HIS 2010 server certificate not found in store stops TN3270 process

  • Question

  • Despite the fact we have imported the proper P12 cert in the personal store of the user running the TN3270 process, we still have the following message in the sna trace viewer:

    Find Certificate in Store failed, error 0x80092004

    Failed to get certificate from the store

    Cert chain is complete including intermediate and root CA certs.

    Also the CN in the cert corresponds with TN3270 properties.

    I would like to have more information on what might cause this problem and why we can't get the TN3270 process running.

    If we remove the 992 port setting and set the TN3270 properties to the default port 23 the telnet process runs fine.

    Any input is welcome to fix this problem.


    Thanks in advance,


    Adri 

    Thursday, August 8, 2013 3:02 PM

Answers

  • Just as an update, it appears that the issue was caused because the certificate was using UTF-8 encoding and the TN3270 service is expecting the certificate to use ANSI encoding.

    Stephen Jackson - MSFT

    Friday, December 27, 2013 10:04 PM

All replies

  • Adri,

    Just to verify, when you were adding the certificate to the personal store, you logged onto the HIS Server system using the service account that the TN3270 Service is configured to run under, correct?

    The certificate has to be in the personal store of the user account that the TN3270 Service is configured to run under.

    Thanks...


    Stephen Jackson - MSFT

    Friday, August 9, 2013 2:04 PM
  • Hi Stephen,

    That is correct, we also checked with Process Monitor Logging that it actually is accessing the certificate store with the correct user and is reading the three certs (Server, Intermediate and Root CA certs).

    But somehow it is still reporting the same error in the event log and sna trace: failed to get certificate from store.

    Also the CN is the FQDN and the same as the TN3270 properties, it's only in lowercase in the certificate.

    Is there a way to get more debug information out of this?

    Hope this helps,


    Adri

    Monday, August 12, 2013 11:54 AM
  • Adri,

    The TN3270 Internal traces that you ran are the debug information that we use. You didn't include the trace statements prior to the "Find Certificate in Store failed, error 0x80092004" statement. You might want to include those here just so I can verify against some traces I captured when I generated the same error using a Certificate with a CN name in the TN3270 Properties that didn't match the CN in the certificate.

    Also, you might want to test with a different certificate in case there is something in the certificate that is causing the error.

    For example, if IIS is on the system, you could create a self-signed certificate to test with, which is what I did. The following link describes how to do this in IIS 7.0: http://technet.microsoft.com/en-us/library/cc753127(v=WS.10).aspx

    Outside of this, you may need to open a support case with HIS Support in order to do further troubleshooting.

    Thanks...


    Stephen Jackson - MSFT

    Monday, August 12, 2013 6:27 PM
  • Hi Stephen,

    Ok, I will open a support case for further troubleshooting.

    Are there any other certificate checks listed beside the CN, e.g. CRL or DN?

    Thanks,


    Adri

    Tuesday, August 13, 2013 7:46 AM
  • When the TN3270 service goes into the code to find the certificate, it loops through the certificates in the Personal Store (for the TN3270 service account) looking for certificates that have a subject that contains the configured common name (CN). When it finds a CERT that is a match on the CN, it then checks to see if the certificate is set up for server authentication.

    The trace excerpts you listed originally show that the TN3270 service was in this function, but it doesn't appear that you included all the trace statements that are logged by this code so I can't see everything that it might have tried before returning the error.

    Also, will you be able to try creating a self-signed certificate using IIS to see if that has the same problem?

    Thanks...


    Stephen Jackson - MSFT

    Tuesday, August 13, 2013 4:40 PM
  • Hi Stephen,

    It's working with a self-signed certificate, so the error is related to the certificate itself.

    We have opened a support case to figure out what information in the certificate is causing this.

    Thanks for your help,

    Adri

    Wednesday, August 14, 2013 2:58 PM
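
Added example (not from the thread and not HIS code): a PowerShell check that mirrors the lookup described in the replies (subject contains the configured CN, certificate allows server authentication) and also reports the ASN.1 string types used in each certificate's subject. It assumes the "UTF-8 encoding" named in the answer refers to UTF8String subject attributes; `host.example.com` is a placeholder, and the case-insensitive CN comparison is an assumption about the service's matching.

```powershell
# Added diagnostic sketch, not HIS code. Run it as the TN3270 service account
# so that Cert:\CurrentUser\My is that account's Personal store.
$ConfiguredCN  = 'host.example.com'      # placeholder: the CN set in the TN3270 properties
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'     # id-kp-serverAuth
$TagNames = @{ 0x0C = 'UTF8String'; 0x13 = 'PrintableString'; 0x14 = 'TeletexString'
               0x16 = 'IA5String';  0x1E = 'BMPString' }

function Read-DerHeader([byte[]]$Der, [int]$Pos) {
    # Tag, content offset and content length of the DER element starting at $Pos.
    $len = [int]$Der[$Pos + 1]; $off = $Pos + 2
    if ($len -ge 0x80) {                 # long form: low 7 bits = number of length bytes
        $n = $len - 0x80; $len = 0
        for ($i = 0; $i -lt $n; $i++) { $len = $len * 256 + $Der[$off + $i] }
        $off += $n
    }
    @{ Tag = [int]$Der[$Pos]; Offset = $off; Len = $len }
}

function Get-SubjectStringTypes([byte[]]$NameDer) {
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value <string> }
    $types = @(); $name = Read-DerHeader $NameDer 0
    $p = $name.Offset; $end = $name.Offset + $name.Len
    while ($p -lt $end) {
        $set = Read-DerHeader $NameDer $p; $q = $set.Offset; $p = $set.Offset + $set.Len
        while ($q -lt $p) {
            $atv = Read-DerHeader $NameDer $q
            $oid = Read-DerHeader $NameDer $atv.Offset
            $val = Read-DerHeader $NameDer ($oid.Offset + $oid.Len)
            $t = $TagNames[$val.Tag]; if (-not $t) { $t = '0x{0:X2}' -f $val.Tag }
            $types += $t
            $q = $atv.Offset + $atv.Len
        }
    }
    ($types | Select-Object -Unique) -join ', '
}

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    # OIDs from the Enhanced Key Usage extension (empty when the extension is absent)
    $ekuOids = @($cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
    New-Object psobject -Property @{
        Subject     = $cert.Subject
        CnMatch     = $cert.Subject.IndexOf($ConfiguredCN, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
        ServerAuth  = $ekuOids -contains $ServerAuthOid
        StringTypes = Get-SubjectStringTypes $cert.SubjectName.RawData
    }
} | Format-List Subject, CnMatch, ServerAuth, StringTypes
```

Under the stated assumption, a certificate that shows CnMatch and ServerAuth as True but lists UTF8String under StringTypes is a candidate for the failure described in the answer, because .NET decodes the subject regardless of its string type.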