Pushing Cert via AD [message #300105] Tue, 27 October 2009 13:44
DPOWER
Running Windows 2003 Domain

We've set up an internal website that contains a certificate that IE flags.

I've tried pushing the cert out via AD using group policy, but most of our
users are still being prompted about the certificate. I've imported the
certificate under Computer Config - Windows Settings - Security Settings -
Public Key Policies - Trusted Root Certificates. I have pushed this out
weeks ago.

Is there some reason why most of our workstations are still not liking this
cert? They're all using XP SP3.

Thanks!
Re: Pushing Cert via AD [message #300210 is a reply to message #300105] Tue, 27 October 2009 15:38
R Shah
Hi,
Can you see if the root certificate is installed correctly on the workstation?
I have done many root certificate installations via GPO but never had such
an issue on XP SP3.


"DPOWER" <DPOWER@discussions.microsoft.com> wrote in message
news:041C8675-E16D-408B-A1E9-90EEA1646672@microsoft.com...
> Running Windows 2003 Domain
>
> We've set up an internal website that contains a certificate that IE flags.
>
> I've tried pushing the cert out via AD using group policy, but most of our
> users are still being prompted about the certificate. I've imported the
> certificate under Computer Config - Windows Settings - Security Settings -
> Public Key Policies - Trusted Root Certificates. I have pushed this out
> weeks ago.
>
> Is there some reason why most of our workstations are still not liking
> this
> cert? They're all using XP SP3.
>
> Thanks!
Re: Pushing Cert via AD [message #300329 is a reply to message #300210] Tue, 27 October 2009 18:02
Joe Kaplan
Is the certificate self signed or issued by a CA? You would only want it as
a trusted root if it was self signed. If it was issued by a CA, you'd want
to ensure that:

- The machines in your org have the root as a trusted root
- If there is an intermediate (issuing) certificate in the chain (root ->
issuing -> SSL cert), the issuing certificate is configured on the WEB
SERVER in the local machine intermediate certs container as it is the
responsibility of the web server to present all the intermediate certs in
the chain to the browser. The browser is just supposed to have the root.

You can also make the intermediate cert(s) be configured on individual
machines via GPO or domain policy, but that isn't the right way to solve
that problem.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
"R Shah" <rahisuddin.shah@discussions.microsoft.com> wrote in message
news:%23Aw0b30VKHA.3696@TK2MSFTNGP02.phx.gbl...
> Hi,
> Can you see if the root certificate is installed correctly on the workstation?
> I have done many root certificate installations via GPO but never had
> such an issue on XP SP3.
>
>
> "DPOWER" <DPOWER@discussions.microsoft.com> wrote in message
> news:041C8675-E16D-408B-A1E9-90EEA1646672@microsoft.com...
>> Running Windows 2003 Domain
>>
>> We've set up an internal website that contains a certificate that IE
>> flags.
>>
>> I've tried pushing the cert out via AD using group policy, but most of
>> our
>> users are still being prompted about the certificate. I've imported the
>> certificate under Computer Config - Windows Settings - Security Settings -
>> Public Key Policies - Trusted Root Certificates. I have pushed this out
>> weeks ago.
>>
>> Is there some reason why most of our workstations are still not liking
>> this
>> cert? They're all using XP SP3.
>>
>> Thanks!
>
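
The chain case described in the last reply (root -> issuing -> SSL cert), reproduced offline as an added example that is not part of the original thread. It assumes the openssl command-line tool is installed and uses `openssl verify` as a stand-in for the browser's chain check; every name and certificate in it is constructed for the demo.

```shell
#!/bin/sh
# Added example: throwaway constructed PKI (root -> issuing -> SSL cert); all names are made up.
new_csr() {   # $1 = directory, $2 = file stem, $3 = CN; writes $2.key and $2.csr
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

make_demo_pki() {   # $1 = empty directory to fill
    printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' \
        '[leaf]' 'basicConstraints=CA:FALSE' > "$1/ext.cnf"
    new_csr "$1" root "Demo Root CA"
    new_csr "$1" issuing "Demo Issuing CA"
    new_csr "$1" leaf "intranet.example.test"
    # The root signs itself, the root signs the issuing CA, the issuing CA signs the SSL cert.
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" -days 30 \
        -extfile "$1/ext.cnf" -extensions ca -out "$1/root.pem" 2>/dev/null
    openssl x509 -req -in "$1/issuing.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -CAcreateserial -days 30 -extfile "$1/ext.cnf" -extensions ca \
        -out "$1/issuing.pem" 2>/dev/null
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/issuing.pem" -CAkey "$1/issuing.key" \
        -CAcreateserial -days 30 -extfile "$1/ext.cnf" -extensions leaf \
        -out "$1/leaf.pem" 2>/dev/null
}

is_self_signed() {   # $1 = cert; true when subject name equals issuer name (name check only)
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

client_trusts() {   # $1 = root the client trusts, $2 = SSL cert, $3 = intermediates the server sends (optional)
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q 'OK$'
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q 'OK$'
    fi
}

demo=$(mktemp -d) && make_demo_pki "$demo"
is_self_signed "$demo/leaf.pem" && echo "SSL cert: self-signed" || echo "SSL cert: issued by a CA"
client_trusts "$demo/root.pem" "$demo/leaf.pem" \
    && echo "client has root, server sends SSL cert only: trusted" \
    || echo "client has root, server sends SSL cert only: NOT trusted"
client_trusts "$demo/root.pem" "$demo/leaf.pem" "$demo/issuing.pem" \
    && echo "client has root, server also sends issuing cert: trusted" \
    || echo "client has root, server also sends issuing cert: NOT trusted"
rm -rf "$demo"
```

Running `is_self_signed` against the certificate exported from the web server answers the first question in the reply: if it is CA-issued, the certificate to distribute as a trusted root is the CA's root, not the site's own certificate.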