Solved

Windows 2008 Computer Cert Authentication Troubleshooting

Posted on 2014-01-31
377 Views
Last Modified: 2014-02-05
I am in the process of setting up a McAfee agent handler in our DMZ which is not joined to the domain.

On our internal CA I have created a new computer template and applied a cert based on the new template to my DMZ host and to the internal McAfee ePO and DB servers.

During the DMZ agent handler install the app is not able to authenticate to the DB server using the domain credential, but it works fine using the SQL sa account, which I do not want.

I am not 100% certain that I have set up my cert correctly.

Is requesting a new cert based off my new cert template and saving the cert to the machine's personal cert store correct? Does the certificate authentication work because all servers are using a cert based off the same template? Is there any way to make sure my certs are working correctly?

I have ruled out the Windows and our network firewalls.
0
Question by:compdigit44
15 Comments
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39825656
The non-domain-joined machine does not have the CA root certificate in its trusted root store, therefore it will choke because when it traverses up the certificate chain it will fail. Most people don't set up the CA properly... how many tiers are in your CA? Did you set up the OCSP properly? How about your primary and delta CRLs and their responder?

I suggest you watch this http://vimeo.com/35053082 and the other nicconf videos by Brian Komar.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 39826613
Thank you for your reply.

I created the cert on my internal subordinate CA. The first thing I did on my non-domain-joined server was download the complete CA chain and place it in the Trusted Root store.

I did not do anything with the OCSP or CRLs. I just made a copy of the Computer certificate template, then selected this template type when requesting a cert for all of the servers my non-domain-joined server needs to talk to.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 39830540
OK, I have been giving this a lot of thought, not to mention testing, and have a theory as to why I am not able to log into my app using a domain account on a workgroup server.

1) My workgroup / DMZ server has a computer cert applied to it and the CA chain installed in the local Trusted Root store.

2) During the install process the app wants the domain credentials of an account to authenticate with against the DB. However, this works fine with SQL authentication.

Here is my theory: I have a computer cert to authenticate the workstation, but the user account is a domain account and may need a cert. But since I am logged into a workstation with a local account, there is no way for me to associate a cert with a domain user.

Does this make sense?

Also, what is the best way to test if certificate authentication "is" working? Are there any tools I should use?
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39834968
Unable to understand what the exact issue / question related to the certificate is.

You are unable to access the DB from the workgroup server with a domain account? And if you use the SA account, you are able to access it?

Any specific reason for not using the SA account for authentication?

If you could please shed some light here?

Mahesh
0
 
LVL 16

Expert Comment

by:gurutc
ID: 39835353
Hi,

Try putting all the certs in the domain chain into the Third-Party Root Certification Authorities store. The domain certs are 'third-party' to your non-domain server.

- gurutc
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39836368
Upon further reading I don't think that certificates are coming into play here at all. You state that for your application to log in to the SQL server it cannot use Windows authentication and only SA authentication. Have you tried using domain\user or user@domain.xxx for the login with the appropriate password?
0

 
LVL 19

Author Comment

by:compdigit44
ID: 39836620
Thanks for the reply. Yes, I did try both user login formats suggested and they did not work.

I was also informed by the vendor that they do not support user logins via certificate, but for my own knowledge...

If a workstation is not joined to a domain but needs to connect to a remote server via a domain account, there is no way to import the user's domain cert into the non-domain computer because there is no way to associate the user cert with the correct user account.

Is this statement correct?

For example, I know in Microsoft DPM protect you can run a PowerShell script to associate a user cert with a specific user.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39836789
You are correct, since there will be no user profile on that computer.
0
 
LVL 19

Author Comment

by:compdigit44
ID: 39836822
Great, thanks for validating my theory.

Are there any tools / commands that would help me test that the computer and/or user certificates are working correctly?
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39837454
If the certificate imports then it is of the proper format. You can manually traverse up the chain to ensure that every certificate is within its validity period. You can test a website's cert at various online places, e.g. http://www.sslshopper.com/ssl-checker.html
0
 
LVL 19

Author Comment

by:compdigit44
ID: 39837486
So there is no real "tool" per se to test a computer or user cert that is not tied to a website, correct?
0
 
LVL 78

Accepted Solution

by:David Johnson, CD, MVP (earned 500 total points)
ID: 39837510
Only because it has to also check revocation lists and online responders... You could use certutil -verifystore -user
certutil -verifystore
0
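The accepted answer points at certutil; the same chain, validity and revocation checks can be scripted on the workgroup host itself. This is an added example, not code from the thread or from McAfee: it walks every certificate in the local computer's Personal store, builds its chain with online CRL/OCSP checking, and reports whether the chain ends at a root present in the machine's Trusted Root store. It assumes an elevated PowerShell session on the DMZ host and that the host can reach the CA's CRL and OCSP URLs.

```powershell
# Added example (not from the thread): check machine certificates the way
# certificate-based authentication would evaluate them.
# Run elevated on the workgroup / DMZ host.

# Thumbprints of everything the machine currently trusts as a root.
$rootThumbprints = Get-ChildItem Cert:\LocalMachine\Root |
    Select-Object -ExpandProperty Thumbprint

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Fetch CRLs / query OCSP responders for every certificate in the chain,
    # not just the leaf, so a broken CDP or responder shows up here.
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'

    # Client Authentication EKU (1.3.6.1.5.5.7.3.2): a computer cert used to
    # authenticate the host must carry it (the default Computer template does).
    $clientAuth = New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2'
    [void]$chain.ChainPolicy.ApplicationPolicy.Add($clientAuth)

    # Build() returns $false on any failure; ChainStatus says which
    # (NotTimeValid, UntrustedRoot, RevocationStatusUnknown, Revoked, ...).
    $built = $chain.Build($cert)

    $rootTrusted = $false
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootTrusted = $rootThumbprints -contains $top.Thumbprint
    }

    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        # Without the private key the cert can be imported but never used to authenticate.
        HasPrivateKey = $cert.HasPrivateKey
        ChainValid    = $built
        RootTrusted   = $rootTrusted
        Issues        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    } | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey, ChainValid, RootTrusted, Issues

    $chain.Reset()
}
```

A result with ChainValid false and UntrustedRoot in Issues means the CA chain is missing from Cert:\LocalMachine\Root on that host; RevocationStatusUnknown means the CRL or OCSP responder could not be reached from the DMZ, which is the problem the first reply was asking about. For the same check from the command line, certutil -verifystore My lists and verifies the machine store, and certutil -verify -urlfetch on an exported .cer file shows each CDP and AIA URL it fetches.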
 
LVL 19

Author Comment

by:compdigit44
ID: 39837528
Thanks for the great tips and guidance.
0
