Device does not trust the certificate. iPhone

  • Question

  • I downloaded and installed the Microsoft Authentication app on my iPhone 7 Plus (iOS 10.3.3).

    I log in to the server (running Multi-Factor Authentication Server 7.0.0.9) and generate an activation code for my user.
    I type that code and URL into the device and I get the error:
    "Device does not trust the certificate configured on the server. Contact your local IT administrator to resolve the problem."

    I did the same thing on my Android device and it works without any issues.
    I also downloaded all certificates in the chain onto the iPhone and manually trusted them... still no luck.

    The logs on the server don't seem to have any useful information...
    We are using Windows Authentication, not ADFS or anything else.
    We are not using any web application proxy.
    I have confirmed the correct certificate is in IIS.

    If I browse to the URL in the iPhone web browser... the certificate appears to be trusted (no warnings).


    Any ideas in troubleshooting this issue?

    Thanks,
    -Brandon


    Wednesday, September 6, 2017 6:59 PM

Answers

  • Hi Brandon Inabinet and Scott HM

    Our developers are rolling out the hotfix for this particular issue (v5.4.3 – currently in store review).

    Please note that the hotfix is a ‘short term solution’.

    For a long-term solution, update the SSL version to TLS 1.2 (this is required by Apple, and they might start enforcing it anytime).

    Regards,

    Walter


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Proposed as answer by Scott HM Friday, September 15, 2017 6:29 PM
    • Marked as answer by Brandon Inabinet Friday, September 15, 2017 7:52 PM
    Friday, September 15, 2017 6:17 AM

All replies

  • Hi

    What is the version of the Microsoft Authenticator app on your iPhone? The latest version is 5.4.2. If possible, you could re-install the latest version of the app and re-add your accounts.

    Are your certificates public Internet certificates or self-signed certificates? Based on my knowledge, a self-signed certificate could be trusted on your iPhone.

    Regards,

    Walter



    Thursday, September 7, 2017 6:23 AM
  • Sorry, when I first posted, I was only talking about myself, but we are having this issue with many iPhones.
    All the phones that are not working are using version 5.4.2.
    Also, all of the phones that are not working appear to be on iOS 10+.

    We found an older iPhone running iOS 7.1.2.
    We installed the Authenticator (Azure Authenticator 3.2.5 is the highest version allowed for this iOS) and it works fine.

    We have one confirmed user on iOS 10+ who already had the app installed, and his continues to work properly. There may be more like this... but right now we in IT are just trying to troubleshoot adding NEW devices (freshly installed app, first setup of this device).

    It is only when we go to Users > Mobile App Devices > Generate Activation Code
    and enter that info into an iPhone with iOS 10+ that we get the certificate error.

    The certificate we use for MFA is a valid public GoDaddy certificate.
    Just in case though,
    I manually copied/installed all of the internal and GoDaddy certificates on the iPhone and trusted them.

    We also upgraded the server side software to 7.3.0.3, still no luck.






    Thursday, September 7, 2017 6:13 PM
  • We are having the same exact issues in our environment with a very similar setup. Has anyone found the answer to this? Is this just a bug in the iOS app?

    Edit: In my own testing, I have determined that it looks like this issue may be specific to servers running IIS 7 (Server 2008 R2). On servers running IIS 8.5 (Server 2012 R2), this doesn't appear to be an issue despite having a nearly identical config as on IIS 7.


    • Edited by Scott HM Thursday, September 7, 2017 7:52 PM
    Thursday, September 7, 2017 7:33 PM
  • Hi Brandon Inabinet

    To troubleshoot this issue more efficiently, could you please send logs through the settings page? The newest version has a send logs option.

    After we send the log, we will get an event ID, please remember it and post it here.

    Regards,

    Walter



    Friday, September 8, 2017 5:56 AM
  • Walter, if Brandon is unable to send the logs for any reason, I will be able to do so on Monday 9/11. We are having literally the same exact issues in very similar environments.

    Thank you.

    Friday, September 8, 2017 8:36 PM
  • Sorry for the lack of response.
    I've been waiting to gain access to our Azure Portal as I don't see any send logs option in the Multi-Factor Authentication Server settings.

    
    Friday, September 8, 2017 10:46 PM
  • Hi Brandon Inabinet

    You could send the log from the Microsoft Authenticator app: App --> Help --> Send logs

    Regards, 

    Walter



    Monday, September 11, 2017 5:58 AM
  • lol.. silly me...
    Thanks Walter

    Incident ID: 32XPW76U
    Monday, September 11, 2017 4:06 PM
  • We got the exact same issue.

    We have a valid wildcard certificate from Symantec.

    In addition to what is mentioned in the opening post, our server is a Windows Server 2008 R2 server running IIS 7.5.

    We also checked if the right certificate was assigned and verified the certificate was valid if you browsed it with Safari.

    Our incident-id = J3JGFWCN 

    Tuesday, September 12, 2017 9:11 AM
  • We have sent logs from an iOS device as well, here is the incident ID: Q28FZ

    We are not using a wildcard cert but rather using a UCC SAN cert. We have no problems with Android devices or older iOS devices. 

    I have also performed checks on the SSL certificate and there are no issues with it or the chain reported by Safari or any other SSL certificate checking tool available.


    • Edited by Scott HM Tuesday, September 12, 2017 11:23 PM
    Tuesday, September 12, 2017 4:07 PM
  • Hello Walter,

    Do you have any updates regarding this issue? 

    Wednesday, September 13, 2017 5:58 PM
  • Hi Walter,

    1. So, iOS users need to update their Microsoft Authenticator from the Apple App Store, right?

    2. For the SSL version to TLS 1.2 upgrade, do you have Microsoft documentation or an admin guide? If so, can you please provide the link?

    Thank you,

    Jeff Kim



    Friday, September 15, 2017 5:44 PM
  • Thank you. I can confirm the update did resolve the issue for our users. We will also look into updating the SSL version to TLS 1.2. Do you have any TechNet documentation on the update to TLS 1.2?

    Thank you.

    Friday, September 15, 2017 6:28 PM
  • Thank you very much for the quick response/release!
    Friday, September 15, 2017 8:28 PM
  • Walter, thank you for your effort!

    The fix for Windows Server 2008 R2 servers is very simple. Follow these instructions:

    https://support.quovadisglobal.com/kb/a433/how-to-enable-tls-1_2-on-windows-server-2008-r2.aspx

    The portal is now running on TLS 1.2

    Monday, September 18, 2017 5:18 AM
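
An added example, not part of the post above or of the linked article: a PowerShell audit of the SCHANNEL registry values that control TLS 1.2 on Windows Server 2008 R2, where the protocol is supported but disabled by default. The `-Enable` switch and the function names are this example's own; run it in an elevated session, and note that a change only takes effect after a reboot.

```powershell
# Added example: audit (and optionally enable) TLS 1.2 in SCHANNEL.
# -Enable is a switch defined by this script, not a built-in option.
param([switch]$Enable)

$base  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$roles = 'Server', 'Client'   # Server = inbound (IIS), Client = outbound calls

function Get-Tls12State([string]$Role) {
    $key   = Join-Path $base $Role
    # A missing key or value means the OS default applies; on Server 2008 R2
    # that default leaves TLS 1.2 disabled.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Role              = $Role
        KeyExists         = [bool]$props
        Enabled           = $(if ($props) { $props.Enabled } else { $null })
        DisabledByDefault = $(if ($props) { $props.DisabledByDefault } else { $null })
    }
}

function Enable-Tls12([string]$Role) {
    $key = Join-Path $base $Role
    # Create the key only if absent so existing values are not wiped.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
}

$changed = $false
foreach ($role in $roles) {
    $s  = Get-Tls12State $role
    # Enabled must be non-zero and DisabledByDefault must be exactly 0.
    $ok = $s.KeyExists -and $s.Enabled -and ($s.DisabledByDefault -eq 0)
    $status = $(if ($ok) { 'enabled' } else { 'NOT enabled' })
    Write-Output ("TLS 1.2 {0}: {1} (Enabled={2}, DisabledByDefault={3})" -f `
        $role, $status, $s.Enabled, $s.DisabledByDefault)

    if (-not $ok -and $Enable) {
        Enable-Tls12 $role
        $changed = $true
        Write-Output ("  -> wrote Enabled=1, DisabledByDefault=0 for {0}" -f $role)
    }
}

if ($changed) { Write-Output 'Reboot the server for SCHANNEL changes to take effect.' }
```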
  • Hello

    This issue is occurring again for iPhone users that are trying to set up the Multi-factor app version 5.5.2 with iOS 11.2.2. Please confirm if this is a bug that is back for this new version.

    Thank you

    Derek

    Monday, January 22, 2018 4:07 PM
  • +1 I am also getting this issue with the latest iOS. Is there a fix?
    Monday, April 9, 2018 4:25 PM