Solved

Windows 2008 Computer Cert Authentication Troubleshooting

Posted on 2014-01-31
389 Views
Last Modified: 2014-02-05
I am in the process of setting up a McAfee agent handler in our DMZ which is not joined to the domain.

On our internal CA I have created a new computer template and applied a cert from the new template to my DMZ host and to the internal McAfee ePO and DB servers.

During the DMZ agent handler install, the app is not able to authenticate to the DB server using the domain credential, but it works fine using the SQL sa account, which I do not want.

I am not 100% certain that I have set up my cert correctly.

Is requesting a new cert based off my new cert template and saving the cert to the machine's personal cert store correct? Does the certificate authentication work because all servers are using a cert based off the same template? Is there any way to make sure my certs are working correctly?

I have ruled out the Windows and our network firewalls.
Question by:compdigit44
15 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39825656
The non-domain-joined machine does not have the CA root certificate in its trusted root store, therefore it will choke, because when it traverses up the certificate chain it will fail. Most people don't set up the CA properly. How many tiers are in your CA? Did you set up the OCSP properly? How about your primary and delta CRLs and their responder?

I suggest you watch this http://vimeo.com/35053082 and the other nicconf videos by Brian Komar.
 
LVL 20

Author Comment

by:compdigit44
ID: 39826613
Thank you for your reply..

I created the cert on my internal subordinate CA. The first thing I did on my non-domain-joined server was download the complete CA chain and place it in the Trusted Root store...

I did not do anything with the OCSP or CRLs. I just made a copy of the Computer certificate template, then selected this template type when requesting a cert for all of the servers my non-domain-joined server needs to talk to.
 
LVL 20

Author Comment

by:compdigit44
ID: 39830540
OK, I have been giving this a lot of thought, not to mention testing, and have a theory as to why I am not able to log into my app using a domain account on a workgroup server.

1) My workgroup / DMZ server has a computer cert applied to it and the CA chain installed in the local Trusted Root CA store.

2) During the install process the app wants the domain credentials of an account to authenticate with against the DB. However, this works fine with SQL authentication...

Here is my theory: I have a computer cert to authenticate the workstation, but the user account is a domain account and may need a cert. But since I am logged into the workstation with a local account, there is no way for me to associate a cert with a domain user...

Does this make sense?

Also, what is the best way to test whether certificate authentication "is" working? Are there any tools I should use?
 
LVL 37

Expert Comment

by:Mahesh
ID: 39834968
I am unable to understand what the exact issue / question related to certificates is.

You are unable to access the DB from the workgroup server with a domain account? And if you use the SA account, you are able to access it?

Any specific reason for not using the SA account for authentication?

Could you please shed some light here?

Mahesh
 
LVL 16

Expert Comment

by:gurutc
ID: 39835353
Hi,

Try putting all the certs in the domain chain into the Trusted Third-Party Root Certification Authorities store. The domain certs are 'third-party' to your non-domain server.

- gurutc
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39836368
Upon further reading, I don't think that certificates are coming into play here at all. You state that for your application to log in to the SQL server it cannot use Windows authentication and only SA authentication. Have you tried using domain\user or user@domain.xxx for the login with the appropriate password?
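As an added example (not from the thread, and not McAfee's or Microsoft's code), the following PowerShell script tests the two login paths the comment above contrasts, from the workgroup host, and asks SQL Server which login and authentication scheme it actually saw. The server name, database name and service account are assumptions; substitute your own. The point it makes is that a workgroup host has no domain token of its own, so "Integrated Security" only carries a domain credential if the process was started with one, which `runas /netonly` provides without joining the domain.

```powershell
# Added example, not from the thread. Assumed names: SQL host 'epo-db.corp.example',
# ePO database 'ePO_DB', domain service account 'CORP\svc-epo'.
#
# A workgroup host cannot present a domain identity from its own local token, so
# Windows authentication to SQL Server only works when the process carrying the
# connection was given the domain credential for network use. Start the shell with
#     runas /netonly /user:CORP\svc-epo powershell.exe
# and run this script inside it: the local token stays local, but outbound network
# authentication (typically NTLM from a DMZ host that cannot reach a DC) uses
# CORP\svc-epo. Run it from a plain shell first to see the failure mode.

$SqlHost    = 'epo-db.corp.example'
$Database   = 'ePO_DB'
$SaPassword = Read-Host 'sa password (only used for the SQL-auth comparison)'

function Test-SqlLogin {
    param(
        [string]$Label,
        [string]$ConnectionString
    )
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $ConnectionString
    try {
        $conn.Open()
        # SYSTEM_USER is the login that authenticated; auth_scheme for our own
        # session reads SQL, NTLM or KERBEROS and shows which path was taken.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @'
SELECT SYSTEM_USER AS login_name, c.auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID
'@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            Write-Host ("{0}: connected as {1} via {2}" -f $Label, $reader['login_name'], $reader['auth_scheme'])
        }
        $reader.Close()
    } catch {
        # 18456 = login failed for the named user (no matching login / bad password).
        # 18452 = "login is from an untrusted domain": the local workgroup token, not
        #         the domain credential, reached the server; i.e. the process was not
        #         started with the domain credential.
        Write-Host ("{0}: FAILED - {1}" -f $Label, $_.Exception.Message)
    } finally {
        $conn.Dispose()
    }
}

# 1. SQL authentication: independent of domain membership, but binds the agent
#    handler to the sa password. A dedicated SQL login with only the rights the
#    ePO database needs is the least-privilege fallback if Windows auth cannot work.
Test-SqlLogin -Label 'SQL auth (sa)' `
    -ConnectionString "Server=$SqlHost;Database=$Database;User ID=sa;Password=$SaPassword"

# 2. Windows authentication: uses whatever credential the process carries.
Test-SqlLogin -Label 'Windows auth' `
    -ConnectionString "Server=$SqlHost;Database=$Database;Integrated Security=SSPI"
```

If the second test succeeds under `runas /netonly` but the vendor installer still fails, the installer is not running under that credential; if it fails with the "untrusted domain" error in both cases, the credential never left the host and the certificate setup is not involved at all.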
 
LVL 20

Author Comment

by:compdigit44
ID: 39836620
Thanks for the reply. Yes, I did try both user login formats suggested and they did not work.

I was also informed by the vendor that they do not support user logins via certificate, but for my own knowledge...

If a workstation is not joined to a domain but needs to connect to a remote server via a domain account, there is no way to import the user's domain cert into the non-domain computer, because there is no way to associate the user cert with the correct user account.

Is this statement correct?

For example, I know in Microsoft DPM you can run a PowerShell script to associate a user cert with a specific user.
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39836789
You are correct, since there will be no user profile on that computer.
 
LVL 20

Author Comment

by:compdigit44
ID: 39836822
Great, thanks for validating my theory...

Are there any tools / commands that would help me to test that the computer and/or user certificates are working correctly?
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 39837454
If the certificate imports then it is of the proper format. You can manually traverse up the chain to ensure that every certificate is within its validity period. You can test a website's cert in various online places, e.g. http://www.sslshopper.com/ssl-checker.html
 
LVL 20

Author Comment

by:compdigit44
ID: 39837486
So there is no real "tool" per se to test a computer or user cert that is not tied to a website, correct?
 
LVL 82

Accepted Solution

by:David Johnson, CD, MVP (earned 500 total points)
ID: 39837510
Only because it also has to check revocation lists and online responders... You could use

certutil -user -verifystore My
certutil -verifystore My
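As an added example (not from the thread), the following PowerShell script does from the workgroup host what the accepted answer and gurutc's earlier comment about stores describe: for every certificate in the machine's Personal store it builds the chain with online revocation checking (CRL and OCSP), requires the Client Authentication EKU, prints any chain status problem, and reports which local store each issuing CA certificate was found in, so a CA certificate that landed in the wrong store or the wrong profile stands out. It assumes the custom template, like the built-in Computer template, issues certificates with the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); the .NET `X509Chain` class it uses wraps the same CryptoAPI chain engine that `certutil -verify` does.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the
# workgroup (DMZ) host. Assumption: the custom template, like the built-in
# Computer template, issues certificates carrying the Client Authentication EKU.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

# Stores where a CA certificate may legitimately (or accidentally) live
$CaStores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
              'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root',
              'Cert:\CurrentUser\CA')

function Find-CertStores {
    param([string]$Thumbprint)
    # Return every store path holding a certificate with this thumbprint
    foreach ($path in $CaStores) {
        if (Get-ChildItem $path | Where-Object { $_.Thumbprint -eq $Thumbprint }) { $path }
    }
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $policy = $chain.ChainPolicy
    # Check revocation for every element using the CDP / AIA URLs in the certs;
    # this is the part a manual look at validity dates does not cover.
    $policy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $policy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the Client Authentication EKU; Build() reports NotValidForUsage otherwise
    $policy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid -ArgumentList $ClientAuthOid)) | Out-Null

    $valid = $chain.Build($cert)

    Write-Host ''
    Write-Host ("Subject      : {0}" -f $cert.Subject)
    Write-Host ("Thumbprint   : {0}" -f $cert.Thumbprint)
    Write-Host ("Validity     : {0} to {1}" -f $cert.NotBefore, $cert.NotAfter)
    Write-Host ("Private key  : {0}" -f $cert.HasPrivateKey)   # must be True to authenticate
    Write-Host ("Chain builds : {0}" -f $valid)
    foreach ($status in $chain.ChainStatus) {
        # Typical values: NotTimeValid, UntrustedRoot, PartialChain, Revoked,
        # RevocationStatusUnknown, OfflineRevocation, NotValidForUsage
        Write-Host ("  problem: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }

    # Walk the chain above the leaf and say where each issuer was found locally
    foreach ($element in $chain.ChainElements) {
        $issuer = $element.Certificate
        if ($issuer.Thumbprint -eq $cert.Thumbprint) { continue }
        $where = @(Find-CertStores -Thumbprint $issuer.Thumbprint)
        if ($where.Count -eq 0) { $where = @('not in any local CA store (obtained via AIA fetch)') }
        Write-Host ("  issuer {0} -> {1}" -f $issuer.Subject, ($where -join ', '))
    }
    $chain.Reset()
}
```

A chain that builds but reports RevocationStatusUnknown or OfflineRevocation means the CRL distribution point or OCSP responder could not be reached from the DMZ; since the host is outside the domain it cannot fall back to the LDAP CDP, so the HTTP CDP must be published and reachable through the firewall. For a single exported certificate, `certutil -verify -urlfetch <file.cer>` gives the same verdict from the command line along with every URL it tried.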
 
LVL 20

Author Comment

by:compdigit44
ID: 39837528
Thanks for the great tips and guidance...
