Certificate path as a user is different than the path seen on the computer.

    Question

  • We have a number of certificate authorities that we trust outside of our environment. The root certificates and intermediate CA certificates are propagated to all clients through the enterprise container (saved into the Configuration container in AD with -dspublish). Recently a small number of users have reported problems accessing web sites that require certificate-based logon. When we look at root / issuing CA certificates as an administrator (MMC \ Certificates Snap-in \ Local Computer) the certificates show the expected path (Root Certificate \ Intermediate CA). When we look at the same certificates through IE as the user, the path looks completely different, and a lot more CAs are visible. If we delete the user profile completely, they get the right view of the certificates and they can again log on to web sites with their issued certificates.

    A few questions:

    Is there any way to reset the user's configuration so that they drop the certificates in the user's profile and use the ones pushed by Active Directory?

    Does anyone have a theory on how this might have happened so that we can prevent it from reoccurring?


    • Edited by Oldguard Tuesday, September 24, 2013 8:38 PM
    Tuesday, September 24, 2013 8:37 PM

Answers

  • Hi,

    As far as I know, each user has a personal certificate store that contains certificates that are issued to that user. User certificates reside in Documents and Settings\<username>\ApplicationData\Microsoft\SystemCertificates\My\Certificates for each user profile. These certificates in the user profile are written to the user's personal store in the system registry each time the user logs on to the computer. For roaming profiles, the user's certificates are located on the domain controller so the certificates follow users when they log on to different computers in the domain.

    We could run certmgr.msc command, open the console and then expand personal certificate, and then delete them.

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Cataleya Li
    TechNet Community Support

    • Marked as answer by Oldguard Friday, September 27, 2013 1:13 PM
    Thursday, September 26, 2013 6:41 AM
    Moderator

All replies

  • Hi,

    How about removing the certificates manually from IE? Hope the links below could be helpful:

    How do I remove a certificate with Internet Explorer (IE)?

    https://support.comodo.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=1255

    How to Remove, Import, and Export Digital Certificates

    http://support.microsoft.com/kb/179380

    Regards,

    Yan Li

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Cataleya Li
    TechNet Community Support

    Wednesday, September 25, 2013 7:14 AM
    Moderator
  • I was able to delete them from IE as the user. We have been trying to find a way to script it so that we can find the users that have the problem (so we can track who this is happening to) and can fix a user that is broken by just having them log out and log back on. We get close to 10 certificates that get pulled into the users' Intermediate Certification Authorities tab. I can see all of the certificates through PowerShell by using the cert:\currentuser\CA part of PowerShell, but when I try to Remove-Item it doesn't work.

    Is it possible to:

    1. Identify which certificates are local to the user's profile using a script?
    2. Remove them from the user's profile using a script?
    Wednesday, September 25, 2013 4:13 PM
  • The registry key seems to be the key on this. We found the certificates where you said they would be. We can use the key name (which turns out to be the same as the thumbprint) to check to see if the certificate is in the computer certificate store.

    Greatly appreciate the help.

    Friday, September 27, 2013 1:14 PM
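A way to script the two steps asked earlier in the thread (identify the CA certificates that exist only in the user's profile by their registry key name, then remove them), as an added PowerShell example that is not code from the thread. It assumes the profile-local Intermediate CA store is the registry key HKCU:\Software\Microsoft\SystemCertificates\CA\Certificates with one subkey per certificate named by its SHA-1 thumbprint (as the last reply found), and that the AD-published chain is visible under Cert:\LocalMachine\CA and Cert:\LocalMachine\Root.

```powershell
# Added example, not code from the thread. Assumed locations (see lead-in):
#   user profile copy : HKCU:\Software\Microsoft\SystemCertificates\CA\Certificates\<thumbprint>
#   machine-trusted   : Cert:\LocalMachine\CA and Cert:\LocalMachine\Root
$script:UserCaKey = 'HKCU:\Software\Microsoft\SystemCertificates\CA\Certificates'

function Get-ProfileLocalCaCert {
    # Thumbprints the machine already trusts (pushed via AD / Group Policy).
    $machineThumbs = @(Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
        ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

    if (-not (Test-Path -Path $script:UserCaKey)) { return }
    foreach ($key in Get-ChildItem -Path $script:UserCaKey) {
        # The registry subkey name is the certificate thumbprint.
        $thumb = $key.PSChildName.ToUpperInvariant()
        # Read the same certificate through the Cert: drive to get a readable subject.
        $cert = Get-Item -Path "Cert:\CurrentUser\CA\$thumb" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Thumbprint     = $thumb
            Subject        = $(if ($cert) { $cert.Subject } else { '(unreadable)' })
            # $false means this CA exists only in the profile, not in the machine store.
            InMachineStore = ($machineThumbs -contains $thumb)
        }
    }
}

function Remove-ProfileLocalCaCert {
    # Deletes the registry copy directly; Remove-Item on the Cert: drive did not
    # work for the poster, but the registry key is what holds the profile copy.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string[]]$Thumbprint)
    foreach ($t in $Thumbprint) {
        $path = Join-Path -Path $script:UserCaKey -ChildPath $t
        if ($PSCmdlet.ShouldProcess($path, 'Remove profile-local CA certificate')) {
            Remove-Item -Path $path -Recurse
        }
    }
}

# Usage: report first, then remove only the entries the machine store does not carry.
# Run in the affected user's session (a logon script fits the "log out and back on" fix).
$stray = Get-ProfileLocalCaCert | Where-Object { -not $_.InMachineStore }
$stray | Format-Table -AutoSize
# Dry run; drop -WhatIf to actually delete:
# Remove-ProfileLocalCaCert -Thumbprint $stray.Thumbprint -WhatIf
```

Logging the Thumbprint column per user (for example to a central share) gives the inventory of affected accounts the thread was looking for, and the -WhatIf run shows exactly which keys would be removed before anything is deleted.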