Windows 2008 Computer Cert Authentication Troubleshooting

I am in the process of setting up a McAfee agent handler in our DMZ which is not joined to the domain.

On our internal CA I have created a new computer template, and I have requested and applied a cert based on the new template to my DMZ host and to the internal McAfee ePO and DB servers.

During the DMZ agent handler install, the app is not able to authenticate to the DB server using the domain credential, but it works fine using the SQL sa account, which I do not want.

I am not 100% certain that I have set up my cert correctly.

Is requesting a new cert based off my new cert template and saving the cert to the machine's personal cert store correct? Does the certificate authentication work because all servers are using a cert based off the same template? Is there any way to make sure my certs are working correctly?

I have ruled out the Windows and our network firewalls.

David Johnson, CD, MVP (Owner) commented:
Only because it has to also check revocation lists and online responders ... you could use certutil -verifystore -user
certutil -verifystore
David Johnson, CD, MVP (Owner) commented:
The non-domain-joined machine does not have the CA root certificate in its trusted root store, therefore it will choke because when it traverses up the certificate chain it will fail. Most people don't set up the CA properly. How many tiers are in your CA? Did you set up the OCSP properly? How about your primary and delta CRLs and their responder?

I suggest you watch this and the other nicconf videos by Brian Komar.
compdigit44 (Author) commented:
Thank you for your reply.

I created the cert on my internal subordinate CA. The first thing I did on my non-domain-joined server was download the complete CA chain and place it in the Trusted Root store.

I did not do anything with the OCSP or CRLs. I just made a copy of the Computer certificate template, then selected this template type when requesting a cert for all of the servers my non-domain-joined server needs to talk to.

compdigit44 (Author) commented:
OK, I have been giving this a lot of thought, not to mention testing, and have a theory as to why I am not able to log into my app using a domain account on a workgroup server.

1) My workgroup / DMZ server has a computer cert applied to it and the CA chain installed in the trusted local CA store.

2) During the install process the app wants the domain credentials of an account to authenticate against the DB. However, this works fine with SQL authentication.

Here is my theory: I have a computer cert to authenticate the workstation, but the user account is a domain account and may need a cert. But since I am logged into the workstation with a local account, there is no way for me to associate a cert with a domain user.

Does this make sense?

Also, what is the best way to test whether certificate authentication "is" working? Are there any tools I should use?
Unable to understand what the exact issue / question related to the certificate is?

You are unable to access the DB from the workgroup server with a domain account? And if you use the SA account, you are able to access it?

Any specific reason for not using the SA account for authentication?

If you could please shed some light here?


Try putting all the certs in the domain chain into the Trusted Third-Party Root Certification Authorities store. The domain certs are "third-party" to your non-domain server.

- gurutc
David Johnson, CD, MVP (Owner) commented:
Upon further reading I don't think that certificates are coming into play here at all. You state that for your application to log in to the SQL server it cannot use Windows authentication and only SA authentication. Have you tried using domain\user or for the login with the appropriate password?
compdigit44 (Author) commented:
Thanks for the reply. Yes, I did try both user login formats suggested and they did not work.

I was also informed by the vendor that they do not support user logins via certificate, but for my own knowledge:

If a workstation is not joined to a domain but needs to connect to a remote server via a domain account, there is no way to import the user's domain cert into the non-domain computer because there is no way to associate the user cert with the correct user account.

Is this statement correct?

For example, I know in Microsoft DPM Protect you can run a PowerShell script to associate a user cert with a specific user.
David Johnson, CD, MVP (Owner) commented:
You are correct, since there will be no user profile on that computer.
compdigit44 (Author) commented:
Great, thanks for validating my theory.

Are there any tools / commands that would help me test whether the computer and/or user certificates are working correctly?
David Johnson, CD, MVP (Owner) commented:
If the certificate imports then it is of the proper format. You can manually traverse up the chain to ensure that every certificate is within its validity period. You can test a website's cert in various online places, i.e.
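As an added example that is not part of any post in this thread, the check below does what the `certutil -verifystore` suggestion earlier and the "traverse up the chain" advice above describe, but from PowerShell on the non-domain-joined host: for each cert in the machine's Personal store it reports the validity window, whether the private key is present, the EKUs, the issuing template, and whether a chain can be built to a trusted root with online CRL/OCSP checking. The template-extension OIDs are the standard Microsoft ones; the filtering on them is an assumption that the certs were issued from an enterprise CA template.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DMZ host.
# Equivalent in spirit to: certutil -verifystore My

# Microsoft "Certificate Template Information" (v2) and "Certificate Template Name" (v1) extensions
$templateOids = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'
$now = Get-Date

foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Which template issued this cert (blank if it was not issued from an AD CS template)
    $tpl = ($cert.Extensions |
            Where-Object { $templateOids -contains $_.Oid.Value } |
            ForEach-Object { $_.Format($false) }) -join '; '
    if (-not $tpl) { $tpl = '(no template extension)' }

    # Enhanced Key Usages, e.g. Client Authentication / Server Authentication
    $ekus = ($cert.Extensions |
             Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
             ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName } }) -join ', '

    # Build the chain the way a relying party would: every link must chain to a
    # trusted root and revocation is checked online (CRL distribution points / OCSP).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus |
                ForEach-Object { "$($_.Status): $($_.StatusInformation)".Trim() }) -join '; '
    if (-not $status) { $status = 'OK' }
    $path    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    $chain.Dispose()

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        Template      = $tpl
        HasPrivateKey = $cert.HasPrivateKey
        EKU           = $ekus
        InValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        NotAfter      = $cert.NotAfter
        ChainBuilds   = $chainOk
        ChainPath     = $path
        ChainStatus   = $status   # e.g. UntrustedRoot, RevocationStatusUnknown, OfflineRevocation
    }
}
```

A `ChainStatus` of `UntrustedRoot` means the CA chain is not in the machine's Trusted Root store; `RevocationStatusUnknown` or `OfflineRevocation` means the DMZ host cannot reach the CRL or OCSP responder, which is the point raised earlier about CRLs and responders.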
compdigit44 (Author) commented:
So there is no real "tool" per se to test a computer or user cert that is not tied to a website, correct?
compdigit44 (Author) commented:
Thanks for the great tips and guidance.