Solved

Windows 2008 Computer Cert Authentication Troubleshooting

Posted on 2014-01-31
391 Views
Last Modified: 2014-02-05
I am in the process of setting up a McAfee agent handler in our DMZ, which is not joined to the domain.

On our internal CA I have created a new computer template and applied a cert from the new template to my DMZ host and to the internal McAfee ePO and DB servers.

During the DMZ agent handler install, the app is not able to authenticate to the DB server using the domain credential, but it works fine using the SQL sa account, which I do not want.

I am not 100% certain that I have set up my cert correctly.

Is requesting a new cert based off my new cert template and saving the cert to the machine's Personal cert store correct?  Does the certificate authentication work because all servers are using a cert based off the same template? Is there any way to make sure my certs are working correctly?

I have ruled out the Windows and our network firewalls.
0
Comment
Question by:compdigit44
15 Comments
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39825656
The non-domain-joined machine does not have the CA root certificate in its trusted root store, therefore it will choke, because when it traverses up the certificate chain it will fail.  Most people don't set up the CA properly. How many tiers are in your CA? Did you set up the OCSP properly? How about your primary and delta CRLs and their responder?

I suggest you watch this http://vimeo.com/35053082 and the other nicconf videos by Brian Komar.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39826613
Thank you for your reply..

I created the cert on my internal subordinate CA. The first thing I did on my non-domain-joined server was download the complete CA chain and place it in the Trusted Root store...

I did not do anything with the OCSP or CRLs. I just made a copy of the Computer certificate template, then selected this template type when requesting a cert for all of the servers my non-domain-joined server needs to talk to.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39830540
OK, I have been giving this a lot of thought, not to mention testing, and have a theory as to why I am not able to log into my app using a domain account on a workgroup server.

1) My workgroup / DMZ server has a computer cert applied to it and the CA chain installed in the local Trusted Root store.

2) During the install process the app wants the domain credentials of an account to authenticate with against the DB. However, this works fine with SQL authentication...

Here is my theory: I have a computer cert to authenticate the workstation, but the user account is a domain account and may need a cert. But since I am logged into the workstation with a local account, there is no way for me to associate a cert with a domain user...

Does this make sense????

Also, what is the best way to test if certificate authentication "is" working? Are there any tools I should use?
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39834968
Unable to understand what the exact issue / question related to certificates is?

You are unable to access the DB from the workgroup server with a domain account? And if you use the SA account, you are able to access it?

Any specific reason for not using the SA account for authentication?

If you could please shed some light here?

Mahesh
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39835353
Hi,

Try putting all the certs in the domain chain into the Trusted Third-Party Root Certification Authorities store.  The domain certs are 'third-party' to your non-domain server.

- gurutc
0
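The chain-import step the author describes (the complete CA chain dropped into Trusted Root) and the store suggestion just above are where a workgroup host most often goes wrong, so here is an added example of doing it deliberately. This is not code from the thread or from McAfee: it uses certutil (present on Server 2008, which lacks the later Import-Certificate cmdlet) to put the root CA in the Root store and the issuing CA in the CA (Intermediate) store, and checks the files and the result with .NET's X509Certificate2. The file paths and CA names are assumed placeholders.

```powershell
# Added example, not from the thread: install an internal CA chain on a
# workgroup/DMZ host with certutil and confirm each file landed in the store
# it belongs in. File paths below are assumed placeholders.
$RootCerPath  = 'C:\certs\corp-root-ca.cer'      # assumed: exported root CA certificate
$SubCaCerPath = 'C:\certs\corp-issuing-ca.cer'   # assumed: exported issuing (subordinate) CA certificate

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath
$sub  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $SubCaCerPath

# Check the files before trusting anything.
if ($root.Subject -ne $root.Issuer) { throw "$RootCerPath is not self-signed, so it is not the root of the chain." }
if ($sub.Issuer -ne $root.Subject)  { throw "$SubCaCerPath was not issued by the root in $RootCerPath." }
foreach ($c in @($root, $sub)) {
    $now = Get-Date
    if ($now -lt $c.NotBefore -or $now -gt $c.NotAfter) {
        throw "$($c.Subject) is outside its validity period ($($c.NotBefore) to $($c.NotAfter)); check the DMZ host clock."
    }
}

# Root CA    -> LocalMachine\Root (Trusted Root Certification Authorities).
# Issuing CA -> LocalMachine\CA   (Intermediate Certification Authorities).
# Dropping the issuing CA into Root also builds a chain, but it turns the
# issuing CA into a trust anchor on this box, and CryptoAPI does not check
# revocation on trust anchors, so revoking that CA at the root would not be
# honoured here. Keep the tiers in their own stores.
certutil -addstore -f Root $RootCerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed to add the root CA (exit code $LASTEXITCODE)" }
certutil -addstore -f CA $SubCaCerPath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed to add the issuing CA (exit code $LASTEXITCODE)" }

# Confirm placement by thumbprint so it can be compared with what the CA
# servers themselves publish (certutil -store Root / certutil -store CA there).
$expected = @{
    'Cert:\LocalMachine\Root' = $root.Thumbprint
    'Cert:\LocalMachine\CA'   = $sub.Thumbprint
}
foreach ($store in $expected.Keys) {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $expected[$store] }
    if (-not $hit) { throw "Expected thumbprint $($expected[$store]) was not found in $store" }
    "{0,-26} {1}  {2}" -f $store, $hit.Thumbprint, $hit.Subject
}
```

Run it from an elevated PowerShell prompt on the DMZ host; the two thumbprints it prints should match the root and issuing CA thumbprints on the internal CA, and the chain on the DMZ host must contain no certificate the CA does not know about.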
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39836368
Upon further reading I don't think that certificates are coming into play here at all.  You state that for your application to log in to the SQL server it cannot use Windows authentication and only SA authentication.  Have you tried using domain\user or user@domain.xxx for the login with the appropriate password?
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39836620
Thanks for the reply. Yes, I did try both user login formats suggested and they did not work.

I was also informed by the vendor that they do not support user logins via certificate, but for my own knowledge..

If a workstation is not joined to a domain but needs to connect to a remote server via a domain account, there is no way to import the user's domain cert into the non-domain computer, because there is no way to associate the user cert with the correct user account..

Is this statement correct?

For example, I know in Microsoft DPM you can run a PowerShell script to associate a user cert with a specific user.
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39836789
You are correct, since there will be no user profile on that computer.
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39836822
Great, thanks for validating my theory...

Are there any tools / commands that would help me to test that the computer and/or user certificates are working correctly?
0
 
LVL 83

Expert Comment

by:David Johnson, CD, MVP
ID: 39837454
If the certificate imports then it is of the proper format. You can manually traverse up the chain to ensure that every certificate is within its validity period. You can test a website's cert on various online places, e.g. http://www.sslshopper.com/ssl-checker.html
0
 
LVL 20

Author Comment

by:compdigit44
ID: 39837486
So there is no real "tool" per se to test a computer or user cert that is not tied to a website, correct?
0
 
LVL 83

Accepted Solution

by:David Johnson, CD, MVP earned 2000 total points
ID: 39837510
Only because it has to also check revocation lists and online responders...  You could use certutil -user -verifystore My for the user's Personal store, and certutil -verifystore My for the machine's Personal store.
0
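The accepted answer's certutil -verifystore check, and the manual walk up the chain suggested a few comments earlier, can be scripted so that the DMZ host reports every certificate in a store together with the exact chain element and status that fails. The following is an added example, not code from the thread or from McAfee: it builds each chain with .NET's X509Chain using online revocation checking (CRL and OCSP, the part certutil also exercises), optionally requires a specific EKU, and returns one result object per certificate. The store path, the 15-second retrieval timeout and the Client Authentication EKU used in the sample call are assumptions; adjust them for the cert you are testing.

```powershell
# Added example, not from the thread: a scripted equivalent of
# "certutil -verifystore My" that reports which link in the chain fails.
function Test-StoreCertificates {
    param(
        [string]$StorePath  = 'Cert:\LocalMachine\My',  # assumed default; 'Cert:\CurrentUser\My' for the user store
        [string]$RequiredEku = $null                     # optional EKU OID, e.g. '1.3.6.1.5.5.7.3.2' = Client Authentication
    )
    foreach ($cert in Get-ChildItem $StorePath) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Online = fetch CRLs/OCSP from the URLs in the certificates, which is
        # exactly what a DMZ host behind a restrictive firewall tends to fail at.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15   # assumed timeout
        if ($RequiredEku) {
            $oid = New-Object System.Security.Cryptography.Oid $RequiredEku
            [void]$chain.ChainPolicy.ApplicationPolicy.Add($oid)
        }

        $ok = $chain.Build($cert)

        # The aggregate result says pass/fail; the per-element status says which
        # certificate in the chain is the problem (expired root, missing issuer,
        # unreachable CRL distribution point, wrong EKU, ...).
        $problems = @()
        foreach ($element in $chain.ChainElements) {
            foreach ($status in $element.ChainElementStatus) {
                $problems += "{0}: {1} ({2})" -f $element.Certificate.Subject, $status.Status, $status.StatusInformation.Trim()
            }
        }

        New-Object PSObject -Property @{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # a machine cert with no private key cannot authenticate anything
            ChainOK       = $ok
            ChainLength   = $chain.ChainElements.Count
            Problems      = ($problems -join '; ')
        }
    }
}

# Sample call: verify every cert in the machine Personal store for client
# authentication. Run once with the DMZ firewall rules in place so CRL/OCSP
# reachability is tested from where the application actually runs.
Test-StoreCertificates -StorePath 'Cert:\LocalMachine\My' -RequiredEku '1.3.6.1.5.5.7.3.2' |
    Format-List Subject, Thumbprint, NotAfter, HasPrivateKey, ChainOK, ChainLength, Problems
```

A certificate that shows ChainOK as True here but fails in the application usually has the wrong EKU or no private key; one that fails with a RevocationStatusUnknown or OfflineRevocation status is a CRL/OCSP reachability problem from the DMZ, not a template problem.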
 
LVL 20

Author Comment

by:compdigit44
ID: 39837528
Thanks for the great tips and guidance...
0
