Remote Web Access Security / Signing Issue

    Question

  • Hi. We have a Windows Server 2012 R2 Essentials server that is configured for Remote Web Access, and it has been working fine for a number of years.  We are a home / small business customer, and just use a Microsoft-supplied ourname.remotewebaccess.com domain name.

    Recently, we have begun receiving "site not secure" warnings from our browsers when attempting to connect to our server remotely.  In Microsoft Edge, we receive the error:

    The website’s security certificate has a weak signature and is not secure.

    Error Code: DLG_FLAGS_WEAK_SIGNATURE

    In Firefox, we see: 

    ourname.remotewebaccess.com uses an invalid security certificate. The certificate is not trusted because it was signed using a signature algorithm that was disabled because that algorithm is not secure. Error code: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

    Any thoughts on how we should correct this? There is no certificate renewal process for Microsoft supplied domain names that I am aware of, and the RWA domain name wizard only provides options to procure a new domain name or release the existing one, not an option to renew an existing one.

    I spent some time searching the forum but could not find a good match for our issue. Thank you in advance.


    • Edited by Gary Voth Friday, August 11, 2017 5:18 AM
    Friday, August 11, 2017 5:10 AM

All replies

  • Bump.

    For what it's worth, these symptoms bear a striking resemblance to the recent SHA-1 block that is rolling out to all mainstream browsers. More here: https://www.bleepingcomputer.com/news/security/microsoft-bans-sha-1-certificates-in-edge-and-internet-explorer/

    The timing seems too close of a coincidence to be unrelated. If this is indeed what is going on, I'm not sure why Windows Server 2012 R2 should be affected, and why, if it is, Microsoft has not provided an update.

    Can anyone with knowledge of this issue chime in?


    • Edited by Gary Voth Tuesday, August 15, 2017 12:00 AM
    Sunday, August 13, 2017 7:27 PM
  • Hi,

    I found related information about SHA-1 deprecation.

    Microsoft security advisory: Deprecation of SHA-1 hashing algorithm for Microsoft root certificate program: January 12, 2016:
    https://support.microsoft.com/en-us/help/3123479/microsoft-security-advisory-deprecation-of-sha-1-hashing-algorithm-for

    Microsoft security advisory: SHA-1 deprecation for SSL/TLS certificates: May 9, 2017:
    https://support.microsoft.com/en-us/help/4010323/title

    Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2:
    https://blogs.technet.microsoft.com/askds/2015/04/01/migrating-your-certification-authority-hashing-algorithm-from-sha1-to-sha2/

    In general, we can check the hashing algorithm of a certificate as follows:
    Access the website using a browser, right-click on the lock icon (if there is one), click the option to view the certificate details, and find the "Certificate Signature Algorithm" field to confirm the certificate's algorithm.

    If the certificate used for RWA is obtained automatically when enabling/configuring RWA, in order to re-obtain a new certificate for RWA on Windows Server Essentials, I would recommend you to disable RWA and re-enable it to confirm the result.

    If the certificate is purchased/obtained manually, you may reference - Renew SSL Certificate for 2012 R2 Essentials:
    http://kwsupport.com/2017/02/renew-ssl-certificate-for-2012-r2-essentials/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Gary Voth Monday, August 14, 2017 10:24 PM
    Monday, August 14, 2017 7:36 AM
    Moderator
  • Thank you Eve. This information would have been helpful, but having discovered the root cause (the SHA-1 signing issue) I found a related thread here:

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/e16cb4f3-9c75-433e-a787-75fe66726fda/sha1-how-to-get-a-sha2-cert-update?forum=winserveressentials

    The basic solution recommended here was to re-run the domain name setup wizard reusing the Microsoft-supplied domain name you already own (the language of the wizard does not suggest this is possible). 

    Interestingly enough, I had already thought of that, but it failed in my case. For some reason, the old certificate was not deleted and replaced by the new one; rather it remained on my system, and was taking precedence during authentication. Disabling it was not enough to fix the problem. In fact, I ran the wizard a couple of times and ended up with 3 certificates.

    I finally resolved the issue by deleting all Remote Web Access certificates and then running the wizard a last time.

    This might be a good topic to add to the Server 2012 Essentials Wiki, if that is still being maintained.
    • Edited by Gary Voth Thursday, August 17, 2017 2:52 PM
    Monday, August 14, 2017 10:31 PM
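    As an added example (not code from the thread, from Microsoft, or from the Essentials wizard), the following PowerShell script does Eve's signature-algorithm check from the server side and lists the leftover Remote Web Access certificates that Gary had to delete before the wizard would take effect. The hostname ourname.remotewebaccess.com and the store path Cert:\LocalMachine\My are assumptions; the removal step is left in -WhatIf mode so an administrator reviews the list first.

    ```powershell
    # Added example, not from the original thread.
    # Assumed RWA hostname (taken from the question) and certificate store.
    $rwaHost   = 'ourname.remotewebaccess.com'
    $storePath = 'Cert:\LocalMachine\My'

    # Signature algorithms that Edge/IE (DLG_FLAGS_WEAK_SIGNATURE) and Firefox
    # (SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED) no longer accept on a leaf cert.
    $weakAlgs = @('sha1RSA', 'sha1ECDSA', 'sha1DSA', 'md5RSA')

    # 1. Inventory every certificate for the RWA name in the machine store.
    #    After re-running the wizard several times there may be more than one.
    $rwaCerts = Get-ChildItem -Path $storePath | Where-Object {
        $_.Subject -like "*$rwaHost*" -or ($_.DnsNameList.Unicode -contains $rwaHost)
    }

    $report = foreach ($cert in $rwaCerts) {
        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            SignatureAlg = $cert.SignatureAlgorithm.FriendlyName
            Weak         = ($weakAlgs -contains $cert.SignatureAlgorithm.FriendlyName)
        }
    }
    $report | Sort-Object NotBefore | Format-Table -AutoSize

    # 2. Check which certificate the server actually presents on 443, since a
    #    stale SHA-1 certificate still bound to the site is what browsers see.
    #    The callback returns $true so we can read the chain even if validation fails.
    $tcp = New-Object System.Net.Sockets.TcpClient($rwaHost, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($rwaHost)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        "Presented on 443: {0}  alg={1}  weak={2}" -f $presented.Thumbprint,
            $presented.SignatureAlgorithm.FriendlyName,
            ($weakAlgs -contains $presented.SignatureAlgorithm.FriendlyName)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # 3. Remove the RWA certificates (what resolved the issue in the thread), then
    #    re-run the domain name wizard. Drop -WhatIf once the list above is reviewed.
    $rwaCerts | Remove-Item -WhatIf
    ```

    Run the script in an elevated PowerShell session on the Essentials server; the Weak column identifies the certificates that trigger the browser errors quoted in the question.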
  • Hi,

    I am glad to hear that your issue was successfully resolved. Also, thank you for taking the time to post an update with the details. It might be helpful for other people who have a similar problem.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,
    Eve Wang


    Tuesday, August 15, 2017 1:37 AM
    Moderator