Certificate issue using Netbios/FQDN against Subject/SAN certificate

  • Question

  • Hi,

    Really confusing one here. Since this weekend (16/17 July) we have started getting Certificate errors on some sites and applications. This seems to be due to the structure of the URL compared to the "advertised" name IIS is presenting. I'll try to explain.

    I have a site, Website. This is in my domain, domain.com. Therefore the FQDN is website.domain.com. IIS is running and I can access this site through FQDN, NetBIOS or IP address. Good news.

    I create a certificate for the server using the FQDN as the subject, I add the Netbios and IP addresses in the Subject Alternate Names and Bind this to port 443 on the server.

    I browse to https://website and all is good. I browse to https://website.domain.com and I get a certificate error. Checking the certificate, everything is fine, no errors, chain is trusted. Open Chrome and do the same, and I get the message that the certificate website.domain.com is being presented by Website and may not be the site I want.

    Using either URL has never been a problem until this weekend, but it seems that IE/Windows/IIS is not liking any URL that is not EXACTLY what IIS is presenting. So my questions are:

    Is anyone else finding this?

    Can we issue a certificate that covers all possible DNS resolutions for a site?

    How do I control WHAT IIS advertises itself as?

    So far this has affected two major systems on our network and I can see that more will arise, so any help would be appreciated.

    Wednesday, July 20, 2016 8:56 AM
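The name-matching rules behind the asker's errors, as an added example (not code from the thread or from Microsoft): a small Python checker that takes a certificate in the shape Python's ssl.getpeercert() returns and reports which of the names users type (NetBIOS, FQDN, IP) a certificate does or does not satisfy. The certificate dict and the 10.0.0.5 address are constructed for the example; the thread gives no real values.

```python
import ipaddress
# Matching as browsers apply it (RFC 6125 / RFC 5280): with a subjectAltName
# extension present only SAN entries count and the subject CN is ignored; DNS names
# compare case-insensitively; a wildcard may only stand for the whole leftmost
# label; an IP literal typed into the URL must match an "IP Address" SAN entry.

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False  # partial-label ("web*") and bare "*" wildcards are rejected
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest

def cert_matches_host(cert: dict, hostname: str) -> bool:
    """cert is shaped like the dict ssl.SSLSocket.getpeercert() returns."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:  # URL used an IP literal
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    if sans:  # SAN present: the CN is not consulted at all
        return any(kind == "DNS" and _dns_name_matches(value, hostname)
                   for kind, value in sans)
    # No SAN extension: legacy CN fallback, which current browsers no longer honour
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False

# Constructed certificate modelled on the thread: subject = FQDN, SAN carrying the
# FQDN, the NetBIOS name and a placeholder IP (the thread gives no real address).
EXAMPLE_CERT = {
    "subject": ((("commonName", "website.domain.com"),),),
    "subjectAltName": (
        ("DNS", "website.domain.com"),
        ("DNS", "website"),
        ("IP Address", "10.0.0.5"),
    ),
}

def names_not_covered(cert: dict, names) -> list:
    """Names users type into the URL bar that this certificate would not satisfy."""
    return [name for name in names if not cert_matches_host(cert, name)]
```

Feed it the dict from `ssl.create_default_context().wrap_socket(...).getpeercert()` for a live server and the list of names your users actually use to spot which URL forms a certificate is missing.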

All replies

  • Hi,

    I found an article may help you.

    Why am I getting security certificate errors?

    https://askleo.com/why-am-i-getting-security-certificate-errors/

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Tao


    Please mark the reply as an answer if you find it is helpful.

    If you have feedback for TechNet Support, contact tnmff@microsoft.com

    Thursday, July 21, 2016 9:32 AM
    Moderator
  • Thanks Tao, but this isn't our issue. It seems that IIS presents a header for the website (let's say the NetBIOS name of the server, Website). When you access that site using a different name (for example the FQDN, website.domain.com) you get a certificate error. However the certificate is issued to "website.domain.com" and has "website" listed in the SAN. It seems as though if you access the site using a different name from the IIS header (even if that name is the Subject of the Certificate) you get a certificate name mismatch. This has only really started appearing since Monday (18th July) and is affecting sites that have been certificated and working OK for years.
    Thursday, July 21, 2016 9:49 AM
  • Hi, you can turn off certificate name mismatch errors from Tools > Internet Options > Advanced tab: uncheck "Warn of certificate name mismatches". Probably the update has turned it back on (the default). Check your GPO settings for the Advanced tab of Internet Options. Please include the full text or screenshots of any error messages with your questions. Regards.

    Rob^_^

    Friday, July 22, 2016 2:10 AM
  • Thanks Rob,

    This would work, however I'd rather fix the issue than hide it. I think turning off the warning would open us to risk from actual fraudulent sites. It also doesn't explain why this has suddenly started happening.

    Any other thoughts or ideas?

    Friday, July 22, 2016 8:36 AM
  • Hi,

    We haven’t heard from you in a couple of days, have you solved the problem? We are looking forward to your good news.

    Best Regards,

    Tao


    Wednesday, July 27, 2016 8:10 AM
    Moderator
  • I'm afraid you'll be disappointed.

    Issue is still there. Seems like the browsers complain if the certificate is issued to a server (or you use a URL) that isn't named identically to the IIS header being presented.

    This is quite obviously an issue if you're hosting multi-tenanted sites on the same server, even more so if the site is presented from the application installed rather than IIS (Symantec, LANGuard, Anixis and many others). This seems to be an issue with a new security update on Windows, similar to the TLS increase with update KB3161608.

    Once I get my new RootCA built, I will raise a case with MS, but I don't think I'll get much joy.

    Wednesday, July 27, 2016 8:23 AM