Last post Oct 14, 2012 05:52 PM by ReVeLaTeD
Oct 14, 2012 05:52 PM | ReVeLaTeD
Not a question - thought to submit a possible solution for people.
From what I can tell this error is thrown by .NET in three instances.
I can't help with #1 except to ask why you're referencing HTTPS on a server that doesn't seem to need it (i.e. no cert).
I can't help with #3. It'd have to be fixed at the source (certificate has to match server name, a common problem when using CNAMEs or alternate domains).
#2, I found some funky behavior on Server 2008 R2 and thought to share my findings.
Previously, in the XP/2000/2003/NT world (and maybe my memory is failing), I seem to recall that when a workstation administrator installed a certificate, said certificate was automatically available to any user or account on that box unless you explicitly installed it in a personal store.
In a recent exercise, I noticed that 2008 R2 kept putting my CA cert into "Intermediate Certification Authorities", whatever that means. I would literally select "Trusted Root Certification Authorities" and it would give the confirmation message and tell me it put it there, but the code still wouldn't work. If I viewed the store in Internet Explorer, it showed in Trusted Root Certification Authorities.
Opening Management Console (mmc.exe) and adding the Certificates snap-in for both the Computer and Local User revealed that Internet Explorer was essentially lying to me. In my local user hierarchy in MMC, the certificate was not in Trusted Root Certification Authorities, but in Intermediate Certification Authorities, even though IE still showed the cert in Trusted Root Certification Authorities. The Computer hierarchy didn't even show the cert. Fortunately the interface supports drag-and-drop, so it was a simple matter to drag the CA cert to the Computer Trusted Root Certification Authorities store. Once done, the code no longer threw this error.
So either my memory of old times is faulty, or 2008 R2 has changed this behavior, possibly causing a bunch of inquiries that could have been avoided. UAC might also be a culprit since my environment has it cranked to the max for some reason. Either way, I guess my expectation is that if I'm an admin on a box, the simple act of installing a certificate should either prompt me for the Computer stores, or automatically assume I want it done for every user of the computer. Otherwise what's the point of "trusted" if it doesn't apply at the computer level?
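
The store check described in the post above can also be scripted instead of done through MMC. This is an added example, not part of the original post: it reports which user and computer stores hold a given CA certificate and, if asked, adds it to the Computer Trusted Root store after verifying the thumbprint. The script name, parameter names and the choice of stores to scan are assumptions made for this example.

```powershell
# Find-CaCert.ps1 (hypothetical name). Run elevated if -CerPath is used.
param(
    [Parameter(Mandatory = $true)][string]$Thumbprint,  # expected CA cert thumbprint
    [string]$CerPath                                    # optional: CA .cer file to install
)

# Normalise thumbprints pasted from the certificate dialog (spaces, hidden chars).
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()

# Root = Trusted Root CAs, CA = Intermediate CAs, My = Personal.
$found = foreach ($location in 'CurrentUser', 'LocalMachine') {
    foreach ($store in 'Root', 'CA', 'My') {
        Get-ChildItem "Cert:\$location\$store" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Location   = $location
                    Store      = $store
                    Subject    = $_.Subject
                    SelfSigned = ($_.Subject -eq $_.Issuer)
                }
            }
    }
}
$found | Format-Table Location, Store, Subject, SelfSigned -AutoSize

$inMachineRoot = $found |
    Where-Object { $_.Location -eq 'LocalMachine' -and $_.Store -eq 'Root' }

if ($inMachineRoot) {
    'Certificate is present in the Computer Trusted Root store.'
} elseif ($CerPath) {
    $path = (Resolve-Path $CerPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    # Refuse to trust a file that is not the certificate we were told to expect.
    if ($cert.Thumbprint -ne $Thumbprint) { throw 'File does not match the expected thumbprint.' }
    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $rootStore.Open('ReadWrite')
    try { $rootStore.Add($cert) } finally { $rootStore.Close() }
    'Certificate added to the Computer Trusted Root store.'
} else {
    'Certificate is NOT in the Computer Trusted Root store; rerun with -CerPath to add it.'
}
```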