• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 634
  • Last Modified:

How does a 7000+ good Cert prompt not trusted to 10 users ...

I have had a problem with 10 people now out of 7,000+ that seem to be prompted to trust the same active cert from the Verisign CA .

Though I know it is installed and not near expiration, could there still be some config Im missing? Could it simply be that these 10 users have not updated their CA trust digest from microsoft.com updates to list verisign, could it be because they were using a browser on a proprietary device such as an iPhone or could it be something server side...

I am trying to remedy ANY chance they would receive the prompt so https should be a seamless user experience.
0
JAaron Anderson
Asked:
JAaron Anderson
  • 10
  • 5
  • 3
6 Solutions
 
RovastarCommented:
I think it is likely to be a client based setup.

Often phones and more unusual browsers can have some issues.

Work out the user agents of all the phones from the logs and see what any other error information in the logs.

See if you can get a pattern collate the useragents with the failures and success.

That way you can tell with more confidence that a phone and its browser fails.
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
yeah exactly youre right on target...
 in all situations especially hangs when details are scare unlike when an service crashes establishing a pattern is an excellent approach...

Ill post more if I make a further determination for readers to make this post a valuable resource.
0
 
ParanormasticCryptographic EngineerCommented:
You could have the server returned error prompt be replaced with a custom form looking for information, or just have them call you as it sounds like.

Probably a different browser on a phone, agreed, but just for fun I'll through out a couple other possibilities:

- Outdated OS like Win2k that hasn't been patched in too long with a newer Verisign root.  Okay not that different but not a phone - just expanding horizons on similar concept.  Could just be some other non-standard browser that doesn't have an intermediate cert installed

- Time is off - check time & full date in both windows and in bios.

- If less than .2% of your users are entering the site part of the URL in wrong (server1 instead of server1.domain.com) - consider yourself lucky :p


To narrow it down appropriately, you should really try to get the error message being returned to the client and ask them a generic list of browser troubleshooting questions.


You can refer to my little article if you want the main things to look for so you can dig deeper into the primary issues.

http://beta.experts-exchange.com/articles/Networking/Protocols/Application_Protocols/SSL/Troubleshooting-Certificate-Error-Messages-on-Clients.html
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>have the server returned error prompt be replaced with a custom form

how would I do that ???
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
>>browser troubleshooting questions
XP system, IE 8  didnt work from home last night BUT DID work from here within our network on the same laptop ? any ideas there ?... Could it be authenticating the Domain locally but since we dont have any Cert Lists or Domains set up could that be why the same laptop doesnt work on a Verizon Fios connection from outside the firewall/network ?

just curious thx
0
 
RovastarCommented:
SO to summarise

Client = xp, IE8 location =home server = no change outcome = failed
Client = xp, ie8  location = office server = no change outcome = success

TO me then as they are both the same it is to do with the network/firewall/proxy setup

You said 7000 people are ok and only 10  failed. Are they all the 7000 people external  or internal? Are the failure all internal or external? I presumed everyone was external.

look at the logs (IIS, even networking and firewall) get a better idea of what is happening.  What do the IIS logs say? how do success and failure occurrences differ.

0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
no not exactly

Client=xp, IE8 location=home NETWORK=Verizon, Same CA trust,
Cert prompt outcome= failed/it showed to the user experience

Client=xp, IE8  location=office NETWORK=OnCampus, Same CA trust,
Cert prompt outcome= success/seamlessly trusted the CA with NO Prompt

All 7000 some are at home outside the Campus Network...

The only failures reported are external.

IIS logs ? Nothing is reported I can tell  - will investigate, any direction as to what to hunt for ?

thx
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
this is the cert error prompt I am referring to for clarification.
cert-error.jpg
0
 
RovastarCommented:
Is your SSL cert all valid and installed correctly.

Use SSLDiag tool to help with this.

http://www.microsoft.com/downloads/details.aspx?familyid=cabea1d0-5a10-41bc-83d4-06c814265282&displaylang=en
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
can you check remotely www.widener.edu ... I do not have permission to load that yet.
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
could it be the bit depth of the cert is conflicting with a browser experience of a lower or higher bit based computer ?
0
 
ParanormasticCryptographic EngineerCommented:
error page 403.4 could be replaced to redirect to https would redirect a failed attempt.  Your cert is in place and seems  to be working okay though.

This is an SGC cert, the crypto strength should not matter as much - it should "step up" to the best the server can support, even if the client does not support it in most cases (that is the purpose of this type of cert).

The screenshot points to a name mismatch.  I would wonder if they are entering https://widener.edu (without the www.) as the cert is only issued for www.widener.edu (which is fine).  Or maybe they are using an old link from google or something that points to some other site prefix besides www - something along those lines where the site name is just wrong anyways, regardless of the theorized reasons I'm offering.  You non-ssl page will redirect to include the www if they aren't there, but this cannot happen if they are using https since it needs to resolve that before it can redirect.  They are either typing it in wrong or got a bad link from somewhere (an email or referring page).
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
yes you are right on target.
the CA cert is www.widener.edu ; it was unfortunately not left as a wildcard (*.widener.edu) for future expansion and utilization with vanity subdomains.

I have made a 301 redirect for the http://widener.edu/* to resolve to http://www.widener.edu/* but cannot get https:// to steer because it would require an additional IP on the server so encrypted host headers could reach their destinations. I know they cannot be read because the host headers are scrambled.

So the only thing I can do without getting another cert is to trim all 80 access to http://www.widener.edu - this should rectify 99% of the experiences.

thanks
0
 
ParanormasticCryptographic EngineerCommented:
You could redirect 403.4 traffic back to the home page and have a 'there was a problem with the address you entered' or something while it redirects back to the home page.  If they accept the certificate name mismatch warning then it will go forward to the correct URL as it does on 80, and if they don't they you have the redirect from 403.4.

If you have the ability to set up another port and use a load balancer or something for the non-www then you could get a startssl free cert (in most browsers cert store now, unlike other freebies) and populate that there without spending anything more.  You could host both certs on that and redirect to the appropriate port on the web server or something.

There are a few different ways to tweak this stuff around, some of them are kind of annoying and some work better than others.  What you have sounds pretty good to me.
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
thx Paranormastic for your thoughts, please consider this plight.

Getting users to accept the certificate name mismatch warning is a hurdle I want to circumvent. Our user target audience is 18yr old users who by evidence of supporting their user experience, stop dead in their tracks when prompted because they see the cert notification as a complete error that prevents them from preceding.

I am tasked with doing all I can to NOT let that cert mismatch notification appear at all in the critical path of the user experience.

>>startssl free cert
neat approach, Although I had been turned down for a fully trusted CA, I will present this as an option.

>>pretty good
I appreciate that - its true we are supporting estimated 98% of our contingency, however I am aspiring to not leave one fledgling student behind frustrated with their web experience with out Brand... I do endeavor to correctly appropriately rectify the issue. thanks for your suggestions... keep em' coming. ;)
0
 
ParanormasticCryptographic EngineerCommented:
The 'best' method I'm thinking of is using a multi-domain cert (aka SAN, UC/Unified Communications) where you can have it issued to domain.com and www.domain.com as both being valid.  If they are willing to spring for the verisign SGC cert then I don't see what the deal is here - a SAN for the cert here is worth much more than the rest of the hassle.  See if they'll trade that for a 3 year cert discount to offset the cost:)  Btw, its about time to renew the certificate anyways.

I'm guessing Microsoft does not have a better solution for this either - this isn't pulling up for me at all :)
https://microsoft.com/



0
 
ParanormasticCryptographic EngineerCommented:
If having Verisign isn't as big of an issue, you can get a SAN cert from GoDaddy for under 100 bucks/year.  They're not Verisign, but they do have extremely good integration.  Its an option...
0
 
JAaron AndersonProgramming Architect @ Widener UniversityAuthor Commented:
Yeah we had been trying everything and we believe it is because we had a HOST Record for the Server Common Name which the cert is assigned for in our DNS Server and NOT a physical  "A" Record entry.

although host records mimic the functionality of A and CNames, and typically perform their duties accordingly, they evidently get sticky and combative when dealing with certs if/when ONLY a hostrecord has entries in DNS.

In all, it was a good "hard-earned" learning thanks to Panaormatic & Rovastar for their provoking input to flush out what the solution was by process of elimination. :)
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

  • 10
  • 5
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now