Solved

Entrust Entelligence 9 on Win 7 could not find Certification Authority

Posted on 2013-12-31
Last Modified: 2014-01-10
All Entrust Entelligence 9 installations on WinXP are running well. However, not all of those installed on Win 7 are. They all show the same message, "The mandatory policy for your Entrust security store is unavailable". There is another message prompted right after PC bootup: "Unable to find Certification Authority (CA) and Directory configuration information".

I was told to test the connection to some specific CA server. However, I do not know how to verify the connection to the CA other than by using "ping". How do I check if there is any setting on Win 7 that blocks it?

Thanks
Question by:ChihChieh
Author Comment

by:ChihChieh
ID: 39748515
The same epf is working on WinXP but not on Win 7, and both PCs are in the same network segment.
LVL 63

Expert Comment

by:btan
ID: 39749526
You may want to see if the below helps, e.g. pkiview
@ http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

How to import third-party certification authority (CA) certificates into the Enterprise NTAuth store @ http://support.microsoft.com/kb/295663

Also note the FW rules for Active Directory Certificate Services
@ http://blogs.technet.com/b/pki/archive/2010/06/25/firewall-roles-for-active-directory-certificate-services.aspx

Another means I was thinking of is to request certificates from a Windows-based certification authority (CA); for that you use the CA Web enrollment pages (assuming that is running in CA provisioning in your infra). E.g. https://servername/certsrv, where servername is the name of the server hosting the CA Web enrollment pages. We can try servername as the direct IP and as its FQDN. Both should work.
@ http://technet.microsoft.com/en-us/library/cc770647.aspx

Author Comment

by:ChihChieh
ID: 39756241
I located two applications, "eesystry" and "eecwatch", that generated the error message "could not find Certification Authority". Looking into the log file, it said "PKI Configuration Data is missing from the registry".
Is there any reference I can use to manually add this PKI configuration data in the registry, to show both applications where the Certificate Authority is?
LVL 63

Expert Comment

by:btan
ID: 39756743
I was thinking of using pkiview to see what is working on the XP machine, based on the necessary NTAuth store and fields needed. Then run it again on Win7 to see what is missing... at least the backend is fine...

http://blogs.technet.com/b/pki/archive/2011/02/28/quick-check-on-adcs-health-using-enterprise-pki-tool-pkiview.aspx

I don't really recommend touching the registry or schema unnecessarily; you should raise this with Entrust support, even initially.

Coming back, there is also certutil.exe

The certification utility (certutil.exe) command allows you to determine the validity of issued certificates through the use of two switches:

certutil -verify -urlfetch

Using the -verify -urlfetch FileName switch allows you to see the output of the URL for each certificate. If it succeeds, it will display a "verified" output. If it fails, it will display an "error" output.

certutil -viewstore

The -viewstore output allows you to see the contents of a specific Active Directory Domain Services store or object, which lets you choose to view all certificates in that store.

If the certutil command does not function correctly, or you do not have a certificate, you will receive an error message that it failed.
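The reachability and certutil checks from the comment above, as an added example in PowerShell for a Win 7 client (this is not code from the thread or from Entrust); the CA host name, the port list and the certificate path are placeholders to adjust for your environment.

```powershell
# Added example, not from the thread or from Entrust: a Win 7 client-side check for
# "can this PC reach the CA/directory, and does certutil verify a cert from the store?".
# $CaHost, the port list and the cert path are placeholders/assumptions; adjust them.
param(
    [string]$CaHost   = 'ca.example.internal',   # placeholder: the CA or directory host you were told to test
    [int[]] $Ports    = @(389, 80, 443),         # assumed: LDAP for directory lookups, HTTP/HTTPS for CRL, OCSP, certsrv
    [string]$CertFile = "$env:TEMP\entrust-user.cer"
)

# 1. TCP reachability per port. TcpClient works on Win 7's PowerShell 2.0
#    (Test-NetConnection only arrived with PowerShell 4 / Windows 8.1).
function Test-CaPort([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $client.BeginConnect($HostName, $Port, $null, $null)
        if ($handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { return $true }
        return $false
    } catch { return $false } finally { $client.Close() }
}
foreach ($p in $Ports) {
    $state = if (Test-CaPort $CaHost $p) { 'open' } else { 'BLOCKED or unreachable' }
    "{0}:{1} -> {2}" -f $CaHost, $p, $state
}

# 2. Local Windows Firewall: profile state plus any outbound rule whose action is Block.
#    (netsh output is parsed as English text; localized Win 7 builds print other labels.)
netsh advfirewall show allprofiles state
$ruleName = $null
foreach ($line in (netsh advfirewall firewall show rule name=all dir=out)) {
    if     ($line -match '^Rule Name:\s+(.+)$') { $ruleName = $Matches[1] }
    elseif ($line -match '^Action:\s+Block')    { "Outbound block rule: $ruleName" }
}

# 3. Chain and revocation check with certutil -verify -urlfetch, as in the comment above.
#    Exports the first user certificate with a private key if no file was supplied.
if (-not (Test-Path $CertFile)) {
    $cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key in CurrentUser\My; export one from the Entrust store first." }
    [IO.File]::WriteAllBytes($CertFile, $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert))
}
$out = & certutil.exe -verify -urlfetch $CertFile 2>&1
# "Verified" lines mean a URL (CRL/AIA/OCSP) was fetched and checked; "ERROR" lines
# name the CA URL the client could not reach or the check that failed.
$out | Where-Object { $_ -match '^\s*(Verified|ERROR)' }
if ($out -match 'ERROR') { Write-Warning 'certutil reported errors; see the URLs above for what is unreachable.' }
```

Run it from an elevated PowerShell prompt so the netsh rule listing is complete; a port that shows open while certutil still reports an unreachable URL points at the application configuration rather than the network.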
LVL 63

Expert Comment

by:btan
ID: 39756749
This is why I also say support would be in a better position, since this is specific to the product, even though it uses the Windows Crypto API and has its interface to it. The tools so far (including the link below) are more examples of the scenario using a Windows CA, not the Entrust application/CA. It will be good to see if error codes from Event Viewer (application or security) can help, with any specific application errors flagged there.

http://blogs.msdn.com/b/windowsvistanow/archive/2008/04/08/troubleshooting-certificate-enrollment.aspx

Entrust in Windows
http://entrust.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/esp_overview.pdf

Application Configuration
Security Provider will not use the traditional Entrust technique of storing configuration data in the entrust.ini file. While the entrust.ini file is simple to edit and easily ported to different systems and platforms, it has some limitations. The biggest limitations are that it can only contain data for one PKI and it is not easily managed remotely.

To overcome these limitations Security Provider will not use an “ini” file and configuration data will be stored in the Windows registry. The data will be stored to allow for multiple PKIs and remote management via common registry tools or Group Policy in an environment where Microsoft Active Directory is deployed.

Application configuration data will be stored in the Windows registry in both the machine and user settings. The machine settings will be used to store global configuration data included with the setup package and the user settings will be used to store per user configuration data generated at runtime.

Security Policy
Security Provider supports configuration data that is specified in Entrust policy certificates, which enforce settings such as password rules and inactivity timeout settings. The policy certificates will be stored in the CryptoAPI certificate store and data is customized by the Entrust Administrator in Entrust Authority on a per role basis.


FYI (sidetracking): understand that Entrust has Entrust Solo, which is based on a self-signed cert and does not communicate with a CA or other Public Key Infrastructure components. It may be simpler if this is for testing only. Solo has its own registry settings (pg 5 in the link).

http://entrust.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/eesolo_91_FAQs.pdf

Author Comment

by:ChihChieh
ID: 39760946
The suggestion of Entrust reminded me of an alternative, and reminded me to check the reliability of the installation package. It was solved after locating the original installation package, and verified. Thanks
LVL 63

Accepted Solution

by: btan (earned 500 total points)
ID: 39761203
Glad it helped then in another way.