how to prevent "There is a problem with this website's security certificate" error

    Question

  • Hi all,

    So this is related to accessing internal websites when logged in to RDS servers. RDS servers don't have access to the internet, so when users open the internal websites they get this error message, because the server is not able to access the internet and validate the certificate presented by the web server.

    I have the certificate and the intermediate certificate that the web server uses, but I am not sure which store I should import them into, even though I tried all stores and of course for the intermediate I copied it to the intermediate store.

    any ideas?

    Thanks


    Mohsen Almassud

    Wednesday, October 31, 2012 11:26 PM

Answers

  • Hi,

    Thanks for your update.

    The error "there is a problem with this website's security certificate" can be caused by the SSL certificate for the website not having been issued by a trusted CA on the client side. To work around this issue, you need to install the Issuer CA in the Trusted Root Certification Authorities container.

    1. In Windows Internet Explorer, click Continue to this website (not recommended)

    2. Click the Certificate Error button to open the information window.

    3. Click View Certificates, and then verify the Issuer CA. Ensure it was trusted on all clients.

    Best Regards,

    Aiden

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Aiden Cao

    TechNet Community Support

    Tuesday, November 06, 2012 5:18 AM
  • Hello,

    To get rid of the error, you can either (1) get a trusted certificate from a trusted CA (GoDaddy, VeriSign) or (2) trust the certificate issued by your server.

    To do the latter:

    1. In Explorer Options, add the URL to your trusted sites. Exit Explorer.

    2. Open Explorer again and navigate to the site and click continue to this Web site.

    3. Click on the certificate error then select view certificates.

    4. Click install certificate and place it in your trusted certificates authority.

    5. Exit Explorer then open the page again. Error should be gone.

    Note: There cannot be a mismatch. i.e. you cannot trust an issued cert for sharepoint.domain.com if the site you are visiting is www.domain.com. If that's the case, you will still get the error.


    Miguel Fra | Falcon IT Services, Miami, FL
    www.falconitservices.com | www.falconits.com | Blog



    Tuesday, November 06, 2012 5:34 AM
  • it's a pleasure.

    To be honest, the only thing that bugs me is that you got that error with a VeriSign CA.

    Just to be sure, is the certificate name in it like *.domain.local, as it's a wildcard one? Do the users connect to webserver.domain.local, or do they use something like webserver.domain.com? And did you put the correct binding in your IIS (to fit the SSL cert if it's webserver.domain.local, for example)? Good link to double check: http://www.digicert.com/ssl-certificate-installation-microsoft-iis-7.htm


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Friday, November 09, 2012 4:01 AM

All replies

  • Hi,

    From the screenshot, I assume that you are trying to access the RD Web Access site. Please make sure the subject name of the certificate used matches the name of the web site. In addition, in the IIS Manager Binding dialog of the RD Web Access server, you need to bind port 443 with the certificate. On all clients, ensure the Issuer of the certificate is trusted.

    For more detailed information, you may refer to the following article.

    Add or Edit Site Binding Dialog Box

    http://technet.microsoft.com/en-us/library/cc771629.aspx

    Minimum Certificate Requirements for Typical RDS implementation

    http://blog.kristinlgriffin.com/2010/08/minimum-certificate-requirements-for.html


    Best Regards,

    Aiden

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.


    Aiden Cao

    TechNet Community Support


    Friday, November 02, 2012 5:16 AM
  • Aden,

    We do not use RD Web, and we get the page when a user who's connected to a session host tries to access a SharePoint page from the session host. As I mentioned, all session hosts do not have access to the internet; only access to the Intranet is allowed.

    Thanks


    Mohsen Almassud

    Friday, November 02, 2012 11:04 AM
    The error message is being seen on RDS servers when accessing Intranet sites. Those Intranet sites have VeriSign certificates, and the only reason that RDS servers are not able to validate those certificates is that RDS servers don't have access to the internet due to security compliance, and therefore RDS servers will not be able to query a CA or check revocation lists.

    There has got to be a way to force IE not to check certificates and just accept them as they are, because we know and trust those Intranet web servers.

    any ideas?


    Mohsen Almassud

    Wednesday, November 07, 2012 4:11 AM
    Hi,

    yes, you can change the setting in IE 8

    in Internet Options / Advanced

    and uncheck

    "Check for server certificate revocation"

    Stef71

    Wednesday, November 07, 2012 4:25 AM
  • I have that one unchecked already but for whatever reason the error is still displayed.

    is there anything that I can change in registry to make those settings work for all users?


    Mohsen Almassud

    Wednesday, November 07, 2012 4:30 AM
    It is not a good idea, because this will make it impossible to revoke certificates and will cause security issues.

    The best thing is to resolve your issue.

    First, export the certificate in trouble to your desktop,

    then run from cmd (the exported file name is whatever you saved it as):

    certutil -urlfetch -verify exported-cert.cer > output.txt

    Look in the file to see if you have any dwErrorStatus <> 0

    and this will tell you where in the chain the problem is.

    Can you post the portion in trouble?

    Stef71

    Wednesday, November 07, 2012 5:27 AM
  • On Wed, 7 Nov 2012 04:25:15 +0000, Stef71 wrote:

    > in the internet option / Advance
    > and uncheck
    > the "check for server certificate revocation "

    Ok, we need to back up a bit here back to the original post that details
    the error message.

    Sorry Stef71 but this has nothing at all to do with revocation checking.
    There are 2 problems here:

    1. The clients do not trust the certificate chain.
    2. The URL being used to access the SharePoint site(s) does not match
    either the Subject or Subject Alternate name in the issued certificate.

    Turning off revocation checking will have zero impact on either of these
    errors.

    If the computers on which the browser session is being run do not have the
    root CA certificate in the root store of the computer account, it needs to
    be added to that store. If the computers on which the browser session is
    being run do not have access to the AIA location(s) in the certificate then
    the intermediate certificate(s) need to be added to the computer account's
    intermediate store. That should solve error #1.

    For error #2 you need to compare the URL being used to access the web sites
    in question with the Subject and Subject Alternate name in the certificate.
    The error clearly indicates that you're not going to find a match there. To
    resolve this error you're going to have to do one of the following:

    1. Request a new certificate from Verisign with the correct Subject/SAN.
    2. Rename the servers to match the Subject/SAN in the current certificate.
    3. Educate your users to use the correct URL to access the server(s).

    Again, at least for now, you need to forget about revocation checking and
    concentrate on resolving the real errors.


    Paul Adare
    MVP - Forefront Identity Manager
    http://www.identit.ca
    All computers run at the same speed...  with the power off.

    Wednesday, November 07, 2012 7:14 AM
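    Paul's post separates the two failures (an untrusted or incomplete chain, and a URL that does not match the Subject/SAN), and Stef71's certutil command checks the first of them. The script below is an added diagnostic, not something posted in the thread, that checks both from an exported server certificate on the RDS host itself, without any internet access. The file path and host name are placeholders; it uses the .NET X509Chain API with revocation checking disabled, so the only thing that can fail chain building is a missing root or intermediate in the computer's stores, which is exactly the condition the thread is chasing.

```powershell
# Added diagnostic (not from the thread): tell "chain not trusted" apart from
# "name mismatch" for an exported server certificate, offline.
# Assumptions (placeholders): the certificate was exported to C:\temp\site.cer
# and users reach the site as https://sharepoint.domain.com
param(
    [string]$CertPath = 'C:\temp\site.cer',
    [string]$HostName = 'sharepoint.domain.com'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

# --- Error #2: does the URL host match the Subject CN or a DNS SAN entry? ---
function Test-HostMatch {
    param([string]$Pattern, [string]$Name)
    $Pattern = $Pattern.ToLowerInvariant(); $Name = $Name.ToLowerInvariant()
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one label to the left of the suffix:
        # *.domain.com matches sharepoint.domain.com but not a.b.domain.com
        $suffix = $Pattern.Substring(1)            # ".domain.com"
        if ($Name.Length -le $suffix.Length -or -not $Name.EndsWith($suffix)) { return $false }
        $left = $Name.Substring(0, $Name.Length - $suffix.Length)
        return -not $left.Contains('.')
    }
    return $Pattern -eq $Name
}

$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += $cn }
# Subject Alternative Name extension (OID 2.5.29.17); Format() yields
# "DNS Name=a.domain.com, DNS Name=*.domain.com" on an English system
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    $names += ($san.Format($false) -split ',\s*' |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}
$nameOk = $false
foreach ($n in $names) { if (Test-HostMatch $n $HostName) { $nameOk = $true } }

# --- Error #1: does the chain build from this machine's certificate stores?
# NoCheck skips CRL/OCSP, so revocation (which Paul points out is irrelevant
# here) cannot be the reason for a failure. On a host with no internet the
# AIA download cannot succeed either, so a missing intermediate surfaces as
# PartialChain and a missing root as UntrustedRoot.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 5   # don't hang on AIA fetch
$chainOk = $chain.Build($cert)

"Names in certificate        : $($names -join ', ')"
"URL host '$HostName' matches : $nameOk   (error #2 if False)"
"Chain builds from stores     : $chainOk  (error #1 if False)"
foreach ($s in $chain.ChainStatus) { "  - $($s.Status): $($s.StatusInformation.Trim())" }
"Chain elements found:"
foreach ($e in $chain.ChainElements) { "  $($e.Certificate.Subject)" }
```

    Run it on the session host (not on a workstation, whose stores differ) once per site URL the users actually type. A False on the first line is fixed only by a new certificate or a different URL; a False on the second line names the missing store entry via the ChainStatus reason.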
  • Paul,

    The certificate that we have is a wildcard certificate, so it does not really need any alternative names. What I'd like to make sure is clear is that all servers do not have access to the internet, so regardless of how good or bad the certificate is, an error will be displayed.

    That's why we are talking about disabling checking on the certificate altogether. I also have the certificate, so I can install it on any of the servers if that helps.

    Thanks


    Mohsen Almassud

    Thursday, November 08, 2012 1:47 AM
    Adding the site to the trusted sites could help, and manually install the certificate in the server store.

    As VeriSign is a trusted CA in Windows, as Paul means, the error will come if the certificate name does not match the server FQDN that the user types to access your resource. Is that certificate installed in your root CA store? http://technet.microsoft.com/en-us/library/cc772491.aspx


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Thursday, November 08, 2012 2:03 AM
    Yes, the certificate is fully supported, so that's not the problem.

    I'll add the site to trusted sites. Would you mind telling me which store I should install the certificate in?

    Thanks


    Mohsen Almassud

    Thursday, November 08, 2012 2:10 AM
    I would try the computer store on the RDS server,

    Enterprise Trust

    A container for certificate trust lists. A certificate trust list provides a mechanism for trusting self-signed root certificates from other organizations and limiting the purposes for which these certificates are trusted.

    (edited: for the trusted site path, you must set the security to medium-low too to make it work)


    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/


    Thursday, November 08, 2012 2:28 AM
  • Yagmoth555,

    would you mind naming the store from the image below?


    Mohsen Almassud

    Thursday, November 08, 2012 2:33 AM
    Put it in the computer object to affect everyone; you have opened the MMC as the current user's store.

    MCP | MCTS 70-236: Exchange Server 2007, Configuring

    Want to follow me ?  |  Blog: http://www.jabea.net | http://blogs.technet.com/b/wikininjas/

    Thursday, November 08, 2012 3:19 AM
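    Paul's and Yagmoth555's replies come down to the same placement rule: the computer account's stores on the session host, with the self-signed root in Trusted Root Certification Authorities and any intermediate in Intermediate Certification Authorities. The script below is an added example, not code from the thread, that applies that rule to exported .cer files and refuses to put the web server's own certificate into a trust store (a leaf certificate is not a CA and does not belong there, whichever store it is pasted into). The file paths and the issuer filter are placeholders; certutil is used for the import because it works on the 2008 R2-era hosts in this thread as well as on newer ones.

```powershell
# Added example (not from the thread): import exported issuer certificates into
# the LocalMachine (computer account) stores of an RDS session host so every
# user's IE session on that host trusts the chain.
# Placeholder file names; export your own root and intermediate from the site.
#Requires -RunAsAdministrator
$files = @('C:\temp\VeriSignRoot.cer', 'C:\temp\VeriSignIntermediate.cer')

foreach ($f in $files) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($f)

    # Only CA certificates go into trust stores. The web server's own (leaf)
    # certificate has no CA basic constraint and is skipped on purpose.
    $bc = $c.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        "skipping $f : not a CA certificate ($($c.Subject))"
        continue
    }

    # Self-signed (Subject equals Issuer) means root -> Trusted Root store ("Root").
    # Anything else in the issuer chain is an intermediate -> "CA" store.
    $store  = if ($c.Subject -eq $c.Issuer) { 'Root' } else { 'CA' }
    $target = "Cert:\LocalMachine\$store"

    if (Get-ChildItem $target | Where-Object { $_.Thumbprint -eq $c.Thumbprint }) {
        "already in $target : $($c.Subject)"
        continue
    }

    # certutil -addstore without -user writes the computer (LocalMachine) store,
    # which is the "computer object" Yagmoth555 refers to; -f overwrites quietly.
    & certutil.exe -addstore -f $store $f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil failed for $f (exit $LASTEXITCODE)" }
    "imported into $target : $($c.Subject) [$($c.Thumbprint)]"
}

# Confirm from the stores themselves what ended up where (placeholder filter).
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Where-Object { $_.Issuer -like '*VeriSign*' } |
    Select-Object PSParentPath, Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

    Run it in an elevated PowerShell on each session host (or push the same two files through Group Policy's Computer Configuration > Public Key Policies for all hosts at once); then retry the site in a fresh IE session, since IE caches the chain result for the session.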
    Got it. I had that window open on my workstation just to display the stores, but I understand that I'll open MMC and then add the Certificates snap-in for the computer account.

    I'll try this again, because I tried it before and it didn't seem to do the trick but I am willing to try it again.

    Thanks a lot for your help.


    Mohsen Almassud

    Friday, November 09, 2012 3:29 AM