Does IAG need to talk to the CA for Certified Endpoint?

    Question

  • Hi Guys,

    I have a remote CA. I copied the certificate chain from the CA using USB and copied it into the IAG (SP2 U3) trusted root certificates.

    Now, is it mandatory for IAG to talk to the CA after this?

    The issue I am facing is that when I check the Use Endpoint Certification check box in Advanced Configuration --> Session tab, I get an error page in IE stating "Internet Explorer cannot display the webpage". When I look at HttpWatch, there is an error "ERROR_HTTP_INVALID_SERVER_RESPONSE" for the GET request to the URL "https://remote.marksandspencercate.com/InternalSite/cert.asp?site_name=remote".


    Regards, R@j
    Friday, 26 March 2010 16:51

Answers

All replies

  • You mentioned the certificate chain but not the Certificate Revocation List; perhaps it is trying to retrieve the CRLs from an internal-only URL?

    I also notice that https://remote.marksandspencercate.com/ uses a self-signed certificate, so you will get errors because of that.

    Normally, in a properly configured public-facing PKI, things validating the certificate do not talk to the CA, but they do talk to the AIA (CA certificates) and CDP (CRLs) locations, which are normally public URLs. In poorly designed or internal-only PKIs, things validating the certificate will try to talk to an internal LDAP server or URL.

    (Note that some designs use OCSP instead of, or as well as, CRLs, but you basically have the same issue.)

    Friday, 26 March 2010 23:40
  • Is it mandatory that the IAG Server should be a part of the domain for End Point Certification?
    Regards, R@j
    Monday, 29 March 2010 16:33
  • No, it is not.
    Ben Ari
    Microsoft CSS IAG Support
    Sammamish, WA
    Wednesday, 31 March 2010 19:18
    Owner