User portal HTTPS certificate

Similar Messages

• MFA Server - User portal and mobile app web server should be installed where?

  Hi. We are in the process of testing the Multi-Factor Auth server and are currently using it for two-factor authentication to RDS for a couple of users. At the moment we are only using the phone call/text options but I'd like to get the mobile app portion
  working to test.  Also still need to implement the user self-service portal for testing.
  Currently I have a vm that was dedicated to MFA where the Multi-Factor Authentication Server software was installed.  Now though I'm a bit confused as to if its safe to install the user portal and mobile app web service portion on this same machine
  or if they should go on a different server(s)?  Currently the box is internal but I'm guessing if it has also act as the web server we would stick it behind the TMG for external inbound access.  Is external access to the primary MFA server ok? 
  What's the best practice for separation of the MFA roles; or is there none and its fine to just put it altogether? 
  Thanks.

  Hello Col. Forbin,
  Thanks for posting here!
  You have a dedicated MFA server and if you install User Portal on the same server as the MFA Server, it uses RPC to communicate with the MultiFactorAuth service locally.
  If the User Portal is installed on a different server, it must connect via the Web Service SDK. You can use either a username/password of a service account that is a member of the PhoneFactor
  Admins security group, or you can configure client certificates. If using the username/password, you can encrypt the appSettings section of the web.config file if desired.
  Under Inetpub\wwwroot\MultiFactorAuth when you edit the web.config file you need to make sure these values are set.
  USE_WEB_SERVICE_SDK:
  true
  WEB_SERVICE_SDK_AUTHENTICATION_USERNAME: domain\user
  WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD:
  password
  OVERRIDE_PHONE_APP_WEB_SERVICE_URL: 
  You might want to refer this thread link:
  https://social.msdn.microsoft.com/Forums/en-US/ad1f6fc1-ab3f-482d-a435-e4fd6665f640/mfa-user-portal-issue?forum=windowsazureactiveauthentication
  Additional reference links:
  https://technet.microsoft.com/en-us/library/dn376347.aspx#multifactor
  https://pfweb.phonefactor.net/install/6.2.1.16387/release_notes.txt
  Let me know if you have any further questions!
  Regards,
  Sadiqh Ahmed

• User portal file browsing

  So I'm feeling out my user portal and I want a way for my people to download software.  I had previously set up a Sharepoint library and made an iFrame for users to view it on.  Works great in that the sharepoint frame recognizes their AD account so no additional login.  I have the issue of duplication of files.  I already have a share with all my software neatly organized and to duplicate this on a sharepoint library seems a waste.
  I could just list all my software and then link each name to the file but that seems inefficient especially since I'll update software regularly.  Not to mention I want to do the same thing with some 
  So can anyone suggest a way for a normal user to browse the available folder/file structure and download said files? 
  This topic first appeared in the Spiceworks Community

  I use File Manager, and although it does not supot FTP its a pretty good manager. With several cloud options. 
  https://itunes.apple.com/us/app/file-manager-free/id479295290?mt=8
  However, a quick google search of the App store revealed this:
  iUnarchive Lite - Archive and File Manager with support for Dropbox, Box, Skydrive, SugarSync, WebDAV en FTP
  https://itunes.apple.com/us/app/iunarchive-lite-archive-file/id380663019?mt=8

• Cannot see latest helpdesk requests in user portal

  We have upgraded to the latest version of Spiceworks. However, one of our users still cannot see their latest tickets in the user portal. They can see past tickets that are still open but not the latest ones. The latest ticket they can see was from 2015-02-11. The latest ticket raised is from 2015-07-07 We tried raising two test tickets and he received the following message: You are not authorised to view this ticket.
  The account that he uses to raise tickets is not part of Active Directory. Could this be the reason? But why would his previous tickets still show?
  This topic first appeared in the Spiceworks Community

  URL is this https://manage.windowsazure.com/<my account id>#Workspaces/All/dashboard
  The portal page which I see has different background and different set of items (some of them are the same though). I'd gladly paste the screenshot but am getting this message:
  "Body text cannot contain images or links until we are able to verify your account."  I wonder why.

• 3rd Party End User Portal Offerings

  Just wondering if anyone is aware of any 3rd party end user portal offerings.
  The out of the box one does not provide the look & feel we are after (too "industrial" & IT-like) for our clients, so I was interested in any 3rd party off the shelf offerings that may available. We are a small, non-Sharepoint IT environment,
  so customising the out-of-box version would not be the preferred option. We would be greatly interested in a more "client friendly" offering as delivered by many of the other service management tool vendors. We would also prefer to have a non-Sharepoint
  version if one exists.
  Another key feature that we would be after is for the incident/service logging to be integrated with the knowledgebase so suggestions are presented as the client enters the title of their issue. I've seen this in the client portal offering of a number of
  other service management products and it is a great feature. Effectively can provide an answer to the client without them having to log a ticket.
  Any advice or suggestions would be greatly appreciated.

  The master pages of the SharePoint are locked by Microsoft, so I kind of doubt anyone has any custom portals for you.
  However you can obviously easilly change the colours, title and image logo etc via Site Actions \ Site Settings. I'm not a SharePoint expert but this is very little effort and any IT person can manage that. But if you say wanted to move the menu
  to a top frame menu, you cant.
  To remove that Need Help bit and replace it, refer to this easy to follow blog post by the SCSM engineering team:
  http://blogs.technet.com/b/servicemanager/archive/2012/02/06/customizing-the-scsm-2012-self-service-portal-how-do-i-change-the-need-help-or-description-text.aspx
  I think your entering Title functionality with Help Article suggestions would be a great future, same as here on the Technet forums, but I cannot see that anyone would have been able to create that functionality in SCSM with the portal. Maybe in future versions,
  but I wouldnt hold my breath.
  SCSM 2012 is not a quick out of the box product that you just install and off you go in a day, it takes a fair bit of configuring for the portal, ROs, SLAs etc. If you are a small IT counsultancy with small to medium businesses as your market, I might go
  so far as to say this is not the product for you. But that is just my personal opinion.

• MFA User Portal Issue

  Recently downloaded and installed the Multi-Factor Authentication server software on an on premises Windows 2012 R2 server.  I also installed the User Portal into IIS.  When I access the website for the user portal I am prompted with this error:
  Error communicating with the local Multi-Factor Authentication service. Please contact your administrator.
  I have looked everywhere for a solution but have not had much luck.  The MFA service is running under the Server Services and I have linked to our AD and synced under Directory Integration.  The user name and password fields are ghosted out so
  I can't type in these fields.  Anyone run across this?  IS it an IIS 8 or Windows 2012 R2 issue?  Am I the first person ever to experience this issue?  Any help would be appreciated.

  I found a solution for my installation, now it works fine. 
  1. Install User Portal
  2. Install SDK
  3. Create a certificate (I used from a domain root ca) and bind it to the Pages Portal and SDK
  4. Configure the web.config
      <add key="USE_WEB_SERVICE_SDK" value="true"/>     <add key="WEB_SERVICE_SDK_AUTHENTICATION_USERNAME"
  value="domain\user"/>     <add key="WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD" value="PW"/>
  4. Install Windows Authentication on IIS
  5. For the Website SDK disable anonymous authentication and enable Windows Authentication 

• Public SharePoint Online Site with External User Portal

  Hello Everyone,<o:p></o:p>
  My company switched over to Office 365 a few months ago, and now would like to start using our Public SharePoint site to share information (documents
  pertaining to their orders/drawings/etc.) with our customers (external users).<o:p></o:p>
  <o:p> </o:p>
  I have seen documentation on how to share documents with individual users, but we were looking to do something a little bit different. We would ultimately
  like to have a public site with generic company information (like hours, about us,directions etc.) that anyone can see.
  We would also like to use SharePoint as almost an "FTP type" service where we could post documents and share them with individual
  external
  users. HOWEVER, instead of sharing individual documents, we were wondering if there was a way that an external user (that we have granted
  access) could sign into the public SharePoint site, and then see information that ONLY pertains to them.
  I have been doing some research on this, and I haven't seen that anyone else has tried this. Has anyone had any luck? Or would you have suggestions on how to make
  this work? I had originally posted this question on the Office 365 SharePoint forum, and they suggested posting this question here. Any help would be appreciated. Thanks!

  Hi,
  did you finally manage to get what you requested here above ? Indeed, I am also struggling to set up the same (public website with individual content sharing with external authentified user).
  For external user, I am quite sure that we need to go through MS ID creation (I have created some test users using https://login.live.com).
  Our public website is done and (almost) working. I have then created a sub-site for the same, this one to manage permission based on authentified user
  But I am stuck when trying to assign a document library with relavant permission.
  Would be great to share our feedback and I have searched a lto on the web and did not find any satisfying answer to this design (If there is any... here is my doubt...)
  Thanks in advance
  stef

• No "Remote-User" in HTTP header when HTTP request gets to WLS

  Hello Exprers,
  I have a customer, using 10.3.3 on Linux machine. Web server as Apache.
  He wants Remote-User in HTTP header, he used to get it when he used Tomcat. But when he transffered to Apache and 10.3.3, he is not getting the Remote-User in header, instead he is getting proxy-remote-user.
  He wants the Remote-user in HTTP header.
  Any clue, on why he is not getting it.

  Hi,
  We are facing error while doing openConnection
  When I tried with simple java file it worked as shown below
  import java.io.*;
  import javax.net.ssl.HttpsURLConnection;
  public class test
  public static void main(String[] args) throws Exception
  String httpsURL = "https://rcfe.aspac.citicorp.com:40054/servlet/Verify";
  URL myurl = new URL(httpsURL);
  HttpsURLConnection con = (HttpsURLConnection)myurl.openConnection();
  InputStream ins = con.getInputStream();
  InputStreamReader isr = new InputStreamReader(ins);
  BufferedReader in = new BufferedReader(isr);
  if (con!=null)
  System.out.println("con="+con);
  System.out.println(ins);
  Output*
  [rcrrgbg2@kauh0079:/rcrmap2/weblogic/bea/ORA_PFRD/forms/j2ee] java test
  con=com.ibm.net.ssl.www2.protocol.https.e:https://rcfe.aspac.citicorp.com:40054/servlet/Verify
  sun.net.www.protocol.http.HttpURLConnection$HttpInputStream@5f6c5f6c
  However when I tried with below program I am able to write upto Web CL URL but after that no log is written when it tries to do openConnection() for this line csConn=(HttpsURLConnection)new URL(webclURL).openConnection(); in the below code
  Some part of the code:_
  =======================================================================
  import java.io.*;
  import javax.servlet.http.*;
  import javax.servlet.*;
  import java.util.Hashtable;
  import java.io.File;
  import java.io.FileInputStream;
  import javax.servlet.ServletException;
  import javax.servlet.ServletOutputStream;
  import javax.servlet.http.HttpServlet;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import javax.net.ssl.HttpsURLConnection;
  import java.net.URL;
  public class CRMSLogin extends HttpServlet
  private static final long serialVersionUID=-6294676216324813290L;
  public void doPost(HttpServletRequest request,HttpServletResponse response) throws ServletException,IOException
  String iniFile=request.getParameter("CRMS_INI_FILE_PATH");
  String sessionId=request.getParameter("SessionId");
  String applId=request.getParameter("apl_id");
  String userId=request.getParameter("userId");
  String clientIp=request.getRemoteAddr();
  Properties iniProp=this.getProperties(iniFile);
  String crmsAppServerContext=iniProp.getProperty("CRMS_APP_SERVER_CONTEXT");
  String appModule=iniProp.getProperty("CRMS_MODULE");
  String webclURL=iniProp.getProperty("WEBCL_URL");
  // HttpsURLConnection csConn=null;
  String crmsFormsTerm=null;
  crmsFormsTerm=getEntitlements(iniFile.trim(),sessionId,applId.trim(),clientIp.trim(),webclURL.trim());
  String baseContent=this.getBaseContent(iniProp);
  ServletOutputStream out=response.getOutputStream();
  baseContent=baseContent.replaceAll("<!APP_TITLE!>","Credit Risk Management System");
  baseContent=baseContent.replaceAll("<!APP_CONTEXT!>",crmsAppServerContext);
  baseContent=baseContent.replaceAll("<!APP_MODULE!>",appModule);
  baseContent=baseContent.replaceAll("<!APP_TRACE!>",crmsFormsTerm.replaceAll(" ", ""));
  baseContent=baseContent.replaceAll("<!USER_ID!>",userId);
  baseContent=baseContent.replaceAll("<!SESSION_ID!>",sessionId);
  baseContent=baseContent.replaceAll("<!APPL_ID!>",applId.trim());
  baseContent=baseContent.replaceAll("<!CLIENT_IP!>",clientIp.trim());
  baseContent=baseContent.replaceAll("<!INI_FILE!>",iniFile.trim());
  out.println(baseContent);
  out.flush();
  out.close();
  private synchronized Properties getProperties(String inifile)
  Properties iniProp=new Properties();
  FileInputStream iniFileStream=null;
  try
  iniFileStream=new FileInputStream(inifile);
  iniProp.load(iniFileStream);
  iniFileStream.close();
  catch(Exception e)
  finally
  try
  if(iniFileStream!=null)
  iniFileStream.close();
  catch(Exception e)
  return iniProp;
  public static synchronized String getEntitlements(String inifile,String sessionId,String applId,String clientIp,String webclURL)
       HttpsURLConnection csConn=null;
       OutputStreamWriter requestStream=null;
       BufferedReader responseStream=null;
       StringBuffer responseData=new StringBuffer();
       String csReturnString=null;
       //String webclURL=null;
       BufferedWriter traceLog=null;
       int csCount=6;
       Properties iniProp=new Properties();
       String traceFile=null;
       String entitlementData=null;
       try
       readIniProperties(inifile,iniProp);
       traceFile=getTraceFile(iniProp);
       traceLog=new BufferedWriter(new FileWriter(traceFile,true));
       if(traceFile!=null)
       traceLog.write("###########################");
       traceLog.write("P A R A M E T E R S");
       traceLog.write("###########################");
       traceLog.newLine();
       traceLog.write("INI_FILE:"+inifile);
       traceLog.newLine();
       traceLog.write("SESSION_ID:"+sessionId);
       traceLog.newLine();
       traceLog.write("APPL_ID:"+applId);
       traceLog.newLine();
       traceLog.write("CLIENT_IP:"+clientIp);
       traceLog.newLine();
       traceLog.write("count:"+csCount);
       traceLog.newLine();
       traceLog.write("###########################");
       traceLog.newLine();
       //webclURL=getWebclURL(traceLog,iniProp);
       if(webclURL!=null)
       traceLog.write("Web CL URL:"+webclURL);
            traceLog.newLine();
       csConn=(HttpsURLConnection)new URL(webclURL).openConnection();     
  traceLog.write("Open Connection - Completed!");
       traceLog.newLine();
       csConn.setRequestMethod("POST");
       csConn.setDoInput(true);
       csConn.setDoOutput(true);
       requestStream=new OutputStreamWriter(csConn.getOutputStream());
       traceLog.write("Open Request Stream - Completed!");
       traceLog.newLine();
       requestStream.write("SessionId="+sessionId+"&ClientIP="+clientIp+"&apl_id="+applId+"&count="+csCount);
       requestStream.flush();
       requestStream.close();
       traceLog.write("Write Params to Request Stream - Completed!");
       traceLog.newLine();
       responseStream=new BufferedReader(new InputStreamReader(csConn.getInputStream()));
       traceLog.write("Open Response Stream - Completed!");
       traceLog.newLine();
       while((csReturnString=responseStream.readLine())!=null)
       responseData.append(csReturnString);
       traceLog.write("Response Stream Reading - Completed!");
       traceLog.newLine();
       responseStream.close();
       csConn.disconnect();
       entitlementData=getEntitlementData(traceLog,responseData.toString(),iniProp);
       traceLog.write("responseData::"+responseData);
       traceLog.newLine();
       traceLog.newLine();
       traceLog.write("entitlementData::"+entitlementData);
       traceLog.newLine();
       traceLog.flush();
       traceLog.close();
       catch(Exception e)
       e.printStackTrace();
       finally
       try
       if(requestStream!=null)
       requestStream.close();
  =======================================================================
  output_
  ###########################P A R A M E T E R S###########################
  INI_FILE:/rcrmap1/rcrrgbg2/crms.ini
  SESSION_ID:%2526%253ASIGNED_TICKET%253D%2526PROVIDER_TICKET%253D002c6e4cH0tZy2Gj4JBCOiSL7uSlKisfsqgwP9KoRRn7e%252BY%253D%253AKRSERVER0006%252BA9A52AAE%252B4D1DC7AA%252B14400
  APPL_ID:RCRMKR
  CLIENT_IP:169.165.42.174
  count:6
  Web CL URL:https://rcfe.aspac.citicorp.com:40054/servlet/Verify
  Please help to guide us.
  Regards,
  Harish

• How to add a user defined HTTP header field?

  Hi, everyone!
  I want to add a user defined HTTP header field to a HTTP
  response header.
  I use the following statements in testHeader.jsp
  response.addHeader("myheader", "123");
  response.sendRedirect("middleHeader.jsp");
  in middleHeader.jsp,
  out.print(request.getHeader("myheader"));
  But the output in middleHeader.jsp is null!
  How to add a user defined HTTP header field to a HTTP
  response header? Are there some sample codes?
  Cheers,
  George

  the send redirect actually creates a new request (through the client) and thus a new response
  thus the headers you set in the response are gone for the next request/response
  You can try servletDispatcher.forward

• How to create a new user over HTTPS

  Hi. I have set up conf.xml and web.xml so that when the user accesses a page in the secure area of the website, then they are taken to a login page where they enter their username and password and the form calls j_security_check on the server. All this happens over SSL as the transport garauntee is CONFIDENTIAL. But how to create a new user over HTTPS? If I have a create new account pages in the secure area of the website, then the only way the user can access these pages is by logging in, but they don't have a login as yet.

  An update. It looks that if the auth-constraint section (which lists the roles that can access this area) is missing, then everyone can access the region and it is over HTTPS. So far, the following seems to be working
     <security-constraint>
        <display-name>View My Account</display-name>
        <web-resource-collection>
           <web-resource-name>My Account Area</web-resource-name>
           <url-pattern>/myaccount/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
           <role-name>myrole</role-name>
        </auth-constraint>
        <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
     </security-constraint>
     <login-config>
        <auth-method>FORM</auth-method>
        <realm-name>Form-Based Authentication Area</realm-name>
        <form-login-config>
           <form-login-page>/newaccount/login.html</form-login-page>
           <form-error-page>/newaccount/loginerr.html</form-error-page>
        </form-login-config>
     </login-config>
     <security-role>
        <role-name>myrole</role-name>
     </security-role>
     <security-constraint>
        <display-name>Create New Account</display-name>
        <web-resource-collection>
           <web-resource-name>New Account Area</web-resource-name>
           <url-pattern>/newaccount/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
           <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
     </security-constraint>

• Mode not available on user portal

  If we setup the default for users to be OTP how do they change to OTP+pin and set a PIN?
  I turned all the users options on for the portal but the MODE option did not show up
  If I set myself up as an admin then I get a mode option for the user I searched for
  Thanks
  -chuck

  Mode is dictated by the admin. Users can't choose for themselves whether to require PIN or not. Users can be set to PIN mode in the MFA Server or through the User Portal Admin functionality in the User Portal.

• How to check whether the user has a certificate or not?

  Hi everyone.
  We're currently finishing a web project and the last step is to check whether users accessing the application have a valid certificate or not.
  Users with a valid certificate can access all the data. Users without any certificate installed on their browsers may still proceed, but they won't be able to see all data. Please note that the lack of a certificate doesn't mean an error - it's just another use case.
  Is there any way to check whether users have a certificate installed on their browsers?
  Thanks in advance.
  Edit: sorry, I forgot to post some tech details. We're using Struts 1.2 on a Tomcat 5 app server.
  Message was edited by:
  advaca

  I am not sure how Tomcat handles this, but you need to use two-way (mutual authentication) request but not enforce SSL between Tomcat and the client browser. This will make the browser prompt the user for the cert they want to send. Then you'll need to tackle the other part of your problem, getting the correct content displayed depending on whether the user sent a cert or not. I'm even less help there than I was on the first part of your question.
  So, yeah - good luck with that
  Lee

• TMS User Portal: The connection was reset. TMS 14.6.0 + TMSPE 1.4.0.8

  Hello,
  I am building a small CMR setup in my lab for a customer demo.
  The problem is that TMS User Portal is not accessible and shows "The connection was reset". Everything else works fine.
  I struggle to find any reference on similar issues. Can somebody please suggest where to start looking?
  The setup details:
  Windows Server 2012 Std, x64
  SQL Server 2008 R2
  Thank you in advance,
  Best regards,
  Dmitry.

  I have installed jre-7u51-windows-x64.exe form the Java site. Installation went well, Java console shows 'enabled'. However, if I start TMS locally (127.0.0.1) and navigate to the Conference Control Center - it says:
  "Java support has not been detected. This page requires Java to be installed and enabled in your browser. Java may not be installed, or may be disabled in your browser due to configuration or security settings."
  What am I missing?

• How to create User Portal in OID programmatically in JSP

  Hi.
  I want to create User Portal programmatically in JSP (if posible) or have to use procedure.
  I check with package wwsec_api, it just have 'function
  add_portal_user', but it say we must have "the user must already exist in OID before this function is called."
  So, i checked for 'how to create User in OID'. What i got (in metalink)just methods that 'Create manually Portal Users in to OID' by LDAP or PL/SQL coding (with list of user in flat files).
  What i want to do is, How to create User POrtal in OID by JSP? What are the procedure/table/method involved?
  Do anybody have any samples?..
  Thanks.

  I had to write my own because I could not find one anywhere. Here is an addUser() method that seems to work pretty well.
  import oracle.ldap.util.jndi.ConnectionUtil;
  import javax.naming.directory.*;
  import javax.naming.*;
  public class LdapUser
  public LdapUser(){}
  public void addUser(String pUsername, String pPassword, String pFirstName, String pLastName, String pEmail)
  try
  InitialDirContext ctx = ConnectionUtil.getDefaultDirCtx("host", "port", "orcladmin", "pwd");
  BasicAttributes attrs = new BasicAttributes();
  BasicAttribute oc = new BasicAttribute("objectclass");
  oc.add("top");
  oc.add("person");
  oc.add("inetOrgPerson");
  oc.add("organizationalPerson");
  oc.add("orclUser");
  oc.add("orclUserV2");
  attrs.put(oc);
  BasicAttribute gn = new BasicAttribute("givenName", pFirstName);
  attrs.put(gn);
  BasicAttribute sn = new BasicAttribute("sn", pLastName);
  attrs.put(sn);
  BasicAttribute cn = new BasicAttribute("mail", pEmail);
  attrs.put(cn);
  BasicAttribute pwd = new BasicAttribute("userpassword", pPassword);
  attrs.put(pwd);
  // Etcetera, etcetera...
  ctx.createSubcontext("cn="+pUsername+",cn=users,dc=whatever,dc=com", attrs);
  ctx.close();
  System.out.println("Success!!");
  catch (NameAlreadyBoundException nabe)
  System.out.println("Username is already in use. Please choose another.");
  catch (NamingException ne)
  System.out.println("NamingException: " + ne);
  catch (Exception e)
  System.out.println("User account was not created.");
  }

• Cisco ISE NDES EAP and HTTP certificates from different CA

  Hi guys, hope this is something you can help with…
  2 x ISE 1.2 (patch 5) 3415 appliances with hostnames webproxy1.customerdomain.com and webproxy2.customerdomain.com
  AD integration with customerdomain.local
  Guest authentication (CWA) using a separate interface on the ISE appliance (Gigabit 1) routing into its own VRF for isolation
  Corporate authentication is using EAP-TLS which is working fine
  BYOD using NSP with SCEP for iPads only at this stage using NDES on <customerdomain.local>
  I have installed a signed GlobalSign server certificate for HTTPS for guests (with SAN fields webproxy1.customerdomain.com and webproxy2.customerdomain.com)
  I have also installed a signed server certificate from the customer's CA for EAP (with CN of psn.customerdomain.local and SAN fields psn.customerdomain.local , webproxy1.customerdomain.com and webproxy2.customerdomain.com)
  The issue I have is if the two certificates are assigned for EAP and HTTP respectively the NSP process fails to generate a certificate though SCEP to the NDES server.
  As soon as I use the same internally signed certificate for HTTP and EAP it works, this then causes a problem with the HTTPS certificate being trusted by guests.
  This does not work with the GlobalSign certificate being used for both HTTPS and EAP, only the internal one works.
  Can you confirm if it is a valid design to have the ISE use one certificate for HTTPS and another for EAP signed by different CAs, it appears it has to be the internal CA used in the SCEP process to work.
  Thanks
  Andy

  I have now tested this with a test HTTP cert signed by a public CA and an EAP cert signed by my internal and SCEP works fine.  I am wondering if this is a certificate tier length issue.  My working example has a RootCA->IssuingCA->Cert.  It fails with a cert with a 3-tier heirarchy RootCA->IntermediateCA->IssuingCA->Cert.
  Can anyone confirm this works on other deployments with a 3-tier certificate chain with SCEP?
  Thanks