Secure Tarantella and Certificats w/ multible names

Similar Messages

• The dreaded 404 message using basicHttpBinding, Transport security mode, and certificates

  I am working on setting up a WCF service using mutual authentication with both client and server certifiates. The service is hosted in IIS 7, and I'm trying to access it from a simple console app. When I try to connect to the service, I get the error ""There
  was no endpoint listening at
  https://localhost/IISHostedService/MyService.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details." The inner exception is "The remote server returned an error:
  (404) Not Found."
  I have seen people all over the net reporting this error, but so far none of their fixes work for me. I have an HTTPS binding in IIS for my app, and I am able to browse to my service (using either http or https) and view it with no problems. I can get the
  wsdl (also over either protocol) with no issues, but connecting from the client doesn't work.
  Here is my server config:
  <system.serviceModel>
  <behaviors>
  <serviceBehaviors>
  <behavior>
  <serviceCredentials>
  <serviceCertificate findValue="ServerCertificate" storeLocation="LocalMachine" x509FindType="FindBySubjectName" />
  <clientCertificate>
  <authentication revocationMode="NoCheck" />
  </clientCertificate>
  </serviceCredentials>
  <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
  <serviceDebug includeExceptionDetailInFaults="true" />
  </behavior>
  </serviceBehaviors>
  </behaviors>
  <serviceHostingEnvironment multipleSiteBindingsEnabled="true" />
  <bindings>
  <basicHttpBinding>
  <binding name="BasicHttpBinding_MyService">
  <security mode="Transport">
  <transport clientCredentialType="Certificate" />
  </security>
  </binding>
  </basicHttpBinding>
  </bindings>
  <services>
  <service name="MyService">
  <endpoint binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_MyService" contract="Namespace.IContract" />
  </service>
  </services>
  </system.serviceModel>
  And my client:
  <system.serviceModel>
  <behaviors>
  <endpointBehaviors>
  <behavior name="clientEndpointBehavior">
  <clientCredentials>
  <clientCertificate findValue="ClientCertificate" storeLocation="LocalMachine" x509FindType="FindBySubjectName"/>
  </clientCredentials>
  </behavior>
  </endpointBehaviors>
  </behaviors>
  <bindings>
  <basicHttpBinding>
  <binding name="BasicHttpBinding_MyService" closeTimeout="00:10:00"
  openTimeout="00:10:00" receiveTimeout="00:10:00" sendTimeout="00:10:00"
  allowCookies="false" bypassProxyOnLocal="false" hostNameComparisonMode="StrongWildcard"
  maxBufferSize="65536" maxBufferPoolSize="524288" maxReceivedMessageSize="65536"
  messageEncoding="Text" textEncoding="utf-8" transferMode="Buffered"
  useDefaultWebProxy="true">
  <readerQuotas maxDepth="32" maxStringContentLength="8192" maxArrayLength="16384"
  maxBytesPerRead="4096" maxNameTableCharCount="16384" />
  <security mode="Transport">
  <transport clientCredentialType="Certificate" />
  </security>
  </binding>
  </basicHttpBinding>
  </bindings>
  <client>
  <endpoint address="https://localhost/IISHostedService/MyService.svc behaviorConfiguration="clientEndpointBehavior"
  binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_MyService"
  contract="Namespace.IContract" name="BasicHttpBinding_MyService" />
  </client>
  </system.serviceModel>
  I am not sure if it matters, but this client and server are running on the same physical machine in a test environment. I have confirmed that both the client and the server certificates are installed, and that the issuing authority is trusted. The virtual
  folder is set in IIS to "Accept" client certificates, and SSL is not required.
  Does anyone have any thoughts what I may be missing? This service works without a problem over HTTP, so it has to be somehow related to the certificate that is being passed. With the Server certificate, I just trapped the ServicePointManager.ServerCertificateValidationCallback
  event to manually approve the certificate if the subject matched what I was looking for (the subject does not match the domain name, since this is a test environment). Do I need to do something similar for the client certificate?
  EDIT: One thing I do notice is that, in the WSDL, the soap location is always pointing to http. I'm not sure if that is correct or not:
  <wsdl:service name="MyService">
  <wsdl:port name="BasicHttpBinding_MyService" binding="tns:BasicHttpBinding_MyService">
  <soap:address location="http://computerName.domain.com/IISHostedService/MyService.svc" />
  </wsdl:port>
  </wsdl:service>

  A little more information (since this is the main thing I have to work on today):
  After some research, I decided to try using a custom certificate validator, in case something is wrong with the client certificate. In the clientCertificate\authentication node on the server, I set the certificateValidationMode="Custom" and set customValidationType="MyType.Validator,
  MyType". My type is apparently being found (when it is not found I get a "service could not be activated" error), but my Validate() method is never being called.
  Now this leads me to believe that it's not a problem with the client certificate, but something else, before it even gets that far.

• Secure connection failed: The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space) PLEASE HELP ME!!

  I have gone to this website almost everyday for years and I have not changed anything in my internet settings, but now I'm getting this message: secure connection failed: The Certifying Authority for this certificate is not permitted to issue a certificate with this name. (Error code: sec_error_cert_not_in_name_space) The only thing I KNOW I did differently, was I installed a CAC reader to my computer, since then, this has been happening. Is there a setting I can change?? E-mail is: [email protected] Thanks! Megan

  There were recently several users getting this error code who use AVAST 2015. If you recently got that program, please see:
  * [https://support.mozilla.org/questions/1029578 Can NOT access https://www.google.com for google voice, mail etc.]
  * [https://support.mozilla.org/questions/1028985 Avast Forum connection failed - works in Chrome etc.]
  * [https://support.mozilla.org/questions/1028190 Since last FF update I can't sign out of Yahoo and when I close FF it tells me it has crashed.]

• There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"

  Good day Guys
  First of all I am not an Exchange Expert, and I might be asking a very stupid question, but please bare with me. :) 
  While I was on leave our Mail server fell over and The company got a Specialist to help out for the time being.
  We where\are on Microsoft Exchange 2007 , which Fell over, and the specialist was able to recover as much data as he could.
  They then installed Exchange 2013 and tried to migrate everything from 2007 to 2013 and not everything migrated over.
  But the problem is, Outlook Anywhere was enable on 2007 and worked a 100% (before the disaster)
  With Exchange 2013 I get the following error message when trying to connect With Outlook 2013, using an external connection:
  "There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site "Mailserver"
  Outlook is unable to connect to the Proxy server. (Error Code 0)"
  Has anyone had the Similar when migrating over from 2007 to 2013 or is this an Issue on IIS and nothing to do with Exchange migration?
  Your assistance will be greatly appreciated.

  Hi,
  Firstly, I would suggest we use Exchange 2013 FE as the Outlook Anywhere proxy server.
  For the certificate issue, it mostly occurs because the host name that Outlook are trying to access does not match the certificate SAN. Please check with this point. If they do not match, you
  can change the host name by referring to the following article:
  https://support.microsoft.com/kb/940726/en-us?wa=wsignin1.0
  Thanks,
  Simon Wu
  TechNet Community Support

• Foxfire just updated to 3.6.14. Now when I open Facebook, in the secured site, it keeps asking the name of this computer each and every single time. Facebook does not recognize the computer, as it did before.

  As above, whenever I reopen Facebook, I have to put in my log in information, and then I have to put in "home", as the name of my computer, and I have to do this each time I open up Facebook, after I just got the new Firefox update to 3.6.14.

  * Websites remembering you and automatically log you in is stored in a cookie.
  * Create an allow cookie exception (Tools > Options > Privacy > Cookies: Exceptions) to keep such a cookie, especially for secure websites and if cookies expire when Firefox is closed.
  * In [[Private Browsing]] mode all cookies are session cookies that expire if that session is ended, so websites won't remember you.
  * Do not use [[Clear Recent History]] to clear the "Cookies" and the "Site Preferences"
  Clearing "Site Preferences" clears all cookies, images, pop-up windows, software installation, and password exceptions.
  * http://kb.mozillazine.org/Cookies

• I need reset my security information, I offered my user name and password is correct bout I can't get the information from your website in my email. So that I can't buy new app pay my money.

  I need reset my security information, I offered my user name and password is correct bout I can't get the information from your website in my email. So that I can't buy new app pay my money.

  Hi,
  Which website your are using to update the Adobe Flash player? No Adobe website ever ask for any id and password to update the flash player.
  If you are using MAC machine and its the password prompt while installing update that you are talking about then please follow What userid & password do I need to install Flash Player?
  -Varun

• Hi my name is khalied and I have a problem in my account the problem is that I forget my security answers and I forget the email that you will send the security questions to it and I hope you help me

  i have forget my security questions and the email how can I reset it

  If you can't remember your rescue email address (you won't be able to view and/or change it until you can answer your questions) then you will need to contact Support in your country to get the questions reset (these are user-to-user forums).
  Contacting Apple about account security : http://support.apple.com/kb/HT5699
  When they've been reset you can then use the steps on this page to view and/or change your rescue email address for potential future use : http://support.apple.com/kb/HT5620

• PKCS#11 Provider unable to fetch asymmetric keys and certificates

  Hi,
  I'm facing a problem while getting keys and certificate from Eracom HSM (ProtectServer Orange:38039 Model: PSO:PL50) using Sun PKCS#11 Provider. It gets only the symmetric keys but NEVER gets the asymmetric keys.
  My code snippet and configuration file are:
       Java Code:
       java.io.InputStream is = new java.io.FileInputStream("pkcs11.cfg");
  sun.security.pkcs11.SunPKCS11 pkcs11_provider = new sun.security.pkcs11.SunPKCS11(is);
  System.out.println("Provider Name : " + pkcs11_provider.getName());
  java.security.Security.addProvider(pkcs11_provider);
  KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11_provider);
  ks.load(null, "password".toCharArray());
  java.util.Enumeration obj_enumeration = ks.aliases();
  while (obj_enumeration.hasMoreElements()) {
  String str_certAlias = (String) obj_enumeration.nextElement();
  System.out.println("Alias : " + str_certAlias);
       pkcs11.cfg:
       name = Eracom
       library = G:\Eracom\cryptoki.dll
       slot = 0
       attributes(*, CKO_PRIVATE_KEY, *) = {
       CKA_TOKEN = false
       CKA_SENSITIVE = false
       CKA_EXTRACTABLE = true
       CKA_DECRYPT = true
       CKA_SIGN = true
       CKA_SIGN_RECOVER = true
       CKA_UNWRAP = true
       attributes(*, CKO_PUBLIC_KEY, *) = {
       CKA_ENCRYPT = true
       CKA_VERIFY = true
       CKA_VERIFY_RECOVER = true
       CKA_WRAP = true
  I also ran my program without specifying any attributes in configuration file, also tried many other combination, but in all cases (with or without attributes) only symmetric keys are loaded from HSM. I am able to get all keys (symmteric and asymmteric) and certificates from the same HSM using IAIK PKCS#11 Provider. Though, the Sun PKCS#11 Provider is working fine with SmartCard tokens (Rainbow, Alladin etc.)
  Any help to resolve my problem would be highly appreciated.
  Thanks in advance.

  I recently had a problem with ECDSA and the PKCS#11 library of nCipher. Here's info from one of their engineers about the PKCS11 library:
  "There are two separate issues - one is that our current pkcs11
  release doesn't support ECDSA signature with SHA-2 hashes
  (the v11.00 firmware adds support for it, but the main release version of
  the pkcs11 library hasn't been updated to take advantage of it yet).
  There is a hotfix version that does support SHA-2 hashes with some
  restrictions, talk to [email protected] for details, and V11.10
  should be out soon and have that merged in.
  But the issue with setting CKA_SIGN is that our underlying HSM API
  allows elliptic curve keys to be either key exchange (ECDH) or
  signature (ECDSA) keys, but not both at one.
  At the PKCS #11 level, if you specify CKA_DERIVE=true and let
  CKA_SIGN default, it will default to false, and vice versa.
  If you specify both CKA_DERIVE=true and CKA_SIGN=true, then we
  return CKR_TEMPLATE_INCONSISTENT because we can't do both with
  the same key. (However, the tests using C_GetMechanismInfo will
  show that we can do both mechanisms, because we can - so long
  as you use different keys, even though they have the same PKCS#11
  type.)
  I can't comment on when or how that will be changed."
  I was using the PKCS#11 library through NSS when I ran into the problem, but I imagine Java would run into similar problems also using the PKCS#11 library. I was able to generate keypairs but not create a CSR (which required making a signature, which required SHA-2).
  Can you just use the java classes to speak to the netHSM? I've never directly written code to do so myself, but I have used Corestreet's OCSP product that uses the java classes to speak to the nCipher HSMs (though not using EC). It might work better than going through the PKCS#11 layer. There should be a java directory under NFAST_HOME that contains some jars.
  Please post back if you figure anything out as I'll probably be playing with this stuff myself soon.
  Dave

• WRT160N and certificate?????

  Everything seems configured correctly.  My laptop recognizes router, but after asking me for "user name"  "password" and "login domain"  which I say/named linksys ...it gives me same list again and says I may need a certificate.  User certificate cannot be found on this computer.  My old WRT54G V8  worked fine.  I had no problems.  Laptop is Gateway/Vista

  Well you get this error message on your Wireless Computer only when the wireless security on your Router is set to WEP. As WEP is the Older Level of security.You get this message with most of the N Series Router.To Solve you problem you have 2 choises.
  1: Change the Security Mode on your Router to WPA or WPA2 Personal. 
  Assuming you have a Windows XP OS. 
  2: On your Wireless Computer... Click on Start - Control Pannel - Network Connections - Right click on your Wireless Network Connections and click on "Properties" and then you need to click on the tab "Wireless Network"  Below "Preferred Networks" you need to click on ADD butto, under "Network Name SSID" type your Wireless Network Name, Under "Network Authentication" let it be "Open" and under "Data Encryption" select "WEP" and below you need to Uncheck the Box "Key is Provided to me Automatically"  and above that under "Network Key and Confirm Network Key" type your Security key and click Ok and Ok. Now right click on your Wireless Network Connections and click on "View Available Wireless Network", Locate your Wireless network and click on Connect. 
  Once Connected to your Network, Now check if you are able to go online. 
  Message Edited by dibbler on 07-30-2009 03:27 PM

• PEAP-MS-CHAPv2 - mobile devices and certificates

  I'm looking to secure our wireless infrastructure and CHAPv2 seems to be what we need but I have a couple of concerns.
  Our external domain is company.net but our internal domain where the NPS server would sit is domain.company.local
  We have a lot of mobile devices - some are on the domain, some are not. 
  I'm happy to use an internal certificate or a 3rd party certificate, but given the different domain suffixes, is this going to be possible?  If I use a certificate with subject name domain clients won't trust it.  If I use subject name of company.net,
  no clients will trust the NPS server.
  How do I get all domain PCs and domain/non-domain mobile devices to trust and connect to the NPS server?

  Hi,
  When you deploy 802.1X authenticated wireless access that uses PEAP-MS-CHAP v2, RADIUS servers must have digital certificates in order to perform mutual authentication. To issue certificates to your NPS servers you have the option of deploying
  a private CA on your network, or purchasing a server certificate from a third party certification authority.
  During PEAP-MS-CHAP v2 authentication, the IAS or RADIUS server supplies a certificate to validate its identity to the client. Client computer and user authentication is accomplished with passwords, which eliminates some of the difficulty of deploying certificates
  to wireless client computers.
  Since user authentication is performed with password-based credentials, not certificates, the certificate which is issued to NPS use the internal domain suffix. But non-domain member computers must have the private CA certificate manually
  installed in the Trusted Root Certification Authorities certificate store for them to trust certificates, such as NPS server certificates, that are issued by the private CA.
  Besides, are all users in the internal domain? If users are in two domains, you have two options,
  Create a two-way forest trust for both sides of the trust.
  Install a new NPS server in external domain.
  For detailed information, please refer to the link below,
  Create a two-way, forest trust for both sides of the trust
  http://technet.microsoft.com/en-us/library/cc778851(v=WS.10).aspx
  Certificates and NPS
  http://technet.microsoft.com/en-us/library/cc772401(v=WS.10).aspx
  PEAP-MS-CHAP v2-based Authenticated Wireless Access Design
  http://technet.microsoft.com/en-us/library/dd348500(v=WS.10).aspx
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Secure Mobility Client Certificate Problem | scep-forwarding-url

  Hi All,
  I am having a problem configuring SCEP for my secure mobilty client.  I have created a connection profile to allow certificate requestes but when I fill in the scep-forwarding-url field I get an error. 
  The CA we are using is an internal MS CA with SCEP already enabled.  This has been configured for a long time with our current Cisco VPN client using certificate authentication.  The ASA is running 8.4.1.
  Here is the error I get when I try to enter the command into the group policy associated with my certificate enrollement connection profile:
  group-policy SSLGP attributes
  scep-forwarding-url value http://10.1.1.2/certsrv/mscep/mscep.dll
  Attempting to retrieve the CA/RA certificate(s) using the URL. Please wait ...
  Received 3 CA/RA certificate(s) using the SCEP URL.
  NON-RESIDENT CERT: serial: 11111111000100000145, subject: cn=SCEP_ADD_ON,o=OUNIT,c=UK
  NON-RESIDENT CERT: serial: 11111111000100000146, subject: cn=SCEP_ADD_ON,o=OUNIT,c=UK
  NON-RESIDENT CERT: serial: 11111111478AAB288393FAFf2a3E274, subject: cn=CERTSVR-01
  WARNING: Please check if you have all the required certificate(s) in the config to authenticate the certificates that will be issued using this SCEP URL
  Can someone explain why this is happening as it will not take the config?
  Thanks in advance.
  Ian

  Ian:
  I'am a roockie working on CA. I did the instalation over 2003 server and I checked and scep server is reachable in fact if I enter ther scep url I  get a message regarding the thumbprint and password. I got the same messege regarding the additional trustpoints, but in my environment I just have only one CA server. I notice by the certificate serial that I have the certificates generated on the CA numbered as 2 and 3 respectively but I have three questions.    
  1 .- I checked If the certificates could be exported as a .cer file but I just have two options as .dat or as text but I dont know how to import the text because the format looks different from the text chains we use to generate the trust points.
  2.- Because my config was not working I erased the ASA config and gave a different hostname to the ASA in fact I create an identity certificate with this name ¿Do i need to return to the original hostname?
  3.- Does the TAC gave You additional information on how to deal with CA server?

• Verisign certificate & Chain File Name

  Perhaps a newbie question, but here goes:
  I am having trouble installing a Verisign certificate on my Weblogic 6.0
  server. I have my private key and certificate file installed properly I
  believe, but am unsure what to put in the Certificate Chain File entry
  in the console. I only have 1 certificate for this server. I have tried
  to
  a) leave it empty - in which case it uses a default file name which does
  not exist
  b) use the certificate I got from Verisign
  c) export a class 3 certificate from my browser and use that file
  In all the cases that I give it an existing file name, I get the
  following stack trace:
  weblogic.security.CipherException: Incorrect encrypted block
  at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:208)
  at
  weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
  at weblogic.security.X509.verifySignature(X509.java:243)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at
  weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)
  <Sep 5, 2001 8:18:55 AM PDT> <Alert> <WebLogicServer> <Inconsistent
  security configuration, weblogic.security.AuthenticationException:
  Incorrect encrypted block possibly incorrect
  SSLServerCertificateChainFileName set for this server certificate>
  weblogic.security.AuthenticationException: Incorrect encrypted block
  possibly incorrect SSLServerCertificateChainFileName set for this server
  certificate
  at weblogic.security.X509.verifySignature(X509.java:251)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at
  weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)

  OK. Found out what it was.
  The Server Certificate Chain File name is what Verisign calls the
  Intermediate Certificate. So what you need to do is grab that cert off the
  Verisign site, paste it into a new file on your server and put that file
  name in as the path to the Chain File name.
  New question: Why the 2 names for the same thing ? The documentation could
  be a bit clearer here, as it's a very simple process that seems more
  complicated than it needs to be (IMHO).
  Brian Hall wrote:
  Perhaps a newbie question, but here goes:
  I am having trouble installing a Verisign certificate on my Weblogic 6.0
  server. I have my private key and certificate file installed properly I
  believe, but am unsure what to put in the Certificate Chain File entry
  in the console. I only have 1 certificate for this server. I have tried
  to
  a) leave it empty - in which case it uses a default file name which does
  not exist
  b) use the certificate I got from Verisign
  c) export a class 3 certificate from my browser and use that file
  In all the cases that I give it an existing file name, I get the
  following stack trace:
  weblogic.security.CipherException: Incorrect encrypted block
  at weblogic.security.RSApkcs1.decrypt(RSApkcs1.java:208)
  at
  weblogic.security.RSAMDSignature.verify(RSAMDSignature.java:89)
  at weblogic.security.X509.verifySignature(X509.java:243)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at
  weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)
  <Sep 5, 2001 8:18:55 AM PDT> <Alert> <WebLogicServer> <Inconsistent
  security configuration, weblogic.security.AuthenticationException:
  Incorrect encrypted block possibly incorrect
  SSLServerCertificateChainFileName set for this server certificate>
  weblogic.security.AuthenticationException: Incorrect encrypted block
  possibly incorrect SSLServerCertificateChainFileName set for this server
  certificate
  at weblogic.security.X509.verifySignature(X509.java:251)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:440)
  at
  weblogic.t3.srvr.SSLListenThread.<init>(SSLListenThread.java:297)
  at
  weblogic.t3.srvr.T3Srvr.initializeListenThreads(T3Srvr.java:942)
  at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:403)
  at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:169)
  at weblogic.Server.main(Server.java:35)

• Problem with Java keystore and certificates (unable to find valid cert path

  Our program is made so that when a certificate is not signed by a trusted Certification Authority, it will ask the user if he/her wishes to trust the certificate or not. If they decide to trust the certificate, it will accept the self signed certificate and import it into the keystore and then use that certificate to log the user in. This works fine. It will import the certificate into the keystore and use the specified ip address to establish a connection with the LDAP server (Active Directory in our case) and authenticate properly. However, the problem arises when we then try and connect to a different ip address (without restarting tomcat, if we restart tomcat, it works fine...). It imports the certificate into the keystore fine, but always gives the exception
  "Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
  and does not authenticate with our LDAP server (which is Active Directory). The problem seems to be that it is no longer looking at the System.setProperty("javax.net.ssl.trustStore", myTrustStore);
  I have tried multiple times to just reset this property and try and "force" it to read from my specified trust file when this error happens. I have also imported the certificates directly into the <java_home>/jre/lib/security/cacerts and <java_home>/jre/lib/security/jssecacerts directories as the java documentation says that it will look at those directories first to see if it can find a trusted certificate. However, this does not work either. The only way that I can get this to work is by restarting tomcat all together.
  If both of the certificates are already in the keystore before tomcat is started up, everything will work perfect. Again, the only problem is after first connecting to an IP address using TLS and importing the certificate, and then trying to connect to another IP address with a different certificate and import it into the keystore.
  One of the interesting features of this is that after the second IP address has failed, I can change the IP address back to the first one that authenticated successfully and authenticate successfully again (ie
  I use ip 1.1.1.1, import self signed certificate, authenticates successfully
  login with ip 2.2.2.2 import self signed certificate, FAILS
  login again with 1.1.1.1 (doesn't import certificate because it is already in keystore) successfully authenticates
  Also, I am using java 1.5.0_03.
  Any help is greatly appreciated as I've been trying to figure this out for over a week now.
  Thanks

  Please don't post in threads that are long dead and don't hijack other threads. When you have a question, start your own topic. Feel free to provide a link to an old post that may be relevant to your problem.
  I'm locking this thread now.

• How do I unlink my Apple ID from another persons I tunes account? I keep getting their security questions and one of my emails can't be used

  How do I unlink my Apple ID from another persons I tunes account? I keep getting their security questions and one of my emails can't be used. It keeps telling me I its linked to another account but it shouldn't anymore. Plus my security questions belong to the other person and it has no reset option

  depend on the version of itunes and if it's OS X or windows i suppose
  in itunes on ny computer in the upper right corner left of the search bar there is a circle with a black siloet  and my name beside it
  if I click on the v beside it I can a menu with logout as an option

• Server 2012 R2 - Essentials Experience - - I jacked my CA and certificates all to @#&$%!!

  Windows Server 2012 R2 - Essentials Experience
  In trying to put pieces together, I jacked my CA and certificates all to @#&$%!!
  Some of the factors involved are:
   Server0 - Hyper-V Host
    Server1 - DC, 2012 R2 Essentials Experience role
    Server2 - Exchange 2013
   Client Machines -
    Windows 7 Pro
    XP (Yes, these are my cross to bear... - worth noting their presence, but I'm working them out) 
   The functional requirements:
    Anywhere Access for Remote users
     - Remote Desktop for Windows 7 machines
    Outlook Web Access
  The mistake... 'Web Application Proxy'
   -which uninstalled the CA
  There is a CA back now, but after days of spinning in cirles in a rare area where I feel nearly completely lost (Certificate services) I am asking for help getting these pieces put back together.
  The current situation:
   The network is up with all of the network and business services required to work 'Inside the Office' - so the client is "functional".
   The "Essentials Experience" is broken and won't install to the clients, though it does provide the Essentials website, access to server shared files (fairly gracefully, I might add) and, as an administrator user, I can get to the servers via
  RWA through the site and there are no certificate problems with that since I have a secured certificate for the domain. 
   OWA has been moved to a further back burner while I try to get the Essentials Experience functioning t the point where the remote users can get to their workstations through RWA... This is the biggest current hurdle... RWA for the clients.
  Trying to install the client to the workstations nets me the "The Server is not available.  Try connecting this computer again,..." message at the point of username and password authentication.
  The clientdeploy.log finishes like this:
   [4976] 141016.153746.2670: ClientSetup: Standard Error:
   [4784] 141016.153746.2670: ClientSetup: The exit code of the process (C:\Windows\system32\nslookup.exe) is: 0
   [4784] 141016.153746.2670: ClientSetup: Set CD Fail reason 10 for SQM in ClientDeployment.exe
   [4784] 141016.153746.2670: ClientSetup: RecordClientDeploymentFailReason: Save registry failed in ClientDeployment.exe : System.UnauthorizedAccessException: Cannot write to the registry key.
    at Microsoft.Win32.RegistryKey.EnsureWriteable()
    at Microsoft.Win32.RegistryKey.CreateSubKeyInternal(String subkey, RegistryKeyPermissionCheck permissionCheck, Object registrySecurityObj, RegistryOptions registryOptions)
    at Microsoft.Win32.RegistryKey.CreateSubKey(String subkey, RegistryKeyPermissionCheck permissionCheck)
    at Microsoft.WindowsServerSolutions.ClientSetup.ClientDeploy.Helper.RecordClientDeploymentFailReason(UInt32 failReason)
   [4784] 141016.153746.2670: ClientSetup: Exiting ValidateUserTask.Run
   [4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has TaskStatus=Failed
   [4784] 141016.153746.2670: ClientSetup: Task with Id=ClientDeploy.ValidateUser has RebootStatus=NoReboot
   [4784] 141016.153746.2670: ClientSetup: Exting ConnectorWizardForm.RunTasks
   [1272] 141016.153755.0976: ClientSetup: Back from the Client Deployment Wizard
   [1272] 141016.153755.0976: ServerDiscovery:HostsFileUpdater: Removing hosts file entry: 1-WGB-01
   [1272] 141016.153755.0976: ClientSetup: Saving Wizard Data
   [1272] 141016.153755.0976: ClientSetup: End of ClientDeploy: ErrorCode=1603
  The computerconnector.log shows nothing of value.
  What I want to accomplish as a 'first step' toward recovery is to get the workstations properly connected so they show up in the Dashboard 'Devices' pane and can be managed and access by the Essentials tools.
  Secondarily, I would like to get the client side tools in place and functioning (I expect the latter will be a side effect of the former).
  So,... for anyone patient enough to have read this far... uh,... help?

  Actually,... I can now confirm the delicacy of which you speak...
  After a support incident with Microsoft which spanned a marathon 18+ hours on the phone and remote access by no fewer than 7 Microsoft Engineers, we got to a successful result. 
  It is a point of utter frustration for me when people put in threads like this then don't bother to come back and report 'how the issue was solved', and sadly, I am about to have done that merely because my span of functional attention and valuable reporting
  capability was basically gone before I submitted the ticket and following all that was done in my state was not conceivably possible. 
  So - all I can do is apologize for not being able to report a valuable resolution and give a few little tidbits.
  The net result is this - DO WHAT YOU CAN TO AVOID THE SITUATION IN THE FIRST PLACE.  Once your CA is in place, LEAVE IT THE $%@& ALONE!!!!  I mean... my best current advice.
  In all, the CA was uninstalled and reinstalled 4 times after my blunder and significant work was done in ADSIEdit as well as substantial manual manipulation of certificates and CAs that was well outside of my (quite considerable) scope of expertise.
  I wish I had more to offer in the world of resolution.
  With this said, I will make one more request of viewers and moderators alike:
  THIS QUESTION IS OFFICIALLY NOT ANSWERED.  IT WILL NEVER BE ANSWERED.  THE RESOLUTION IS NOT AVAILABLE TO THE MORTAL MAN.
  DO NOT MARK IT AS ANSWERED
  IF YOU MUST DO SOMETHING, DELETE THE WHOLE THREAD, BUT DO NOT BURDON PEOPLE WHO ARE LOOKING FOR REAL ANSWERS WITH THE NECESSITY OF READING THROUGH THIS.
  DO NOT MARK THIS QUESTION AS ANSWERED
  I hope this makes sense for people, and I hope people will appreciate NOT having to read this as though there is some 'resolution' contained within.