Wireless clients not trusting well-known Certificate Authorities by default??

I'm using PEAP-MSCHAPv2 for wireless authentication.  The RADIUS server is a Windows 2008 server running NPS.  The clients consist of a bunch of laptops (mostly running Windows).  Not all of these laptops are members of Active Directory, so pushing any type of policy out to all clients isn't feasible (i.e. using a private PKI and using AD to push the server cert and wireless config to all domain members).  So we decided to use a public PKI and obtained a certificate for our RADIUS server through a well-known CA.  So far, so good.
When clients go to connect, they still get a nasty warning saying:
--START--
The credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to security risk by a possible rogue server.
Details
Radius Server:  $radius
Root CA:        $ca
The server "$radius" presented a valid certificate issued by "$ca", but "$ca" is not configured as a valid trust anchor for this profile. Further, the server "$radius" is not configured as a valid NPS server to connect to for this profile.
--STOP--
(I replaced the actual radius server name with $radius and the CA with $ca).
Doing a little digging, it appears this is just the expected behavior of the Windows wireless client???  What's the point of getting a signed cert by a well-known CA if the client is still going to get a nasty warning like this?
Web browsers certainly don't behave like this.  The only difference between a web browser and the wireless client is that with a browser, you're always going after a URL (i.e., you can match what the browser wants to connect to against the CN on the server's cert), whereas on the wireless client, you generally won't know the RADIUS server you're going to authenticate against.  But in either scenario, the server's cert is signed by a well-known CA.
I found a nice post that mentions this, but no solution:
http://social.technet.microsoft.com/Forums/en/winserverNIS/thread/26886f09-e424-48da-9ecc-cf7efd9dccc0
Well, I suppose a solution is to manually configure the client to trust certs issued by the CA and/or configure my radius server in the connection profile.  But that requires configuring each client.  And there's no way we can use AD to push a policy/cert to all clients.
So my questions are:
- Is this really the expected behavior?
- So browsers generally trust the default CAs whose certs are stored on the OS by default, but the wireless adapters don't?

This is a limitation of the Windows wireless client.
http://support.microsoft.com/kb/2518158
Somewhere there was an article that described that the Microsoft wireless client does not trust public root CAs by default.  Using a 3rd-party utility like Intel PROSet trusts all the 3rd-party root CAs by default, so you don't get this message.
Please respond to Microsoft and voice your problem; maybe they will fix their wireless client to trust public root CAs.
Justin.
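The two checks named in the warning text above ("not configured as a valid trust anchor for this profile" and "not configured as a valid NPS server") are modelled below as an added example; this is not Microsoft's code and not part of the thread. It parses a constructed PEAP profile fragment in the MsPeapConnectionPropertiesV1 schema, runs a certificate issued by a public root through the supplicant's checks with an unpinned profile and then with a pinned one (the manual fix the question mentions), and contrasts that with a browser-style check on the same certificate. The thumbprint, host names and certificate records are placeholders; certificates are plain records rather than real X.509, and server-name matching is simplified to an exact, case-insensitive compare.

```python
"""Why a public-CA RADIUS certificate still triggers the PEAP warning.

Added example for this thread, not Microsoft's code. It parses a constructed
PEAP profile fragment (MsPeapConnectionPropertiesV1 schema) and applies the
two checks quoted in the warning text: trust anchor pinned? server name
listed? Certificates are plain records, not real X.509; the thumbprint and
host names are placeholders. Name matching is simplified to an exact,
case-insensitive compare (assumption).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

PEAP_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"
NS = {"p": PEAP_NS}

# A profile that validates the server but pins nothing: the state most
# hand-built PEAP profiles start in.
UNPINNED_PROFILE = f"""<EapType xmlns="{PEAP_NS}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames></ServerNames>
  </ServerValidation>
</EapType>"""

# The same profile after pinning the issuing root (placeholder SHA-1
# thumbprint, written the way Windows displays it) and the NPS server name.
PINNED_PROFILE = f"""<EapType xmlns="{PEAP_NS}">
  <ServerValidation>
    <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
    <ServerNames>radius.example.org</ServerNames>
    <TrustedRootCA>aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd</TrustedRootCA>
  </ServerValidation>
</EapType>"""


def norm_thumbprint(text: str) -> str:
    """Normalise 'aa bb ...' / 'AA:BB:...' spellings to one comparable form."""
    return text.replace(" ", "").replace(":", "").lower()


@dataclass
class ServerValidation:
    prompt_user: bool     # warn the user instead of silently failing
    server_names: list    # ServerNames, split on ';'
    trusted_roots: set    # TrustedRootCA thumbprints, normalised


def parse_server_validation(xml_text: str) -> ServerValidation:
    """Pull the pinning settings out of a PEAP EapType fragment."""
    sv = ET.fromstring(xml_text).find("p:ServerValidation", NS)
    prompt = sv.findtext("p:DisableUserPromptForServerValidation", "false", NS).strip().lower() != "true"
    names_text = sv.findtext("p:ServerNames", "", NS) or ""
    names = [n.strip().lower() for n in names_text.split(";") if n.strip()]
    roots = {norm_thumbprint(t.text) for t in sv.findall("p:TrustedRootCA", NS) if t.text}
    return ServerValidation(prompt, names, roots)


@dataclass
class Cert:
    subject_cn: str          # name in the RADIUS server's certificate
    root_cn: str             # name of the root that issued the chain
    root_thumbprint: str     # SHA-1 thumbprint of that root
    in_machine_store: bool   # True for a public root shipped with the OS


def supplicant_check(cert: Cert, sv: ServerValidation) -> list:
    """Reasons a PEAP supplicant would warn; an empty list means a silent connect.

    Note what is *not* consulted: the machine's public root store. Without a
    URL there is nothing to compare the certificate name against, so the
    profile itself has to carry both the anchor and the expected name.
    """
    reasons = []
    if norm_thumbprint(cert.root_thumbprint) not in sv.trusted_roots:
        reasons.append(f'"{cert.root_cn}" is not configured as a valid trust anchor for this profile')
    if cert.subject_cn.lower() not in sv.server_names:
        reasons.append(f'server "{cert.subject_cn}" is not configured as a valid NPS server for this profile')
    return reasons


def browser_check(cert: Cert, requested_host: str) -> list:
    """Browser model: the URL supplies the expected name, the OS store the anchors."""
    reasons = []
    if not cert.in_machine_store:
        reasons.append("issuer is not in the system trust store")
    if cert.subject_cn.lower() != requested_host.lower():
        reasons.append("certificate name does not match the requested host")
    return reasons


if __name__ == "__main__":
    cert = Cert("radius.example.org", "Example Public Root CA",
                "aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd", in_machine_store=True)
    for label, xml in (("unpinned", UNPINNED_PROFILE), ("pinned", PINNED_PROFILE)):
        print(label, "profile:", supplicant_check(cert, parse_server_validation(xml)) or "connects silently")
    print("browser:", browser_check(cert, "radius.example.org") or "no warning")
```

Run as-is, the unpinned profile produces both warning reasons for a certificate the browser model accepts without complaint; the pinned profile produces none. Whatever the default behaviour, a profile that pins the root thumbprint and the server name is also the stronger configuration: an attacker with any certificate from the same public CA would otherwise present a chain the machine store already trusts.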

Similar Messages

  • Airport wireless clients not seeing airport ethernet clients.

    I have a problem with airport wireless clients not being able to see airport ethernet clients on the same base station - bonjour does not work for this, appletalk does not work for this, and Remote Desktop does not work for this either. Is there a way around this? Is this normal or a bug? I can change the last surviving ethernet machine to wireless, but if I can avoid the cost that would be good.
    Miklos.

    It's ok, I got it working. I just reset the second airport, went through the "easy" set up, reset, went into manual config, changed the network to a WDS (to match the main base station) and changed the setting that allows further distribution of the network, and it's working perfectly now!!
    Hooray!!
    I have to say, of all my Apple experiences, the base station set up was the least "Apple", it was confusing, complex, and somewhat erratic, but now that I have the config perfect, it seems to be working without a hitch. I just hope they can include network templates in the next software (for other people since I'm good to go now anyway) - that would be more Apple - so that people can just go bang I have this config, and perhaps for the more obscure set ups a fine tune would work off a template to get people set up faster and easier and with less confusion.
    Miklos.

  • Enterprise subordinate CA does not show up in certificate authorities list

    After much discussion I decided the best approach was to clean everything up and start over. I went through the KB on decommissioning an enterprise CA and Subordinate CA, installed a new standalone root, and a new enterprise subordinate CA. Everything appeared to be working with one exception. The new Enterprise Subordinate does not show up in the Certificate Authorities section of Public Key Services in AD Sites & Services. It does show up in AIA, CDP and Enrollment Services. The standalone root is trusted and I set up group policy with the certificate of the Enterprise Subordinate as a trusted intermediate. The templates were configured also, as well as autoenrollment for computers, but so far only the DCs and my workstation have received certificates. I am sure I am missing something but after 100s of pages and article after article I don't see it. I ran the certutil -viewstore query and it doesn't see it either and it doesn't tell me how to fix it. Also, what is the deal with case; it seems no matter how careful I was with upper and lower case letters AD did what it wanted and my published CA name looks like I can't figure out how caps lock works.
    Thanks in advance

    Yes, it is possible. However, you will need to make some modifications on the root CA:
    certutil -setreg ca\dsconfig "AD Configuration naming context"
    certutil -setreg ca\dsconfigdn "AD Configuration naming context"
    certutil -setreg ca\dsdomaindn "AD Forest root domain DN"
    AD configuration naming context is (usually) CN=Configuration, DC=rootdomainname, DC=domainsuffix.
    To extend Root CA CRL validity, in the Certification Authority MMC, select properties of the Revoked Certificates folder and specify the validity period (something like 6-12 months). Make sure that Delta CRLs are NOT enabled. Save settings and restart certificate services.
    Then you should republish all CRLs and publish CRL to Active Directory:
    certutil -dspublish -f path\RootCAcrl.crl
    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Windows PKI reference:
    on TechNet wiki

  • Make client to trust server's certificate?

    hi,
    I am new to SSL, and I ran into this problem:
    I have a simple https server (written in Java) which gives out a certificate to its https client (written in C++, WinInet API). The server certificate is generated using the java keytool command:
    "keytool -genkey -keystore certs -keyalg rsa -alias jamie -storepass serverkspw -keypass serverpw"
    Each time the client gets a certificate, a "security alert" window pops up saying "The certificate issuer for this site is untrusted or unknown. Do you wish to proceed?" with "YES", "NO", ... choices.
    Is there a way to get rid of this pop up window? So the client can "trust" the https server??
    Any ideas/comments welcome.
    Thanks .
    jk

    Yes - you need to get your certificate signed by one of the Certificate Authorities (CAs) whose root certs are in your client's "trusted certificate" storage. The general approach is to ask a CA (like, say, Verisign or Thawte) to sign your server cert. You do this by generating your cert, then generating a CSR (Cert Signing Request) and sending the CSR to the CA. The CA sends your cert back with their root cert at the top of the cert chain. The client will then trust your cert, because it trusts the CA.
    The other way to achieve this is to arrange for your client to store your cert in their "trusted store". Specific steps depend on the client. I don't recall where the Inet API looks for its trusted-cert storage.
    Grant

  • All devices listed as wireless clients not showing up.

    I have an airport extreme (newest version). I have my apple tv, computer and ipad showing up listed as wireless clients, however my iphone does not show up. It is connected to my network. I have tested with another iphone (same version 4S and same iOS); it shows up but not mine.
    Do you know why it is not showing up?

    remove power cord from the PSU and >>Clear CMOS Guide<<
    if the wifi card is removable, try to reseat it
    also install latest killer drivers from:
    http://www.msi.com/support/mb/X99S-GAMING-9-ACK.html#down-driver&Win8.1 64
    [try an older version as well if needed]

  • Silverlight app in Lync CWE fails with "Client not trusted", despite being added to trusted sites

    We're trying to get a silverlight app up and running in a Lync 2013 CWE. We have a Lync 2010 server on its own domain, which is not the same domain as the 2013 client machine. Clients on the different domains communicate perfectly.
    The silverlight app is hosted on our own webserver, which is in the same domain as the 2013 client machine. We tried hosting it on the other domain, with the same result.
    YES, we've added the domain to our trusted sites in registry, but still we get the exception.
    The line that fails:
     _conversation = (Conversation)LyncClient.GetHostingConversation();
    How to get the app to work in our client?

    Please check “How to: Install a CWE application in Lync SDK” at
     http://msdn.microsoft.com/en-us/library/office/jj933101.aspx
    As the problem is related with Lync client development, please post your question in the following forum:
    http://social.msdn.microsoft.com/Forums/lync/en-US/home?forum=communicatorsdk
    Lisa Zheng
    TechNet Community Support

  • [INFO] Not so well known things about LR keyboard shortcuts

    Hi,
    There are a few things that you should know about keyboard shortcuts in LR. I already posted information about this last year for non-English speaking users but I had to be more accurate because this is of interest for English speaking users as well.
    This information can help solve some problems encountered if
    - you are using an English version of LR with a non-English keyboard layout
    - you are using a non-English version of LR
    - you want to change some keyboard shortcuts even when using the English version
    - you want to fix some bugs in the localized keyboard shortcuts
    Here we go...
    1. When using a non-English version of LR, the translations are read from a file named \Program Files\Adobe\Adobe Photoshop Lightroom 2\Resources\fr\TranslatedStrings.txt. The localized keyboard shortcuts are also described in this file.
    2. For the English version, \Program Files\Adobe\Adobe Photoshop Lightroom 2\Resources\en\TranslatedStrings.txt doesn't exist by default because the default values for texts and keyboard shortcuts are hard-coded.
    3. Any change in TranslatedStrings.txt, including changes related to keyboard shortcuts, will be taken into account after reloading LR. These changes will also be reflected in the Help Panel that is displayed when you use the Help | Shortcuts command.
    4. So if you are using a localized version or the English version of LR (see next point), you'll be able to change the default keyboard shortcuts.
    5. Some keyboard shortcuts of the English version are unreachable when using a keyboard with a foreign layout. You're not stuck, however. Nothing prevents you from creating a TranslatedStrings.txt file in \Program Files\Adobe\Adobe Photoshop Lightroom 2\Resources\en. This file doesn't need to be the full translation file. It just has to include all the lines ending with Key=xxxxx + a few additional ones (or just the lines related to the shortcuts that you want to change). You can download a full sample with French shortcuts from http://www.mainsoft.fr/Files/LR/TranslatedStrings.txt. Just create the file, edit the shortcuts as you want and reload LR. I don't know how you can add comments to this file.
    6. Attn French users: there's a bug described in the thread titled "Missing shortcut in Lightroom 2.2 french". You'll be able to fix it by using the information above (this is also described in the thread itself).
    So that's it. LR doesn't offer you a keyboard shortcut editor - something unexpected for a software at that price level - but you can edit them anyway.
    Enjoy!
    Patrick

    Hi,
    This post is still valid for LR3. It's a pity that this new version
    still doesn't have a built-in keyboard customization feature.
    I should add a few additional details, though.
    - You have to create the \en subfolder yourself. Once created and once you have also created the TranslatedStrings.txt file, it will be taken into account.
    - It appears that the TranslatedStrings.txt files corresponding to each supported language do not contain the same commands. For some languages, some commands do not have any shortcut (or the translator was not concentrating on his job and the quality assurance dpt. just missed the point). So if you don't find the line(s) related to the shortcut that you want to customize in the file corresponding to your language, look for it in the other files.
    - Some characters can't be used for customizing a shortcut, even if they are not already used for another shortcut. It depends on each local keyboard. I guess this is due to the very same problem that has existed since LR 1.0: the program uses its own keyboard handler and fails to adapt to keyboards that do not correspond to the selected language. From the beginning, many of us European users have told Adobe that a user can select in LR a working language that does not correspond to the keyboard and country settings used on the system. This is a common situation. They are just ignoring the problem.

  • Guest Wireless client not getting IP addresses

    WLC 5508 as anchor running 7.0.116.0, locally configured DHCP scope. The scope has been enabled.  There are 2 foreign controllers in different locations. Mobility groups have been configured and there is communication between them; I am able to ping, mping and eping.  I have gone through my configuration but can't find what is missing.

    I am pasting the debug and show wlan info below; the first is for the foreign controller.
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.09.23 07:51:16 =~=~=~=~=~=~=~=~=~=~=~=
    *apfReceiveTask: Sep 22 23:30:29.265: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
    *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
    *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
    *osapiBsnTimer: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Disassociated
    *apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
    *osapiBsnTimer: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsAssoStateDec
    *apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Disassociated to Idle
    *apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [08:17:35:31:1c:90]
    *apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Adding mobile on LWAPP AP 08:17:35:31:1c:90(0)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Association received from mobile on AP 08:17:35:31:1c:90
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying site-specific IPv6 override for station 00:21:5d:a9:2b:a4 - vapId 1, site 'default-group', interface 'management'
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying IPv6 Interface Policy for station 00:21:5d:a9:2b:a4 - vlan 30, interface id 0, interface 'management'
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 08:17:35:31:1c:90 vapId 1 apVapId 1for this client
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 08:17:35:31:1c:90 vapId 1 apVapId 1
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfMsAssoStateInc
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Idle to Associated
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
    *apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 Sending Assoc Response to station on BSSID 08:17:35:31:1c:90 (status 0) ApVapId 1 Slot 0
    *apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Associated
    *DHCP Socket Task: Sep 23 12:51:30.920: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
    *DHCP Socket Task: Sep 23 12:51:30.921: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
    *DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
    *DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
    *DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
    *DHCP Socket Task: Sep 23 12:51:58.456: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
    WLAN Identifier.................................. 1
    Profile Name..................................... calguest
    Network Name (SSID).............................. calguest
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    Radius-NAC State............................... Disabled
    SNMP-NAC State................................. Disabled
    Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 2
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Bronze (background)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Disabled
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Enabled
    H-REAP Local Switching........................ Disabled
    H-REAP Local Authentication................... Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID IP Address Status
    1 10.12.130.114 Up
    Next is for the anchor.
    =~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2011.09.23 07:51:16 =~=~=~=~=~=~=~=~=~=~=~=
    *apfReceiveTask: Sep 22 23:30:29.265: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
    *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) DHCP Policy timeout. Number of DHCP request 0 from client
    *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Pem timed out, Try to delete client in 10 secs.
    *apfReceiveTask: Sep 23 12:51:08.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 12) in 10 seconds
    *osapiBsnTimer: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5009) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Disassociated
    *apfReceiveTask: Sep 23 12:51:18.488: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 45) in 10 seconds
    *osapiBsnTimer: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireCallback (apf_ms.c:608) Expiring Mobile!
    *apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsAssoStateDec
    *apfReceiveTask: Sep 23 12:51:28.488: 00:21:5d:a9:2b:a4 apfMsExpireMobileStation (apf_ms.c:5132) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Disassociated to Idle
    *apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 0.0.0.0 DHCP_REQD (7) Deleted mobile LWAPP rule on AP [08:17:35:31:1c:90]
    *apfReceiveTask: Sep 23 12:51:28.489: 00:21:5d:a9:2b:a4 Deleting mobile on AP 08:17:35:31:1c:90(0)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Adding mobile on LWAPP AP 08:17:35:31:1c:90(0)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Association received from mobile on AP 08:17:35:31:1c:90
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Changing ACL 'none' (ACL ID 0) ===> 'none' (ACL ID 255) --- (caller apf_policy.c:1621)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying site-specific IPv6 override for station 00:21:5d:a9:2b:a4 - vapId 1, site 'default-group', interface 'management'
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Applying IPv6 Interface Policy for station 00:21:5d:a9:2b:a4 - vlan 30, interface id 0, interface 'management'
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (8): 130 132 139 150 12 18 24 36 0 0 0 0 0 0 0 0
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 STA - rates (12): 130 132 139 150 12 18 24 36 48 72 96 108 0 0 0 0
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Initializing policy
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 START (0) Change state to AUTHCHECK (2) last state AUTHCHECK (2)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 AUTHCHECK (2) Change state to L2AUTHCOMPLETE (4) last state L2AUTHCOMPLETE (4)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) DHCP Not required on AP 08:17:35:31:1c:90 vapId 1 apVapId 1for this client
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Not Using WMM Compliance code qosCap 00
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Plumbed mobile LWAPP rule on AP 08:17:35:31:1c:90 vapId 1 apVapId 1
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 0.0.0.0 L2AUTHCOMPLETE (4) Change state to DHCP_REQD (7) last state DHCP_REQD (7)
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfMsAssoStateInc
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 apfPemAddUser2 (apf_policy.c:223) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Idle to Associated
    *apfMsConnTask_7: Sep 23 12:51:30.795: 00:21:5d:a9:2b:a4 Scheduling deletion of Mobile Station: (callerId: 49) in 1800 seconds
    *apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 Sending Assoc Response to station on BSSID 08:17:35:31:1c:90 (status 0) ApVapId 1 Slot 0
    *apfMsConnTask_7: Sep 23 12:51:30.796: 00:21:5d:a9:2b:a4 apfProcessAssocReq (apf_80211.c:5241) Changing state for mobile 00:21:5d:a9:2b:a4 on AP 08:17:35:31:1c:90 from Associated to Associated
    *DHCP Socket Task: Sep 23 12:51:30.920: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
    *DHCP Socket Task: Sep 23 12:51:30.921: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmQueryRequested'
    *DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
    *DHCP Socket Task: Sep 23 12:51:34.871: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
    *DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
    *DHCP Socket Task: Sep 23 12:51:43.998: 00:21:5d:a9:2b:a4 DHCP dropping packet due to ongoing mobility handshake exchange, (siaddr 0.0.0.0, mobility state = 'apfMsMmAnchorExportRequested'
    *DHCP Socket Task: Sep 23 12:51:58.456: 00:21:5d:a9:2b:a4 DHCP received op BOOTREQUEST (1) (len 308,vlan 30, port 13, encap 0xec03)
    WLAN Identifier.................................. 1
    Profile Name..................................... calguest
    Network Name (SSID).............................. calguest
    Status........................................... Enabled
    MAC Filtering.................................... Disabled
    Broadcast SSID................................... Enabled
    AAA Policy Override.............................. Disabled
    Network Admission Control
    Radius-NAC State............................... Disabled
    SNMP-NAC State................................. Disabled
    Quarantine VLAN................................ 0
    Maximum number of Associated Clients............. 0
    Number of Active Clients......................... 2
    Exclusionlist Timeout............................ 60 seconds
    Session Timeout.................................. 1800 seconds
    CHD per WLAN..................................... Enabled
    Webauth DHCP exclusion........................... Disabled
    Interface........................................ management
    Multicast Interface.............................. Not Configured
    WLAN ACL......................................... unconfigured
    DHCP Server...................................... Default
    DHCP Address Assignment Required................. Disabled
    Static IP client tunneling....................... Disabled
    Quality of Service............................... Bronze (background)
    Scan Defer Priority.............................. 4,5,6
    Scan Defer Time.................................. 100 milliseconds
    WMM.............................................. Allowed
    WMM UAPSD Compliant Client Support............... Disabled
    Media Stream Multicast-direct.................... Disabled
    CCX - AironetIe Support.......................... Enabled
    CCX - Gratuitous ProbeResponse (GPR)............. Disabled
    CCX - Diagnostics Channel Capability............. Disabled
    Dot11-Phone Mode (7920).......................... Disabled
    Wired Protocol................................... None
    IPv6 Support..................................... Disabled
    Passive Client Feature........................... Disabled
    Peer-to-Peer Blocking Action..................... Disabled
    Radio Policy..................................... All
    DTIM period for 802.11a radio.................... 1
    DTIM period for 802.11b radio.................... 1
    Radius Servers
    Authentication................................ Global Servers
    Accounting.................................... Global Servers
    Dynamic Interface............................. Disabled
    Local EAP Authentication......................... Disabled
    Security
    802.11 Authentication:........................ Open System
    Static WEP Keys............................... Disabled
    802.1X........................................ Disabled
    Wi-Fi Protected Access (WPA/WPA2)............. Disabled
    CKIP ......................................... Disabled
    Web Based Authentication...................... Disabled
    Web-Passthrough............................... Disabled
    Conditional Web Redirect...................... Disabled
    Splash-Page Web Redirect...................... Disabled
    Auto Anchor................................... Enabled
    H-REAP Local Switching........................ Disabled
    H-REAP Local Authentication................... Disabled
    H-REAP Learn IP Address....................... Enabled
    Client MFP.................................... Optional but inactive (WPA2 not configured)
    Tkip MIC Countermeasure Hold-down Timer....... 60
    Call Snooping.................................... Disabled
    Roamed Call Re-Anchor Policy..................... Disabled
    SIP CAC Fail Send-486-Busy Policy................ Enabled
    SIP CAC Fail Send Dis-Association Policy......... Disabled
    Band Select...................................... Disabled
    Load Balancing................................... Disabled
    Mobility Anchor List
    WLAN ID IP Address Status
    1 10.12.130.114 Up

  • E1200 Wireless Client List will not display and causes web UI to temporarily stop responding

    I picked up an E1200 and set it up successfully.  I am using wireless MAC filtering, and decided to pull up the list of connected wireless clients (Wireless >> Wireless MAC Filter >> push "Wireless Client List" button).
    When I do so, it immediately throws this back:
    Immediately after this the Web UI of the E1200 becomes inaccessible.  It still routes traffic, and the router remains pingable, but it will not allow access to the Web UI for several minutes.  The error that appears upon attempt to access the Web UI during this time window is similar to the above, but reads "Error 102 (net::ERR_CONNECTION_REFUSED): The server refused the connection."
    I have tried this in Google Chrome, Firefox 4, and MSIE on two separate computers.  Each browser displays the error a bit differently (MSIE, for example, just says it can't display the page and gives no further detail) but the net results are always the same.  I have tried resetting the device to factory defaults in addition to re-downloading the firmware from the Cisco/Linksys website and installing it.  No improvement.
    I have also noted that the Log (Administration >> Log; and yes, I have it enabled) doesn't appear to be picking up anything at all.  In fact, the Security log, which supposedly (according to the Help) "displays the login information for the Router’s browser-based utility," is also blank.
    Is this a bug, or should I head back to the retailer and swap this device?

    Ok - I nailed this down, I think, and it looks like a firmware bug.
    Short version is that a factory reset cleared the issue, but during stepwise reconfiguration the problem came back.  Through a bunch of iteration I figured out that if I have the E1200's DHCP server disabled *and* have wireless clients connected to it, the problem I described appears.
    Turn the DHCP server back on and the problem goes away.  Turn it off and the problem comes back.  Turn it back on and it goes away.  You get the idea.
    If I had to pose a theory here, it's that the initial display of the Wireless Client List, which uses "IP Address" as the default sort, somehow implodes if the E1200 isn't actually assigning those IP addresses to the clients.
    When this happens it appears to crash the Web UI wholesale.  Just for grins, while the Web UI was unresponsive, I pinged the router as before - still pingable - then ran nmap against it - no open ports found on the router.  When the Web UI is functional, though, nmap detects port 80 quite easily.  I have not timed how long it takes for the Web UI to come back up, but it is longer than 5 minutes, and I presume some sort of watchdog process has to detect that it has gone kaput and start it up again.
    Final test was to restore my saved configuration from before the factory reset (note that the saved config was done under the same firmware version, and in this config, the DHCP server is disabled).  Boom, problem.  Wait for the Web UI to come back, turn on the DHCP server.  Problem goes away.  Turn the DHCP server off.  Boom, problem comes back.
    So, there you go.
    Would be interesting if someone could verify this via a test against another E1200.  It may be worth noting that in my baseline test I was also using Manual wireless setup (vs. Wi-Fi Protected Setup), and WPA2.  Didn't make any other setting changes from the factory defaults.  I did not actually have to turn the Wireless MAC Filter on to do the test.  All one needs to do is click Enable on the Wireless MAC Filter tab, and then do *not* click Save Settings - just clicking Enable will light up the Wireless Client List button, which you can then push to get the list.  That is how I handled testing to ensure that neither specific entries, nor the Prevent/Permit setting, nor having the filter enabled in saved configuration were involved in the problem.
    Separately, no explanation for the lack of entries in the security log, but that pretty much looks like a firmware bug to me as well.

  • Verisign certificate not trusted by Nokia phones

    Hi there,
    I have an E71 and an E72 with the latest firmwares, but when I go to a web site using HTTPS, I get a certificate warning (not trusted) if the certificate is signed by:
    "verisign class 3 international server ca - g3"
    How can this happen?
    I got this also with my old WM6.5 device.

    A few Nokia devices like the X-Series and Asha series have the VeriSign Class 3 certificate expired or not present, so when the application tries to access a secure server where the VeriSign Class 3 International Server CA - G3 certificate is present, the application fails to make a secure connection and the message displayed is "verification failed Certificate Type: X.509 type 3".
    So how can the user use any secure application launched in the year 2012 on these devices?

  • Can I use ASA as a DHCP Server for WLC wireless Clients

    I want to use the ASA as a DHCP Server for Wireless Clients, but it can't.
    I checked the debug log in the WLC, and I confirm the WLC has sent the request to the ASA.
    In the ASA, there are no hits on the rule when the WLC sends the DHCP relay request.
    I have tried not using DHCP relay in the WLC, but without success. Does anybody have the same case as me? And does the ASA not support a DHCP relay agent requesting an IP address?
    P.S. Due to a network design limitation I can't use the WLC as the DHCP Server.
    Equipment:
    ASA5510
    WLC4402
    How can I fix it?
    Thank you very much

    The issue is that the ASA doesn't accept DHCP requests from a relay agent, only broadcast DHCP requests. In the 4.2 version for the controllers there is now an option so you can change the way the controller forwards DHCP requests so that it is sent as a broadcast and not from a relay agent.

  • WRT600N Doesn't show any entries in the Wireless Client List

    Hi, my WRT600N is on firmware 1.01.35 build 3. When I check the wireless client list from the Wireless MAC Filter page, it is empty, even though I know I have 3 clients connected. They are all using 802.11g, as I don't have any N devices yet. When I go to the Status page and check the DHCP Client Table, both of my wired clients are there, but only 1 wireless client appears. The DHCP Client Log file is useless, as it only appears to log the ip address it receives from my isp. There are no entries of the ip addresses it has given out. Is my WRT600N defective, or is there firmware in the works to correct this?

    Another thing I've noticed is that the DHCP client table is showing the 2.4 wireless devices as LAN interfaces. Shouldn't it show the frequency, like it does for my one 5GHz device? Things have changed, because the Wii is now showing in both the Wireless Client List and the DHCP Client table. It shows as a LAN interface though, which is wrong; it should be 2.4GHz. My one PC that is a 5GHz N device is also showing in both the Wireless Client List and the DHCP Client table. Neither the wireless 2.4 gaming adapter nor the HR20 connected to it shows up in either list. Neither does a laptop which is 2.4GHz. This is really a concern, because I've caught 2 neighbors stealing my bandwidth in the past, and I can't stop them if I can't see them.

  • HTTP Error 403.16 - Forbidden, Your client certificate is either not trusted or is invalid.

    Dear Experts,
    I have tried mutual authentication with sample website as per below link:
    http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/#comment-19427
    1. Created a Root certificate, and a client and server certificate based on this root certificate, by using the Makecert command as per below link:
    2. Imported these certificates into Trusted Root Certification Authorities of both stores (Local and Current user)
    3. Created a sample website with an HTML page
    4. Hosted this website in IIS with an HTTPS binding and selected the above server certificate
    5. Enabled "Require SSL" and selected "Require" under SSL settings of the website
    6. Exported the client certificate in base64 format --> Edited it in notepad --> made the key into a single line
    7. Placed the above key under Configuration editor --> system.webServer/security/authentication/iisClientCertificateMappingAuthentication --> one-to-one mapping with user credentials.
    8. I tried to access the website
    But I ended up with the below error :(
    HTTP Error 403.16 - Forbidden
    Your client certificate is either not trusted or is invalid.
    Detailed Error Information:
    Module    IIS Web Core
    Notification    BeginRequest
    Handler    ExtensionlessUrlHandler-Integrated-4.0
    Error Code    0x800b0109
    Requested URL    https://localhost:443/
    Physical Path    E:\SampleRoot
    Logon Method    Not yet determined
    Logon User    Not yet determined
    Could you please let me know what I missed here?
    Note:
    I am using Windows 8, IIS 8.0.
    Thanks in advance.
    Regards,
    M. Prasad Reddy.

    Hi Prasad,
    As per this case, I have shared the corresponding details below:
    1. First of all, check whether the certificate you imported belongs to Trusted Root Certification Authorities or not.
       If that is the case, go to Microsoft Management Console (MMC) and open the Certificates snap-in.
       For instance, in the certificate store that WCF is configured to retrieve X.509 certificates from, select the Trusted Root Certification Authorities folder. Under the Trusted Root Certification Authorities folder, right-click the Certificates folder, point to All Tasks, and then click Import.
    2. You configured the server certificate as well, but check whether the client certificate has the root certificate or not with the following command:
       makecert -pe -n "CN=SSLClientAuthClient"
                -eku 1.3.6.1.5.5.7.3.2 -is root -ir localmachine -in WebSSLTestRoot
                -ss my -sr currentuser -len 2048
    3. Also check whether the Service Certificate is configured on the WCF Service side.
    4. Make sure that you followed all the steps correctly from your referred link below:
       http://itq.nl/testing-with-client-certificate-authentication-in-a-development-environment-on-iis-8-5/#comment-19427
    5. Besides, please try to set Require SSL to Ignore to see if you can access the website.
    If the above details cannot resolve this issue, please post your config file here.

  • ISE Certificate Chain Not Trusted By WLAN Clients

    We are running ISE 1.1.3 using Entrust cert signed by Entrust sub CA L1C, which is signed by Entrust.net 2048, which is in all major OS stores as trusted (Windows, Android, iOS).
    We have installed a concatenated PEM file with all of the certificates from the chain, as described in the ISE User Guides. The ISE GUI shows all of the certs in the chain individually after the import (i.e. the chain works and is good). However, we are not sure if the ISE is sending the entire chain to the WLAN clients during EAP authentication or just the ISE cert, because of the error message we get on ALL client types which states that the certificate is not trusted.
    So the question is if the ISE is really sending the whole chain or just its own cert without the rest of the certs in the chain (which would explain why the WLAN clients complain about the certificate trust.)
    Anyone out there know if the ISE code is not up to sending the cert chain in version 1.1.3 yet or if there is some other explanation? Screenshot attached of iPhone prompting for cert verification.

    Thanks hardiklodhia, your post confirms what we are seeing - the Windows clients have no issue as long as they are set to either NOT validate the EAP server cert or they are set to trust the signing CA cert from the local store by specifically selecting the signing CA (i.e. tick next to "Validate Server Certificate" and then another tick next to the signing CA cert in the box below.)
    The iOS clients ALWAYS prompt for verification (thanks Apple.)
    Note: we are using 1.1.3 and the cert chain import using a concatenated PEM file with ALL of the certs in the chain works fine. We are seeing the whole chain on the clients and the ISE extracts each PEM file into its local store.
    The PEM file format is not adequately described in the user guides; rather, a vague description of cert order is provided.
    The file should look like this:
    -------------------------Top of page-----------------------------
    Root CA PEM FILE
    Intermediate CA 1 PEM FILE
    Intermediate CA 2 PEM FILE
    ETC
    ISE CERT PEM FILE
    ------------------------Bottom of page-------------------------
    By "PEM FILE" I mean the actual base64 encoded PEM output from openssl when you convert a .crt or .der file to PEM, including the words "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" for each PEM FILE above,
    The last PEM output (at the bottom of the file) is the ISE cert in PEM format. The first PEM output (at the top) is the Root CA cert in PEM format. The ones in the middle are intermediate signing CAs in order (from root to leaf).
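    As an added example (not from the original post or from Cisco ISE), the following Python script parses a concatenated PEM file of the shape described above and checks that the blocks run root, intermediates, then the server cert, by matching each block's issuer to the previous block's subject with a minimal standard-library DER walk. The `fake_cert_pem` helper builds constructed certificate-like DER skeletons so the script runs offline; the names Root, Inter and ise.example are made up.

```python
# Added example, not from the thread or from Cisco ISE: verify that a concatenated PEM
# chain file is ordered root -> intermediates -> server certificate, as the post
# describes, using a minimal standard-library DER walk over each tbsCertificate.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_tlv(buf, pos=0):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def names_from_der(der):
    """Return (issuer, subject) as the raw DER Name bytes of one X.509 certificate."""
    _, cert, _ = der_tlv(der)                      # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert)                      # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, val, pos = der_tlv(tbs, pos)
        if tag != 0xA0:                            # skip the optional [0] EXPLICIT version
            fields.append(val)
    return fields[2], fields[4]                    # serial, sigAlg, issuer, validity, subject, ...

def check_chain_order(pem_text):
    """Return a list of problems; an empty list means root -> intermediates -> leaf.
    Names are compared as raw DER bytes, which is what a correctly issued chain yields."""
    names = [names_from_der(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if len(names) < 2:
        return ["expected at least one CA certificate and the server certificate"]
    problems = []
    if names[0][0] != names[0][1]:
        problems.append("first block is not self-signed (root CA must be first)")
    for i in range(1, len(names)):
        if names[i][0] != names[i - 1][1]:
            problems.append(f"block {i + 1} was not issued by block {i}")
    return problems

def der_encode(tag, value):
    """DER-encode one TLV with a short- or long-form length."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def fake_cert_pem(issuer_cn, subject_cn):
    """Constructed stand-in for a certificate: a DER skeleton carrying only the fields
    the checker reads (no key, no signature; NOT a real certificate)."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF SEQUENCE { id-at-commonName, UTF8String }
        return der_encode(0x30, der_encode(0x31, der_encode(0x30,
               der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode()))))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
                     + der_encode(0x30, b"") + name(issuer_cn) + der_encode(0x30, b"") + name(subject_cn))
    cert = der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    chain = fake_cert_pem("Root", "Root") + fake_cert_pem("Root", "Inter") + fake_cert_pem("Inter", "ise.example")
    print(check_chain_order(chain) or "chain order OK: root -> intermediate -> ISE cert")
```

    Run it against the real concatenated file before importing it into ISE; on real certificates the checker reads the issuer and subject fields exactly the same way, so an empty result means the order matches the layout the post describes.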

  • Error code 265: The certificate chain was issued by an authority that is not trusted.

    We are in the process of trying to set up a wireless network that uses NPS servers to authenticate domain users with computers that are not on our domain (BYOD).
    We are using a valid, wildcard SSL (with intermediate certificates) to authenticate via PEAP.  The certificate was issued by Godaddy.
    When trying to connect, we are getting the authentication request.
    The result of a connection attempt is no connection with an event log error code of - “265: The certificate chain was issued by an authority that is not trusted.”
    We have tried ensuring that the certificates are in the correct containers on the respective NPS servers: “Certificates\Personal\Certificates” With the intermediate certificates located: “Certificates/Intermediate Certification Authorities”
    All these attempts have proven fruitless.  Any assistance or direction would be very much appreciated.

    Hi,
    Did you import the intermediate certificate into the right account? It should be imported into the Computer account.
    Have you imported the intermediate certificate on your client? The client needs it to validate the certificate of your NPS server.
    Here is a similar thread in which Greg has explained this issue in detail.
    http://social.technet.microsoft.com/Forums/en-US/b770fcf6-d1e9-4aac-9005-62cb5ff6d485/the-certificate-chain-was-issued-by-an-authority-that-is-not-trusted?forum=winserverNAP
    Hope this helps.
    Steven Lee
    TechNet Community Support
