Win10 Test Machine on Domain using Win8.1 GPOs. SSL Certificate Errors.

  • Question

  • We are in the process of designing a new build based on Windows 10 Enterprise x64, however we always get SSL Certificate errors in web browsers and also an SSL error 47 for Citrix Receiver. The Group Policies that govern SSL etc on our Windows 8.1 computers do appear to have successfully taken hold on the new Windows 10 test machine. 

    We have not yet updated the ADML and ADMX files on our Server 2012R2 domain controllers as we didn't believe this was needed during the most basic of tests, literally web browser and Citrix Receiver usage testing (can it open, can we access internal and external websites).

    I have read that it could be something to do with System Time, however our time is synced with our DCs and is perfectly accurate with the rest of our estate. Also, this SSL issue is occurring no matter how many times we rebuild this test machine, even from the Source DVDs for all of 1511, 1607 and 1703 via our MDT 8443 server.

    I understand that this looks like a definite domain-based issue with the new operating system, as these errors do not occur when the PC is built directly from the DVD and placed directly onto the standalone internet line.

    Has anyone else had this issue and can you advise if this is something to do with a change in how Windows 10 deals with certificates or encryption, or if this is a common issue with Windows 10 getting rules from GPOM templates for Windows 8.1?

    Thanks.

    Wednesday, August 16, 2017 1:31 PM

All replies

  • Hi ProjectVRD,

    Based on my search, some people met the SSL error 47. You could try to disable TLS1.2 to check.

    Also the group policy may be related to the issue. You could try to disable it.

    Computer Configuration>Security Settings>Local Policies>Security Options>System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing

    You may also want to look at other System cryptography variables to see if it fixes the problem.

    As I understand it, it is possible that the ICA client does not support the set of ciphers below.

    https://support.microsoft.com/en-us/help/3161639

    Hope it will be helpful to you.



    Thursday, August 17, 2017 6:23 AM
    Moderator
  • Okay, this appears to be a mix of two problems. The first is that the certificates were not allowed to be updated via Windows Update; our previous senior contractor appears to have copied the certs from an old build to a new one and never enabled the option for WSUS to update the CTL and CRL. So Internet Explorer is now fixed.

    The 47 error with Citrix Receiver (version 4.8) may be due to the Citrix NetScalers needing an update, as there are reporting issues with particular cyphers being present in the list. The error may have first appeared in 4.7, which we haven't tested, but our NetScalers are due an update.

    Thank you for the help though.

    Tuesday, August 29, 2017 10:02 AM
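
The settings discussed in this thread (the FIPS policy, the cipher list, and whether the trusted-root list is allowed to update) can be read back from a domain-joined test machine in one pass. The script below is an added example, not something posted by the thread's participants; it is read-only, and the registry locations are the standard Windows ones, assumed here rather than taken from the thread.

```powershell
# Added example: read-only checks, run from an elevated PowerShell session
# on the Windows 10 test machine after Group Policy has applied.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

# 1. "System cryptography: Use FIPS compliant algorithms ..." (1 = enabled).
$fips = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy' 'Enabled'

# 2. Automatic root certificate (CTL) update; 1 = turned off by policy.
$noRootUpdate = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' 'DisableRootAutoUpdate'

# 3. Last time the trusted-root CTL was synchronised (stored as a binary FILETIME).
$syncRaw  = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate' 'LastSyncTime'
$lastSync = if ($syncRaw) {
    [DateTime]::FromFileTime([BitConverter]::ToInt64([byte[]]$syncRaw, 0))
} else { $null }

# 4. Cipher suite order pushed by Group Policy (comma-separated; absent = OS default order).
$gpoSuites = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002' 'Functions'

[pscustomobject]@{
    FipsPolicyEnabled      = ($fips -eq 1)
    RootAutoUpdateDisabled = ($noRootUpdate -eq 1)
    RootCtlLastSync        = $lastSync
    GpoCipherSuiteOrderSet = [bool]$gpoSuites
} | Format-List

if ($gpoSuites) {
    'Cipher suites enforced by GPO, in order:'
    $gpoSuites -split ',' | ForEach-Object { "  $_" }
}

# 5. Suites the machine will actually offer (cmdlet ships with Windows 10 / Server 2016).
'Effective TLS cipher suites:'
Get-TlsCipherSuite | ForEach-Object { "  $($_.Name)" }
```

Comparing the output from the domain-joined build with the same script run on the standalone DVD build shows which of these settings the Windows 8.1 GPOs are changing.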