UAG DirectAccess Issuing CA (two level CA) warning message

  • Question

  • Hi,

    I've got a problem with a two level CA construct (Issuing CA --> root CA) at my customer.

    The following warning message appears during DA Wizard:

    No Computer Certificate issued By "CA=RootCA.... ....." was found.

    That's right, because the computer certificate was issued by the IssuingCA.

    Why does this message appear?

    Is it just a warning message and everything's OK, or may I get problems with IPsec authentication?

    When I start the DA Wizard without UAG, this message does not appear!

    Please clarify and help me.

    Thanks.

    Regards,

    Christian Kuever

    Monday, November 8, 2010 9:14 AM

Answers

  • Hi,

    it's fixed. Thanks everyone.

    My customer did some strange settings and mistakes for the revocation list.

    I didn't see this on my first view.

    Regards,

    Christian

    Saturday, November 13, 2010 6:10 PM

All replies

  • Does the UAG server trust the Root CA? Is it listed in the Trusted Root Certificate Authorities cert store? If you look at the certificate on the UAG server, does the trust chain look ok?

    Based upon the error, I would assume your PKI may not be configured quite right...

    The output from the certutil -store my command would be useful.

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, November 8, 2010 9:27 AM
  • Yes, the UAG server trusts the Root CA, and it's listed in Trusted Root Certificate Authorities.

    The trust chain is OK.

    As I said, when I start the DirectAccess Wizard directly from Server Manager (without UAG), the warning message does not appear.

    I know how certificates work, and I don't think that I have a problem with the CA.

    Any ideas?

    Regards,

    Christian Kuever

    Monday, November 8, 2010 9:31 AM
  • The certs don't have to be issued by the Root CA (I have deployed UAG DA with both two and three-tier PKIs) so the error is maybe a little confusing. Maybe the certs have not been created correctly or are not in the local computer certificate store? Do the certs contain valid CDP and AIA references? If you run pkiview.msc on your Enterprise CA, is all ok? 

    I would double check you meet all the requirements defined here: http://technet.microsoft.com/en-us/library/ee406213.aspx

    The UAG wizard is designed to simplify DA deployment, so maybe the cert checks included are more thorough...

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Monday, November 8, 2010 9:40 AM
  • I will check deeper and let you know.

    Thanks.

    Regards,

    Christian Kuever

    Monday, November 8, 2010 9:51 AM
  • Is the Root CA's CA certificate included in the Trusted Root Certification Authorities store on the UAG server?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, November 8, 2010 2:08 PM
  • Hi Thomas,

    sure, it is!

    Regards,

    Christian Kuever

    Monday, November 8, 2010 2:09 PM
  • Great!

    How about the certificate of the issuing CA?

    Thanks!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, November 8, 2010 3:16 PM
  • Hi,

    The Issuing CA is in the computer's Personal store and the root CA under Trusted Root Certification Authorities.

    For testing, I also added the Issuing CA to Trusted Root Certification Authorities.

    I will look deeper with certutil and pkiview.msc and let you know the results.

    Thanks for help.

    Regards,

    Christian

    Monday, November 8, 2010 3:23 PM
  • Hi Christian,

    I don't think there should be a problem with this validation (unless you're still using a pre-released version of UAG 2010)

    Let me explain what the validation checks exactly, and maybe then you could find the problem:

    • In the wizard you picked the root certificate for IPsec authentication. Let's call the subject name of this certificate RootCert.
    • UAG iterates over the certificates in the Personal store of the Local Computer.
    • It looks only for certificates with the "Client Authentication" intended purpose.
    • For each one of these, it looks at its certificate chain and looks for a certificate with the same subject name as RootCert.
    • If none are found, this warning is issued.

    Hope this helps.

    You can also contact Microsoft support, and they will help you gather traces to better understand the root cause of this.

    Thanks,

    Yaniv

    Tuesday, November 9, 2010 4:11 PM
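    The check Yaniv describes, replayed in PowerShell on the UAG server so each step's result is visible (an added example, not code from the thread or from UAG). It also builds each chain with online revocation checking, so a broken CRL, which turned out to be the cause in this thread, shows up as a chain status error. $RootCertSubject is a placeholder for the subject of the root certificate picked in the wizard.

```powershell
# Added example, not code from the thread or from UAG: replay the wizard's validation
# on the UAG server and print why each certificate is skipped, matched, or fails to chain.
$RootCertSubject = 'CN=RootCA, DC=example, DC=local'   # placeholder, replace before running
$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'                 # Client Authentication EKU OID

$matched = @()
# Step 2: iterate over the Personal store of the Local Computer
foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Step 3: keep only certificates whose intended purposes include Client Authentication
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $purposes = @($eku | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if (-not ($purposes -contains $ClientAuthOid)) {
        Write-Output "SKIP  $($cert.Subject): no Client Authentication EKU"
        continue
    }

    # Step 4: build the chain and collect the subject of every element in it.
    # Revocation is checked online for the entire chain, because an unreachable or
    # misconfigured CRL makes chain building fail even when the root is trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid    = $chain.Build($cert)
    $subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    Write-Output ("CHAIN {0}: {1}" -f $cert.Subject, ($subjects -join ' -> '))
    foreach ($s in $chain.ChainStatus) {
        Write-Output ("      status: {0} {1}" -f $s.Status, $s.StatusInformation.Trim())
    }

    # Assumption: only a chain that validates and contains RootCert counts as a match
    if ($valid -and ($subjects -contains $RootCertSubject)) { $matched += $cert.Thumbprint }
    $chain.Reset()
}

# Step 5: no match is the condition that produces the wizard warning
if ($matched.Count -eq 0) {
    Write-Output "WARNING: no computer certificate chaining to '$RootCertSubject' was found"
} else {
    Write-Output "OK: matching certificate thumbprints: $($matched -join ', ')"
}
```

    A RevocationStatusUnknown or OfflineRevocation status on an otherwise complete chain points at the CDP/AIA configuration rather than at which CA issued the certificate.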
  • Hi Christian,

    Good to hear you figured it out and thanks for the follow up!

    Tom


    MS ISDUA/UAG DA Anywhere Access Team Get yourself some Test Lab Guides! http://blogs.technet.com/b/tomshinder/archive/2010/07/30/test-lab-guides-lead-the-way-to-solution-mastery.aspx
    Monday, November 15, 2010 8:43 PM