RC1 and Server Certificate

  • Question

  • I am having trouble getting the Management Console to recognize an installed server certificate.  I found some information in the blog from the Beta here:

    http://blogs.technet.com/softgrid/archive/2007/11/20/setting-up-an-application-virtualization-in-secure-mode.aspx

    So I know I have the FQDN set correctly and the cert is installed and trusted.  I am not sure about the OID being in the cert.  I used OpenSSL to generate the cert and asked it to include the serverAuth OID, but I'm not sure it is there.  I don't normally deal with server certs (just code signing certs), so I guess I need more help than is in the article.

    Does anyone have a recipe for generating the server cert and installing it?

    Wednesday, July 23, 2008 10:02 PM
    Moderator
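The question above asks for an OpenSSL recipe and for a way to tell whether the serverAuth OID actually made it into the certificate. The script below is an added example written for this page; it is not code from the thread or from the App-V team. It assumes a POSIX shell with the openssl command on the path, and uses a constructed placeholder FQDN (appvmanagement.example.test) and a temporary working directory. It generates a PKCS#10 request plus a self-signed lab certificate with the serverAuth EKU (OID 1.3.6.1.5.5.7.3.1) and a matching DNS SAN, builds a second certificate without those extensions for comparison, and checks each one the way a practitioner would before importing it. Importing the resulting .pfx into the Local Computer Personal store and granting the service account access to the private key (the ACL step discussed later in the thread) are Windows-side steps outside this script.

```shell
#!/bin/sh
# Added example (not from the thread): OpenSSL recipe for a TLS server
# certificate with the serverAuth EKU and a DNS SAN, plus checks that the
# extensions are really present. FQDN and WORKDIR are constructed placeholders.

FQDN="${FQDN:-appvmanagement.example.test}"   # placeholder host name
WORKDIR="${WORKDIR:-$(mktemp -d)}"            # scratch directory

# Write an OpenSSL config. [v3_server] holds the extensions a server cert
# needs; [v3_plain] deliberately omits them to show the failure case.
write_openssl_cnf() {
  cat > "$WORKDIR/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = $FQDN

[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN

[v3_plain]
basicConstraints = CA:FALSE
EOF
}

# Create a private key, a PKCS#10 request (the form a CA such as the MS CA
# accepts) and a self-signed cert for lab use.
# $1 = extension section name, $2 = output base name.
generate_cert() {
  write_openssl_cnf
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORKDIR/$2.key" -out "$WORKDIR/$2.csr" \
    -config "$WORKDIR/server.cnf" -reqexts "$1" >/dev/null 2>&1 || return 1
  openssl x509 -req -in "$WORKDIR/$2.csr" -signkey "$WORKDIR/$2.key" \
    -days 365 -sha256 -extfile "$WORKDIR/server.cnf" -extensions "$1" \
    -out "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# Return 0 when the Extended Key Usage lists serverAuth; OpenSSL's text
# dump prints that OID as "TLS Web Server Authentication".
has_server_auth() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Server Authentication'
}

# Return 0 when the certificate carries a DNS SAN equal to $2.
san_has_dns() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -qF "DNS:$2"
}

# Bundle key + cert as PKCS#12 for import into the Windows machine store.
# The password is a placeholder; pick a real one when exporting for use.
bundle_pkcs12() {
  openssl pkcs12 -export -inkey "$WORKDIR/$1.key" -in "$WORKDIR/$1.crt" \
    -out "$WORKDIR/$1.pfx" -passout pass:placeholder-password >/dev/null 2>&1
}

# Stand-alone run: build both certs and report which one qualifies.
generate_cert v3_server server
generate_cert v3_plain plain
for name in server plain; do
  if has_server_auth "$WORKDIR/$name.crt"; then
    echo "$name.crt: serverAuth EKU present (valid TLS server cert)"
  else
    echo "$name.crt: serverAuth EKU missing (not a TLS server cert)"
  fi
done
bundle_pkcs12 server && echo "wrote $WORKDIR/server.pfx"
```

Run it as-is to see the two verdicts; the plain.crt case is what a certificate looks like when the request was built without an extensions section, which is the usual reason a cert that "looks installed" is not offered as a server certificate. For a production server, send the .csr to the CA instead of self-signing, and keep the extension section on the request so the issued cert inherits the EKU and SAN. OpenSSL 3 encrypts the .pfx with AES by default; if an older Windows host refuses to import it, add the -legacy option to the pkcs12 command.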

Answers

  • Hello fellows,

    Nice to hear from you.

    On Tim's question, I have not used OpenSSL to generate the certs, just the MS CA, and have had no problems.  One note I will add is that the blog entry you mention states to use FindPrivateKey to ACL the private key.  Problem is, FindPrivateKey requires opening the project file in Visual Studio and then compiling it, or a heavy search of the internet; I found it posted in a couple of places.

    The Windows 2003 RK has a tool called winhttpcertcfg.exe which is much easier to use and more readily available.

    If you are running setup and it doesn't appear as a cert when selecting secure, then it doesn't meet the minimum requirements that are described in the blog post you listed.  That means it probably doesn't have the appropriate OID.

    I would try installing an MS CA for giving out your certs.  I always have mine set up for autoenrollment, so when I join a server it automatically gets a computer cert which does support App-V.  This isn't a production recommendation but great for test and for teaching.

    Ruben

    If you could provide a little more detail on the event log message, that would help.  It could be that you haven't changed the ACL on the private key to allow the Network Service to access it.  Also, I haven't used a wildcard cert in testing as of yet.  I don't know if this will work or not, as in an NLB situation you have to use Subject Alternate Names to specify the actual name of each server in the cluster or the communication will fail.  I will try and verify this and post again.

    mattmcdermott

    Thursday, July 24, 2008 4:00 PM
    Moderator

All replies

  • Hi Tim,

    I also find it difficult to set up the Management Server with the correct certificates.

    I installed a wildcard certificate; the console recognizes it, but secure connections won't work, and an event log error message is generated saying that the certificate files can't be found.

    @ MS: Is there more information about this topic available?

    Ruben

    Thursday, July 24, 2008 6:55 AM
    Moderator
  • Thank you Matt.

    I'm not 100% yet, but working on it.  The following detail might help others...

    I installed the Microsoft Certificate Authority (on Server 2003 this is an Add/Remove Programs option for Windows Components; you need your DVD or ISO for the OS).  [NOTE: I did this on the MAV Management Server.  I suspect I could have put it on another machine, but am not sure.]  I made no changes to the CA.

    I opened the MMC on the MAV Management Server, added the Certificates snap-in and selected Local Computer.  Right-click on Personal, select All Tasks, Request New Certificate.  Fill out the detail in the wizard, which was pretty straightforward.  It seems that this generated a request and sent it to the (selected) CA, received the cert and placed it in the certificate store of this machine for me.

    I could now select the certificate in the server properties (and I assume in the original install also) and enable RTSP.  Since this is post-install I need to restart the Management Server service.

    Still to come is the permissions thing and actually testing this out.

    Thanks again!

    Thursday, July 24, 2008 6:16 PM
    Moderator
  • You should also be able to use OpenSSL; the cert has to be in PKCS#10 format.

    mattmcdermott

    Thursday, July 24, 2008 6:31 PM
    Moderator
  • Just a follow-up on using the MS CA.

    If you fail to put in the permissions, you will get a very specific error in the server log.  I used the winhttpcertcfg tool that Matt referenced and have RTSPS working like a charm now.

    Thanks Matt!

    Thursday, July 24, 2008 9:57 PM
    Moderator
  • Tim

    Glad it worked out.

    Hope to see you soon

    mattmcdermott

    Thursday, July 24, 2008 10:00 PM
    Moderator
  • Guys,

    be careful during troubleshooting not to mix up the different services that should be secured:

    Tim's original post tells about trouble establishing a secure connection to the Web Service. This is not what is described in the TeamBlog (with the ACL and OID). The TeamBlog describes how to secure the RTSP service.

    In addition, to have a secure connection to the Web Services, a (or: the) Server Certificate has to be used by the IIS instance hosting the web service. To do that, the properties of the IIS Default Web Site have to be modified.

    I also used a Win2003 certificate authority in my lab, and after setting the ACL on the certificate file in that strange location mentioned in the blog it worked for me.

    During certificate creation with the MS CA, make sure you select the right template (when prompted): Web Server (the default is Administrator). Also, for MS-based services I always use DER (and not base64) for encryption.

    Do not forget the clients (i.e. the App-V client for streaming and the machine hosting the MMC for the Web Service connection). They should trust the CA. Therefore the root certificate should be placed in the machine's Trusted Root CAs store. This step often can be ignored in MS-based scenarios when the CA is part of an AD domain: then the root certificate gets deployed automatically during machine startup (want proof? just look into the trusted root CA list of a domain member that is part of a not-too-strictly-managed AD ;-) )

    If the ACL on the Server Certificate is the issue, the EventLog states:

    Event Type:  Error
    Event Source: Application Virtualization Server
    Event Category:     Devices
    Event ID:    44955
    Date:        8/4/2008
    Time:        5:00:33 PM
    User:        N/A
    Computer:    APPVMANAGEMENT
    Description:
    Certificate could not be loaded. Error code [-2146893043]. Make sure that the Network Service account has proper access to the certificate and its corresponding private key file.
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    If the certificate can't be found, I think there are two or three corresponding messages, one saying:

    Event Type:  Error
    Event Source: Application Virtualization Server
    Event Category:     Devices
    Event ID:    41587
    Date:        8/4/2008
    Time:        5:09:36 PM
    User:        N/A
    Computer:    APPVMANAGEMENT
    Description:
    The server could not start the RTSPS service on port 322, because no SSL certificate was available. Installing the appropriate SSL certificate may fix this problem.
    For more information, see Help and Support Center at

    And the other looks almost the same as the one with the ACL issue (with a different error code in the Description).

    Tuesday, August 5, 2008 8:31 PM
  • Tim's original posts tells about trouble establishing a secure connection to the Web Service. This is not what is described in the TeamBlog (with the ACL and OID. TeamBlog describes how to secure the RTSP service.

    Not really.  My original post involved using the management console (and web service) only to configure the management server to take a certificate so that I could use RTSPS.  Matt was helpful and I was able to successfully create a cert using the Microsoft CA, as long as I did the step to allow the user context of the management service (dispatcher) access to the cert, including the private key.

    While I might want RTSPS enhanced security, I see very little need for HTTPS security on the web service.  The web service is needed only by App-V administrators, who must authenticate using SSPI.  That service does not need to route out through the firewall.

    Tuesday, August 5, 2008 9:17 PM
    Moderator
  •  Tim Mangan wrote:

    Not really.  My original post was involving using the management console (and web service)  only to configure the management server to take a certificate so that I could use RTSPS.  Matt was helpful and I was able to sucessfully create a cert using the Microsoft CA, as long as I did the step to allow the user context that the management service service (dispatcher) access to the cert including the private key.

    While I might want RTSPS enhanced security, I see very little need for HTTPS security on the web service.  The web service is needed only by app-v administrators who must authenticate using SSPI.  That service does not need to route out the firewall.

    - Confirmed that I got it wrong
    - Agreed that securing the Web Service wouldn't be required too often

    Wednesday, August 6, 2008 7:02 AM