Solved

Windows 2008 Computer Cert Authentication Troubleshooting

Posted on 2014-01-31
Last Modified: 2014-02-05
I am in the process of setting up a McAfee agent handler in our DMZ which is not joined to the domain.

On our internal CA I have created a new computer template and applied a cert based on the new template to my DMZ host and to the internal McAfee ePO and DB servers.

During the DMZ agent handler install the app is not able to authenticate to the DB server using the domain credential, but it works fine using the SQL sa account, which I do not want.

I am not 100% certain that I have set up my cert correctly.

Is requesting a new cert based off my new cert template and saving the cert to the machine's Personal cert store correct? Does the certificate authentication work because all servers are using a cert based off the same template? Is there any way to make sure my certs are working correctly?

I have ruled out the Windows and our network firewalls.
Question by:compdigit44
13 Comments
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39825656
The non-domain-joined machine does not have the CA root certificate in its trusted root store, therefore it will choke because when it traverses up the certificate chain it will fail. Most people don't set up the CA properly... how many tiers are in your CA? Did you set up the OCSP properly? How about your primary and delta CRLs and their responder?

I suggest you watch this http://vimeo.com/35053082 and the other nicconf videos by Brian Komar.
 
LVL 20

Author Comment

by:compdigit44
ID: 39826613
Thank you for your reply..

I created the CA on my internal subordinate CA. The first thing I did on my non-domain-joined server was download the complete CA chain and place it in the Trusted Root store...

I did not do anything with the OCSP or CRLs... I just made a copy of the Computer certificate template, then selected this template type when requesting a cert for all of the servers my non-domain-joined server needs to talk to.
 
LVL 20

Author Comment

by:compdigit44
ID: 39830540
Ok, I have been giving this a lot of thought, not to mention testing, and have a theory as to why I am not able to log into my app using a domain account on a workgroup server.

1) My workgroup / DMZ server has a computer cert applied to it and the CA chain installed in the trusted local CA store.

2) During the install process the app wants the domain credentials of an account to authenticate against the DB. However, this works fine with SQL authentication...

Here is my theory: I have a computer cert to authenticate the workstation, but the user account is a domain account and may need a cert. But since I am logged into a workstation with a local account there is no way for me to associate a cert with a domain user...

Does this make sense????

Also, what is the best way to test if certificate authentication "is" working? Are there any tools I should use?
 
LVL 38

Expert Comment

by:Mahesh
ID: 39834968
Unable to understand what the exact issue / question related to the certificate is?

You are unable to access the DB from the workgroup server with a domain account? And if you use the SA account, you are able to access it?

Any specific reason for not using the SA account for authentication?

If you could please shed some light here?

Mahesh
 
LVL 16

Expert Comment

by:gurutc
ID: 39835353
Hi,

Try putting all the Certs in the Domain chain into the Trusted Third Party Root Certification Authorities Store.  The Domain Certs are 'third-party' to your non-domain server.

- gurutc
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39836368
Upon further reading I don't think that certificates are coming into play here at all. You state that for your application to log in to the SQL server it cannot use Windows authentication and only SA authentication. Have you tried using domain\user or user@domain.xxx for the login with the appropriate password?
 
LVL 20

Author Comment

by:compdigit44
ID: 39836620
Thanks for the reply. Yes, I did try both user login formats suggested and they did not work.

I was also informed by the vendor that they do not support user logins via certificate, but for my own knowledge...

If a workstation is not joined to a domain but needs to connect to a remote server via a domain account, there is no way to import the user's domain cert into the non-domain computer because there is no way to associate the user cert with the correct user account...

Is this statement correct?

For example, I know in Microsoft DPM protect you can run a PowerShell script to associate a user cert with a specific user.
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39836789
You are correct since there will be no user profile on that computer
 
LVL 20

Author Comment

by:compdigit44
ID: 39836822
Great, thanks for validating my theory...

Are there any tools / commands that would help me to test that the computer and/or user certificates are working correctly?
 
LVL 84

Expert Comment

by:David Johnson, CD, MVP
ID: 39837454
If the certificate imports then it is of the proper format. You can manually traverse up the chain to ensure that every certificate is within its validity period... you can test a website's cert on various online places, i.e. http://www.sslshopper.com/ssl-checker.html
 
LVL 20

Author Comment

by:compdigit44
ID: 39837486
So there is no real "tool" per se to test a computer or user cert that is not tied to a website, correct?
 
LVL 84

Accepted Solution

by: David Johnson, CD, MVP earned 2000 total points
ID: 39837510
Only because it has to also check revocation lists and online responders... you could use (for the current user's Personal store and the local machine's Personal store respectively):

certutil -user -verifystore My
certutil -verifystore My
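To put the two suggestions above (walk the chain and check validity periods, and have revocation via CRL/OCSP checked as certutil -verifystore does) into one repeatable check for the computer certs on the workgroup host, here is an added example that is not part of the thread or of any vendor tooling. It assumes the template-issued certs sit in the local machine Personal store (Cert:\LocalMachine\My) and that a usable computer cert should carry the Client Authentication EKU, which the default Computer template includes.

```powershell
# Added example: audit computer certs in the local machine Personal store.
# For each cert with a private key, build the chain with ONLINE revocation
# checking for the entire chain (CRL/OCSP, like certutil -verifystore),
# report the chain status, the root it ends at, validity and the
# Client Authentication EKU. Run from an elevated prompt on the DMZ host.

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-MachineCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag =
        [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # NoFlag = strict: untrusted root, expired cert, unreachable CRL all fail.
    $chain.ChainPolicy.VerificationFlags =
        [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $ok = $chain.Build($Cert)
    $status = if ($ok) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

    # The last element of a built chain is the root the host actually trusted.
    $root = if ($chain.ChainElements.Count -gt 0) {
        $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    } else { '(no chain built)' }

    # Look for the Client Authentication EKU in the Enhanced Key Usage extension.
    $hasClientAuth = $false
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $hasClientAuth = [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        }
    }

    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        NotBefore     = $Cert.NotBefore
        NotAfter      = $Cert.NotAfter
        HasPrivateKey = $Cert.HasPrivateKey
        ChainStatus   = $status      # e.g. 'UntrustedRoot', 'RevocationStatusUnknown', 'NotTimeValid'
        TrustedRoot   = $root
        ClientAuthEKU = $hasClientAuth
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Test-MachineCertificate -Cert $_ } |
    Format-List
```

A ChainStatus of UntrustedRoot points at the missing CA chain in the Trusted Root store that the first reply describes, while RevocationStatusUnknown or OfflineRevocation means the DMZ host cannot reach the CRL distribution point or OCSP responder through the firewall, which is the revocation check the accepted answer refers to.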
 
LVL 20

Author Comment

by:compdigit44
ID: 39837528
thanks for the great tips and guidance...