Certificates in Outlook/IE with redirected appdata folder on a MS Terminalserver

erisch
Hi@all,

We are looking for a good idea on how to solve the following problem:

Windows 2003 Terminal Server Farm (20).
Roaming Profiles and %appdata% is redirected to a server share.
Users work with Outlook 2003 and now a couple of users need to use personal certificates for communication.
When the admin logs in, he can import and use certificates. If a normal user wants to do the same, he gets an error: "An error occurred while trying to import security information."
1. Step we made:
We checked the %appdata% folders to make sure the necessary cryptographic folders are present for the users. They are. We checked the security rights; users have full access.

2. Step (Test):
If he works without redirection, the error does not occur. That means it is not a profile problem.

3. Step (Change):
We redirect per GPO to a permanently mounted drive letter, so the software doesn't need a UNC path.

But nothing helped.

So we hope for good advice on this site.

Best regards

M. Schlett
Commented:
Do you have all the latest Outlook service packs installed? There was an Outlook certificate import problem in earlier versions which may affect redirected ones as well.

Author

Commented:
Outlook is up to date with all updates which come from Microsoft Update. Was this a special update from MS?
Hmm, more information? OK, I will try to describe it in more detail.
There is a Microsoft Terminal Server (Windows 2003 with SP2 and all MS updates).
There are some GPOs like Folder Redirection for Appdata (we need this for Citrix Application Sharing).
There you can only use UNC paths.
With this constellation it's not possible for users to successfully import personal certificates. Not in Outlook nor in IE8.
We have been looking for a solution for a long time, and the first thing I read was that Microsoft's certificate store has problems using UNC paths.
Now we changed the way the appdata path is submitted and created a mandatory profile. Per GPO comes only a batch file, which connects the appdata path to a local drive letter. The registry keys in the mandatory profile now point to this drive letter.
For other applications like Adobe Acrobat, which also have such problems, it works fine.
Only the MS cert store doesn't work. Of course we looked into the paths. The necessary crypto path was created; the user has full access to this share.
The procedure looks normal until the finish. Then comes the error, which I attached as a JPEG.

So I can't describe the problem any better. I hope this clears up the situation a little bit more.

Best regards
cert-import-error.JPG
Subash Sundharan, IT Infrastructure Architect

Commented:
Check the permissions for the MachineKeys folder; refer to the MS KB for permission details.
http://support.microsoft.com/kb/278381/ 
http://support.microsoft.com/default.aspx/kb/919074 
Author

Commented:
Thanks for the comment; yes, I read these KBs in the past.
But unfortunately nothing there is applicable.
Security settings were checked again and they are set as intended.
I didn't find any third-party registry subkeys to delete.
Last but not least, the 3rd method isn't possible; yes, it works, but not for us.

Is it maybe per Design?
Subash Sundharan, IT Infrastructure Architect

Commented:
Are the MachineKeys folder permissions for Everyone correct?

List Folder/Read Data
Read Attributes
Read Extended Attributes
Create Files/Write Data
Create Folders/Append Data
Write Attributes
Write Extended Attributes
Read Permissions

Author

Commented:
Yes, absolutely sure, these permissions are set.
Subash Sundharan, IT Infrastructure Architect

Commented:
Is it because of cached copies of roaming profiles?

Author

Commented:
There are no caches of roaming profiles; I can't see the influence. It's a redirection of the %appdata% folder, separate from the user profiles, to a separate network share for each user.
Subash Sundharan, IT Infrastructure Architect

Commented:
Can you try by recreating the user profile?

Author

Commented:
I tried it with different accounts and profiles (5-6); it's always the same.
Only the domain admin can do it, any other user (also with local admin rights) cannot. For one of these users the profile was recreated multiple times in another context. It never works.

We also made a test in the last days. We wanted to move the target path of %appdata% from the NetApp SAN to a simple Windows Server. Maybe there are some hidden security settings in the file server OS which I don't manage. But there is no change: with the %appdata% folder local you can, with the %appdata% folder remote you cannot.

Subash Sundharan, IT Infrastructure Architect

Commented:
Will you be able to check the remote %appdata% permissions?
If yes, check the effective permissions for the user and Everyone on this folder and see if they are being inherited by the child folders.
99% I would say this is a folder permission issue.

Author

Commented:
On Windows Server (Windows 2003 with SP2 etc.) users have full access to all folders in %appdata%.
I checked it again and again. Sure.
Subash Sundharan, IT Infrastructure Architect

Commented:
What about the permissions for Everyone?
Check both NTFS and share permissions.
If everything is OK then I am not finding any other reasons. Sorry, you may have to contact MS PSS or wait for another Expert's comment.
Commented:
So, I checked it again. The user has local admin rights on the server and full access to all needed shares, no limits. No result, but I had another idea.
At last I ran regmon and filemon on a special separate server where no other user was present at that time, so not so many entries were created.
And there I found one interesting entry, which showed that the test user uses a mandatory profile and the admin does not. This is the difference between the domain admin and the local admin.
With this keyword it was easy to find a solution, or better a workaround.
We now set the special user right "Set value" for the registry key HKLM\Software\Microsoft\Windows NT\Currentversion\Profilelist as described on http://www.brianmadden.com/forums/t/30903.aspx, and then the user, or better a VB script, can update the entry HKLM\Software\Microsoft\Windows NT\CurrentVersion\Profilelist\User-SID\State from 5 to 256 (and back after the work is done).
So it works fine.
Sorry that I forgot that our normal users work with a mandatory profile.

Thank you all for your attention.
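The workaround in the final comment, written out as an added PowerShell example (not the thread's own VB script): it reads the current user's ProfileList State value, sets it to 256 for the duration of the certificate import, and restores the original value afterwards. It assumes the "Set value" right on the ProfileList key has already been granted as the thread describes; the function and parameter names and the PFX path are this example's own.

```powershell
# Added example: toggle HKLM\...\ProfileList\<SID>\State around a certificate
# import, as the thread's workaround describes (5 -> 256 -> 5).
$ErrorActionPreference = 'Stop'

function Get-ProfileListKey {
    # Resolve the ProfileList subkey for the currently logged-on user's SID.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
}

function Invoke-WithProfileState {
    param(
        [Parameter(Mandatory)] [scriptblock] $Action,
        [int] $TemporaryState = 256   # value the thread found on the working admin account
    )
    $key = Get-ProfileListKey
    $original = (Get-ItemProperty -Path $key -Name State).State
    Write-Host "ProfileList State is $original; setting $TemporaryState for the import"
    Set-ItemProperty -Path $key -Name State -Value $TemporaryState -Type DWord
    try {
        & $Action
    }
    finally {
        # Always restore the saved value (5 on the thread's mandatory-profile users),
        # even if the import throws.
        Set-ItemProperty -Path $key -Name State -Value $original -Type DWord
        Write-Host "ProfileList State restored to $original"
    }
}

function Import-UserPfx {
    param([string] $PfxPath, [string] $Password)
    # Import into the current user's Personal (My) store; UserKeySet keeps the
    # private key in the user's key container, i.e. under the redirected %appdata%.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'PersistKeySet,UserKeySet'
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password, $flags)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try   { $store.Add($cert) }
    finally { $store.Close() }
    return $cert.Thumbprint
}

# Usage (hypothetical path): run the import while State is temporarily 256.
Invoke-WithProfileState -Action {
    $thumb = Import-UserPfx -PfxPath 'H:\certs\user.pfx' -Password (Read-Host 'PFX password')
    Write-Host "Imported certificate $thumb"
}
```

Run it in the user's own session, since Get-ProfileListKey resolves the SID of the caller and the X509Store targets that user's Personal store.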
