 EDT 2003 [EXCEPTION]: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.b(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
         at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
         at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
         at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
         at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
         at java.io.InputStreamReader.read(InputStreamReader.java:167)
         at java.io.BufferedReader.fill(BufferedReader.java:136)
         at java.io.BufferedReader.readLine(BufferedReader.java:299)
         at java.io.BufferedReader.readLine(BufferedReader.java:362)
         at com.pactolus.webBroker.psWebLegClientThread.run(psWebLegClientThread.java:130)
         at java.lang.Thread.run(Thread.java:536)
    The client code is pretty simple:
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    tcpSocket = (SSLSocket) factory.createSocket(addr, iPortNbr);
    tcpSocket.setUseClientMode(true);
    tcpSocket.startHandshake();
    followed by a thread kick-off which will listen on the
    socket for incoming messages.
    The server code is:
    SSLContext sslCtxt = SSLContext.getInstance("SSL");
    KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
    KeyStore ks = KeyStore.getInstance("JKS");
    char[] password = keyPassword.toCharArray();
    ks.load(new FileInputStream(keyFile), password);
    kmf.init(ks, password);
    sslCtxt.init(kmf.getKeyManagers(), null, null);
    SSLServerSocketFactory factory = sslCtxt.getServerSocketFactory();
    secureTCPSocket = (SSLServerSocket) factory.createServerSocket(port);
    secureTCPSocket.setNeedClientAuth(false);
    followed by a thread kick-off which will listen for
    connections and spin-off other threads to manage each
    client socket.
    I'm pretty much at my wits end. As I said, seems lots of
    folks have had this problem but I haven't yet seen a
    firm answer.
    If anyone can shed some light on this so I can get my
    proof of concept going, I would really appreciate it - and buy you a couple of beers!
    Thanks,
    Scott Johnson

    Problem resolved! It was the certificate. I can get it working in a test scenario by using the test certs file
    provided with the jdk on the client and server sides.
    So, does this mean that I MUST use a certificate from
    one of the known authorities as delivered with the JDK?
    My applet will be used by internet clients. I'm requiring
    the sun plug-in. Is it true there is no way to get
    a certificate I've created to be presented to the client
    so it can choose to add it to its trusted authorities?
    I am required to use, say, a Verisign certificate?
    I can get my sample working but only if I place a
    jssecacerts (a copy of the samplecacerts) where both the client and server can get at it. In the real world, I can't do that on the client.
    Presumably the client will only have the cacerts that was delivered with the Sun plug-in. I'm restricted, then, to using a server key file signed with a certificate from
    one of the providers found in the cacerts file? Or, can
    I present to the client a certificate which it can
    choose to accept as trusted and place in its cacerts file? Any info would be appreciated - I've already
    committed those duke bucks!
    Scott

  • I have a box that I cannot get past.  It says cannot verify server identity.  How can I get rid of it?

    I cannot get past a box that says "cannot verify server identity"

    Try just holding down the power button and restarting. I've no idea what you're talking about but if it's a file copy, move, etc., it shouldn't take 3-4 days.
    Power down. Power up.
    Clinton

  • Is a truststore needed if the server certificate is signed by a CA?

    I have a server SSL certificate that has been signed by a trusted certificate authority (CA). I'm using a java desktop application to consume web services at that server over ssl/https using Axis 2 (no client certificate authentication). Everything is working fine, but I see code examples using a truststore or keystore (by the way, what is the difference?) and I'm starting to wonder if I need to use this kind of mechanism. Some articles I have read imply that I don't need to use a keystore because the server's certificate is signed by a CA. I've read lately about some man-in-the-middle attacks that involve intercepting https traffic and impersonating the server. Will my solution be vulnerable to this kind of attack if I don't use a keystore? If I simply provide Axis with an https endpoint url of the web services, will my solution be secure? Any help would be appreciated. Thanks.

    SSL provides you with privacy, integrity, and authentication. That is, the messages are encrypted, tamper-evident, and come from an authenticated identity. Whether that's the identity you want to talk to is another question. So the application has to perform the authorization step, i.e. check the identity against what is expected. You do this by getting the peer certificates out of the SSLSession, usually in a HandshakeCompletedListener, and check that the identity of the server is what you expect. SSL can't do this for you as only the application knows who it expects to talk to. Another way around this is to ship a custom truststore that only contains the server certificate for the correct server, so it won't trust anybody else.
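
The two approaches from the answer above, combined in an added example that is not part of the original thread: the client trusts only the entries of a truststore shipped with it, then compares the server certificate's subject with the one it expects. The class name, the command-line arguments and the use of the subject DN as the expected identity are assumptions; the check runs right after `startHandshake()` rather than in a `HandshakeCompletedListener`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.x500.X500Principal;

/** Added example (hypothetical class): pinned truststore plus an application-level identity check. */
public class PinnedTrustClient {

    /** Build an SSLContext whose only trust anchors are the entries of the given truststore file. */
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No key managers: this client does not authenticate with a certificate.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Connect, let JSSE validate chain and host name, then check the peer is the expected server. */
    static SSLSocket connect(SSLContext ctx, String host, int port,
                             X500Principal expectedSubject) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        try {
            // A bare SSLSocket does not match the certificate against the host name
            // unless an endpoint identification algorithm is set.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Throws SSLHandshakeException if the chain does not end in the truststore
            // or the certificate does not match the host name.
            socket.startHandshake();

            // Authorization step: only the application knows who it meant to talk to.
            X509Certificate leaf =
                    (X509Certificate) socket.getSession().getPeerCertificates()[0];
            if (!expectedSubject.equals(leaf.getSubjectX500Principal())) {
                throw new SSLPeerUnverifiedException(
                        "unexpected server identity: " + leaf.getSubjectX500Principal().getName());
            }
            return socket;
        } catch (Exception e) {
            socket.close();   // never hand back a socket whose peer was not verified
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: PinnedTrustClient <truststore> <password> "
                    + "<host> <port> <expected-subject-dn>");
            System.exit(2);
        }
        SSLContext ctx = contextFromTrustStore(args[0], args[1].toCharArray());
        try (SSLSocket socket = connect(ctx, args[2], Integer.parseInt(args[3]),
                new X500Principal(args[4]))) {
            System.out.println("Handshake OK, protocol " + socket.getSession().getProtocol());
        }
    }
}
```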

  • HT5012 Why can't I log onto the iBook store? message reads cannot verify server identity

    I no longer can log into the iBook store when I previously could - also I continue to get notices that read "cannot verify server"

    Hello Jkmcdonald530,
    This may be due to an inability to properly communicate with the iTunes Store. The following article provides troubleshooting steps that can help re-establish communication between the store and your iPad.
    Can't connect to the iTunes Store
    http://support.apple.com/kb/TS1368
    Cheers,
    Allen

  • How do I remove "cannot verify server" message?

    I have a message that says "cannot verify server" with options to cancel, details, or continue. I hit any of these and nothing happens. I cannot power down the ipad.

    Right-click on the Identity Plate, and change the selected Identity Plate from "Lightroom Mobile" to "Lightroom".

  • Lync 2013 mobile client. Can't verify the certificate from the server. Please contact your support team

    We upgraded Lync Server 2010 to Lync 2013.
    Users are able to login on desktop clients but unable to connect on mobile client. We get following error message:
    Can't verify the certificate from the server.
    Please contact your support team

    Please check the Root CA is installed on your mobile device.
    Can you sign in externally?
    Please check you have updated the DNS records for Lync mobile autodiscover service.
    Lisa Zheng
    TechNet Community Support

  • Can a server trust *client* code without a certificate

    Here's a sticky security question
    I want my server to trust that a client has performed the operation it says it has on some data held by the client (the client performs the operation to reduce server load). The server can supply code to perform the operation to the client, via a serialized object or RMI.
    However, I don't want every client to have to register with the server (eg if each client had its own certificate this would be necessary)
    Presumably something must happen as the client performs the operation to show that the correct (server generated) code was used.
    If the object which knows how to perform the operation is sent using RMI with a public sign method and the server lends its own private key for the signing, in a private field of this object, can a malicious client discern the private key of the server simply by deserializing the object ? Encryption of the serialized object doesn't seem to help as a normal client needs to decrypt, so the malicious one can too.
    What about if a private/public key pair is generated at the server and given to the client for signing? again the malicious client could sign using the key then perform a completely different operation.
    What should actually be signed at the client end - the object sent which performs the operation ? the server needs to know that this signature proves that the code it sent was used.
    would be interested in any ideas (this is for a university project)
    thanks to all
    John

    thanks for this
    a policy would be fine for a server only to allow certain clients to connect - but what I want to ensure is that once connected, a client really does use the code generated by the server - in effect I want to have untrusted clients (eg anyone) to be able to connect, but I need to trust that they perform a certain operation.
    I think that with RMI I can ensure that a certain method is called if the client has a true (verified...how?) java virtual machine installed, and not a malicious one... but I am coming to the conclusion that to ensure that the right code is used, I will have to give each client its own public/private key and let the server hold a register of trusted clients (which reduces the elegance of the system)
    Jon

  • Lync 2010 Certificate Issue - "There was a problem verifying your certificate from the server"

    Greetings.
    My Issue:
    Lync 2010 client does not connect to server; error displayed "Cannot sign into Lync. There was a problem verifying the certificate from the server."
    Description:
    The client is running on my Windows 7 box, and my CA server is a Windows Server 2003 box. I have installed the hotfix on the Server 2003 box to update the Web Enrollment portion of CA to allow for newer clients (Vista and 7) to receive certificates from this server.
    Lync server is running on Server 2008 R2 STD, installation was a success.
    The Windows 7 box is a part of the domain.
    I have manually exported the Root CA from my Enterprise CA server from Trusted Root Certification Authorities -> Certificates and imported into the same location on my Windows 7 box.
    If I look at the certification path on the Root CA, on my Windows 7 box,  it says "The certificate is OK." The same goes for the servers involved. 
    Still nothing.
    I have read the other forum posts on here about people having success once they manually import the Root CA from the Enterprise CA server, but this is not my case here. 
    All certificates are successfully assigned on the Lync server box; however, I did have to manually import the Root CA into Lync server's Trusted Root Certification Authorities -> Certificates before I could successfully assign them. Had to do this on another deployment I completed, so I didn't think anything of it.
    To recap: it seems that even with my Root CA imported into my Windows 7 box I can still not connect to my Lync server with the client, and I get the error message "There was a problem verifying the certificate from the server."

    Solved
    Solution: Export certificate from Lync Server: Start > Administrative Tools > IIS > Server Certificate > Export > abc.pfx, save it. Copy and place the certificate where MS Lync 2010 client is installed or getting certificate error. Follow these steps on client machine to install certificate:
    Run > mmc > add or remove snap in > certificates > computer account > local computer > finish > ok > expand Certificate > Trusted Root Certification Authorities > Certificate > All task > Import > copy abc.pfx certificate and delete unnecessary certificate from there.
    Restart Client machine and open microsoft Lync client 2010 and open option menu > Personal > Advanced > choose Auto Configuration > save ok

  • Need for NPS server certificate with PEAP-MS-CHAPv2

    Hi,
    I have a question about a small setup I'm currently testing. In a Wireless access with 802.1X authentication based on PEAP/MS-CHAPv2, and a NPS server (MS server 2012R2), I've noted reading technet documentation that the NPS server or other RADIUS server do have a certificate (issued by a 3rd party CA or by an AD CS environment).
    However, it remains for me a point I would like to clarify (sorry I surely have a bad understanding of documentation). If my client is configured for not "validate server certificate", do I still need to have a certificate on the NPS server ?
    Well, I know it is not secured, but this will permit me to test without configuring an AD CS, and without buying a certificate.
    Many thanks in advance for your answer.
    Regards,
    Fabrice

    You also need a server certificate in this case as the protection in Protected EAP is due to the encryption of the TLS session.
    Not validating the server certificate just means that no additional check of the name is done, so the client would be able to connect to any RADIUS server - given that its certificate chain is valid. But the certificate chain as such is checked as in every SSL handshake.
    You don't need a certificate issued by a commercial CA though - you could use an inhouse PKI. For tests you could use a self-signed certificate as well.
    Edit: If you want to test self-signed certificates the easiest way is probably to install the web server role and use its built-in option to create a self-signed certificate.
    Elke

  • DSEE Server certificate required on client side?

    I have DSEE 6.3 working in my environment but I am not sure it's configured as it should be....
    I am using tls:simple and everything works, the certificate store is setup with
    the CA and LDAP server certificates on both the LDAP servers and clients.
    Questions:
    - I was expecting the LDAP client to only require the CA certificate however that didn't work!?
    - Shouldn't the server present the server certificate and the client would accept it by validating against the CA certificate? Why would it need to have the server certificate as well?
    - If I deploy the LDAP server certificates to the clients will they all need to be replaced/updated when the server certificate expires?
    Additional info:
    My DSEE server is configured to NOT accept certificate based client authentication.
    All my certificates are valid when I check them with certutil -V
    Edited by: smorris@ on Jan 5, 2009 8:58 PM

    Hi,
    I ended up getting a certificate signed by my internal CA and it worked just as expected.
    I can only assume my CA certificate wasn't actually a CA...
    Checking the output of the commands you suggested clearly shows this - I must have been blind when I ran this last time (or looking at a different cert).
    I guess my question should now be - why was the certificate I created not a valid CA?
    Create CA:
    CA.sh -newca
    Create certdb:
    /usr/sfw/bin/certutil -A -n test-ca -t TC,, -d . -i testca.pem
    Certutil output on this CA:
    /usr/sfw/bin/certutil -d . -L
    test-ca CT,,
    /usr/sfw/bin/certutil -V -e -l -u V -d . -n test-ca
    test-ca : Issuer certificate is invalid.
    /usr/sfw/bin/certutil -d . -L -n test-ca
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number: 0 (0x0)
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Issuer: "<snip>"
    Validity:
    Not Before: Mon Dec 08 01:57:47 2008
    Not After : Tue Dec 06 01:57:47 2016
    Subject: "<snip>"
    Subject Public Key Info:
    Public Key Algorithm: PKCS #1 RSA Encryption
    RSA Public Key:
    Modulus:
              <snip>
    Exponent: 65537 (0x10001)
    Signed Extensions:
    Name: Certificate Basic Constraints
    Data: Is not a CA.
    Name: Certificate Comment
    Comment: "OpenSSL Generated Certificate"
    Name: Certificate Subject Key ID
    Data:
    <snip>
    Name: Certificate Authority Key Identifier
    Key ID:
    <snip>
    Signature Algorithm: PKCS #1 SHA-1 With RSA Encryption
    Signature:
         <snip>
    Fingerprint (MD5):
    <snip>
    Fingerprint (SHA1):
    <snip>
    Certificate Trust Flags:
    SSL Flags:
    Valid CA
    Trusted CA
    Trusted Client CA
    Email Flags:
    Object Signing Flags:
    Edited by: smorris@ fixed format
