cancel
Showing results for 
Search instead for 
Did you mean: 

Problems with new Certificate, NetworkConnect blocks

rdit_
Regular Contributor

Problems with new Certificate, NetworkConnect blocks

Hi there,

I ordered a new official certificate for our IVE, cause the old one was about to expire.

When importing the new certificate some IE users got the securityalert: "The security certificate was issued by a company you have chosen not to trust...".

To solve that I added lots of (sub-)rootcertificates to the trusted-server-ca's at the IVE.
now the securityalert does not appear anymore, but some users are experiencing the nc.error.23791 (securegateway denied the request from this client), which normally appears when a firewall is blocking the NC. means a user can log in, hostchecker passes but when NC is about to start, the errormessage appears.

to test if this has sth todo with the certificate, i put the old one back in (still valid for 10 days) and the error was not occuring anymore. so what can I do to install the new certificate without having errormessages?

the user uploaded his clientlogs, there i found this:

2009/07/06 08:29:13.828 dsNcService: t7F0 "DebugId" 'ncp' [Debug] ncp: ncpEstablish
for IVE www.company.com with context 003371CC
[b]2009/07/06 08:29:13.828 dsNcService: tD78 "DebugId" 'main' [Debug] main: Using DSSSL to
connect to IVE
2009/07/06 08:29:13.828 dsNcService: tD78 "DebugId" 'connect' [Debug] connect: creating
a new HTTP connection...
2009/07/06 08:29:44.468 dsNcService: tD78 "DebugId" 'dsssl' [Debug] dsssl: ive_cert_hash
= BLA, computed_hash = BLA 2009/07/06 08:29:44.468 dsNcService: tD78 "DebugId"
'connect' [Debug] connect: DSSSL_recv for sock 548 failed. Error 10061
2009/07/06 08:29:44.468 dsNcService: tD78 "DebugId" 'main' [Debug] main: SSL connect
failed. Error 10061[/b]
2009/07/06 08:29:44.468 dsNcService: tD78 "DebugId" 'conn' [Debug] conn: cleanup 0
[b]2009/07/06 08:29:44.468 dsNcService: t7F0 "DebugId" 'ncphandler' [Debug] ncphandler:
Unable to connect IVE. Error 274d
2009/07/06 08:29:44.468 dsNcService: t7F0 "DebugId" 'session' [Debug] session:
disconnecting from ive www.company.com with reason 5[/b]
2009/07/06 08:29:44.468 dsNcService: t7F0 "DebugId" 'adapter' [Debug] adapter: closing
tun adapter FFFFFFFF
2009/07/06 08:29:44.468 dsNcService: t7F0 "DebugId" 'adapter' [Debug] adapter:
unregistering the adapter IO handler

Some notebooks work, others do not and i dont have an idea why.

i was able to solve that problem on those notebooks by importing the official certificate to the browserstore of the notebook manually. then it's at the store "other people" and the networkconnect is not blocking anymore, everything works fine. but why do i have to install an official certificate on the client to get it working, the server-side should automatically give the certificate to the client.

our windows-team tried to deploy this file to all notebook via GPO, but this isnt working for some reason, the certificate is not present at the browserstore of the notebook.

at this time i used a self-sigend certificate, which works for all users.

thanks for any help!

Message Edited by rdit on 08-06-2009 12:48 AM
4 REPLIES 4
stine_
Super Contributor

Re: Problems with new Certificate, NetworkConnect blocks

If you have a working and a non-working laptop, can you compare their Trusted root certificates? If they both include the CA that signed your new cert, I'm not sure what the problem might be. One other question is: are all of your users using the same browser? Safari is supposed to use IE's certificate store, but I have seen this not work 100% of the time, and of course, Firefox maintains its own certificate store. Another thing to check is the certificate revocation checking settings.

Hope this helps.

rdit_
Regular Contributor

Re: Problems with new Certificate, NetworkConnect blocks

the browser store is identical, the browser [email protected]. what are the revocation settings and where can I find them?

i solved the problem by sending the certificate to all users, so that they import it manually to their browserstore. that seems to work, the certificate shows up at the "other persons" tab of the browserstore then.

yalferd_
Not applicable

Re: Problems with new Certificate, NetworkConnect blocks

I've seen this with certificate providers that use an intermediate cert such as Go Daddy. If that is the case, open the central manager, go to certificates, intermediate certificates and import the one that your cert supplier provides.
stine_
Super Contributor

Re: Problems with new Certificate, NetworkConnect blocks

You're right. I did have to download the GoDaddy cert chain file....IIRC, their CA is signed by Star...something...., so their CA is actually an intermediate CA. again, IIRC.