SSL certificate not visible for install in APP-V Management server

  • Question

  • Hello,

     

    I am trying to configure an existing APP-V Management server for secure connection:

    - This is a single server. No NLB configuration.

    - Server is currently working fine using HTTP and RTSP protocols.

    - I used my corporate CA to get an SSL certificate. This certificate matches all requirements for APP-V server.

    - I installed the certificate in local computer store and have been able to properly install and test it for HTTPS traffic

    - I granted read access to the "Network Service" account for this certificate (as my APP-V server is running under this account).

     

    However when I execute certificate wizard from the APP-V console, I got the following:

    - First window: "This Application Virtualization Management Server does not have a certificate installed. Certificate wizard will help you to attach to an existing certificate."

    - I click on next.

    - On the available certificates window, no certificate is listed in the "Select a certificate" list.

     

    Any idea?

     

     

    Tuesday, June 14, 2011 11:14 AM

Answers

  • Check whether the certificate is selectable in IIS as well. It sounds like the certificate still doesn't have the correct properties.

     

    From the documentation: Installing App-V Management Server or Streaming Server Securely: http://technet.microsoft.com/en-us/library/ee662341.aspx

    "The certificate must contain the correct Enhanced Key Usage (EKU)—Server Authentication (OID 1.3.6.1.5.5.7.3.1). If the certificate does not contain this EKU, the client ends the connection."


    This forum post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
    Tuesday, June 14, 2011 1:15 PM
    Moderator

All replies

  • Tuesday, June 14, 2011 11:28 AM
  • It may be that your certificate is not the correct type - the cert needs to be enabled for Server Authentication.

    Also see these links:

    http://blogs.technet.com/b/appv/archive/2007/11/20/setting-up-an-application-virtualization-in-secure-mode.aspx

    http://blogs.technet.com/b/appv/archive/2010/03/09/troubleshooting-common-rtsps-issues-with-app-v.aspx



    Tuesday, June 14, 2011 12:07 PM
    Moderator
  • Hello Znack, Aaron,

     

    Thanks for your quick feedback.

     

    I used Znack's procedure and I confirm read/execute permissions have been granted to "Network Service" for the related certificate. I can cross-check it by editing NTFS permissions for the file in: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys

     

    I can only assume my SSL certificate has the required EKU as I have no control over the corporate CA and the template that is used to generate the certificate. Is there a way to check it? At least, I don't see any error / warning in the event viewer.

     

    Regards.

    Tuesday, June 14, 2011 12:13 PM
  • By the way, I have temporarily used the Local System account for the APP-V Server service to detect any permission issue related to the Network Service account.

     

    With local system account, certificate is still not listed.

     

    Regards.

    Tuesday, June 14, 2011 12:25 PM
    1. Load MMC.exe
    2. Add the Certificates snap-in
    3. Use Computer Account and connect to the Local Computer (assuming you are doing this at the console)
    4. Drill down to Personal
    5. On the properties of the certificate view the Certificate Purposes on the General tab


    Tuesday, June 14, 2011 12:55 PM
    Moderator
  • I can see the following...

     

    "This certificate is intended for the following purpose(s):"

    - All application policies

     

    Tuesday, June 14, 2011 12:57 PM
  • Check whether the certificate is selectable in IIS as well. It sounds like the certificate still doesn't have the correct properties.

     

    From the documentation: Installing App-V Management Server or Streaming Server Securely: http://technet.microsoft.com/en-us/library/ee662341.aspx

    "The certificate must contain the correct Enhanced Key Usage (EKU)—Server Authentication (OID 1.3.6.1.5.5.7.3.1). If the certificate does not contain this EKU, the client ends the connection."


    Tuesday, June 14, 2011 1:15 PM
    Moderator
  • Same certificate works fine in IIS. I have been able to setup an HTTPS binding without any issue.

     

    Tuesday, June 14, 2011 1:32 PM
  • Aaron,

     

    I think you are right. It sounds like the certificate is missing the required EKU. I confirmed it using certutil.

    I will see if I can get such a certificate from corporate CA.

     

    Regards.

     

     

    Tuesday, June 14, 2011 1:41 PM
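
A scripted version of the EKU check discussed in this thread, added here as an example and not posted by any participant. It reads the Local Computer "Personal" store and separates certificates that have no EKU extension at all (Windows typically displays these as "All application policies") from those that list Server Authentication (OID 1.3.6.1.5.5.7.3.1) explicitly. The function name Get-ServerAuthEkuStatus is hypothetical; PowerShell 3.0 or later is assumed.

```powershell
# Added example, not from the thread. Get-ServerAuthEkuStatus is a hypothetical name.
# OID quoted from the App-V documentation cited in the answer above.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-ServerAuthEkuStatus {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        # .NET exposes the EKU extension as a typed subclass when it is present.
        $ekuExt = $Certificate.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1

        if (-not $ekuExt) {
            # No EKU extension: some consumers treat this as "any purpose",
            # but a consumer that requires the explicit OID will reject it.
            $oids   = @()
            $status = 'NoEkuExtension'
        }
        else {
            $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
            if ($oids -contains $ServerAuthOid) { $status = 'ServerAuthPresent' }
            else                                { $status = 'ServerAuthMissing' }
        }

        [pscustomobject]@{
            Subject       = $Certificate.Subject
            Thumbprint    = $Certificate.Thumbprint
            NotAfter      = $Certificate.NotAfter
            HasPrivateKey = $Certificate.HasPrivateKey
            EkuStatus     = $status
            EkuOids       = ($oids -join ', ')
        }
    }
}

# Same location the MMC steps above drill into: Local Computer > Personal.
Get-ChildItem -Path Cert:\LocalMachine\My |
    Get-ServerAuthEkuStatus |
    Format-Table -AutoSize -Wrap
```

Only a row with EkuStatus of ServerAuthPresent and HasPrivateKey of True meets the documented requirement quoted above; run the script from an elevated prompt so the machine store is fully readable.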