Having some trouble with a generalized single certificate (wanting to use as part of user/pass authentication) across multiple machines. Wanting to require this certificate be on a machine and the user enter their user/pass combination for authentication to portal/gateway (not user/machine specific cert). Not doing prelogon at this point. I can add this exported certificate into the Certificates (Local Computer) /Personal AND Trusted Root store ....all day long....and it makes no difference.
I can even specify in the portal agent config to use 22.214.171.124.126.96.36.199.2 for an OID- and also ensure that both Client certificate store look up - both "user and machine" is set on the portal...still nothing.
The only way I can get this to successfully work, is by placing the exported certificate into the Certificates -Current User - personal - store. ...then everything works perfectly. It's almost as if windows clients have issues accessing the machine store when a user is logged in? Anyone have experience with this, or something along these lines?
Maybe @MickBall answered part of this already below:
MS seems to hint at the fact that any machine store cert in the trusted root will be mirrored to the current user store trusted root- but NOT the Current User Personal:
"Be aware that all current user certificate stores except the Current User/Personal store inherit the contents of the local machine certificate stores."
Does a generic certificate have to be installed for every user under their current user personal certificate store?
Ok glad its working but you should still see the computer store from your browser.
the rules are as follows.
Local machine certificate store
This type of certificate store is local to the computer and is global to all users on the computer. This certificate store is located in the registry under the HKEY_LOCAL_MACHINE root.
Current user certificate store
This type of certificate store is local to a user account on the computer. This certificate store is located in the registry under the HKEY_CURRENT_USER root.
as a test why not open regedit as the user and see if you can view the local machine store... if you cannot then something strange is going on. If you can then it must be the browser. What browser are you using.
i always test my certs with IE. As much as i hate it it is still the most popular.
Ok catch up tomorrow but not sure where the intermediate cert is required for this.
could it also be that as you have been messing with certs that ie is using one that it thinks it should use but its the wrong one.
yes i would have a play on a fresh device and remove all personal certs from user store.
OK worth a check..
I use certs in the computer store and it works fine for when users are logged into the device.
I also do not use pre-logon.
with the certificate located in the computer/personal/certificates area have you tried browsing vi IE to your portal.
this may throw up a more helpful error than the portal.
Browsing to the Portal will throw the same error- "client certificate required"- it's like it doesn't see the cert at all....but the second I move it to the current user store---everything works....
I'm hearing that people have these certs in their machine stores, but I have yet to get this to successfully work
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!