Could not establish trust relationship for the SSL/TLS secure channel

    Question

  • This happens when trying to connect to the remote SCE server. This is the only component that does not seem to be working for us...

     

    1) From the OpsManager console I can see the remote site & computers, as well as execute OpsMgr related tasks no problem at all.

     

    2) When trying to connect to the SCE console, I get the following error. I have double checked that certs from the \SCE\Certifications are installed on the local machine, and on the SCE server the OpsMgr event log does show a successful connection from my account (that is part of local admin etc etc).

     

    3) My workstation is Vista, behind an ISA box, though from the logs I can see there are no denies or dropped packets.

     

     

    Any ideas? This is seriously bugging me! What/where can I check?

     

    Date: 2007/09/25 03:18:47 PM

    Application: System Center Essentials

    Application Version: 6.0.1251.0

    Severity: Error

    Message: Error connecting to Update server 'gemini.balltronpark.com'

     

    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)

       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)

       at System.Net.TlsStream.CallProcessAuthentication(Object state)

       at System.Threading.ExecutionContext.runTryCode(Object userData)

       at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)

       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)

       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)

       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)

       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)

       at System.Net.ConnectStream.WriteHeaders(Boolean async)

       --- End of inner exception stack trace ---

       at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)

       at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer(String serverName, Boolean useSecureConnection, Int32 portNumber)

       at Microsoft.EnterpriseManagement.SCE.Internal.UI.Console.UpdateServerService.TryConnect(String serverName, Boolean connectSecurely, Int32 socketNumber)

       at Microsoft.EnterpriseManagement.SCE.Internal.UI.Console.UpdateServerService.TryConnect(String serverName)

       at Microsoft.EnterpriseManagement.SCE.Internal.UI.Console.EssentialsConsoleWindow.ChangeConnection(String serverName)

    System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)

       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)

       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)

       at System.Net.TlsStream.CallProcessAuthentication(Object state)

       at System.Threading.ExecutionContext.runTryCode(Object userData)

       at System.Runtime.CompilerServices.RuntimeHelpers.ExecuteCodeWithGuaranteedCleanup(TryCode code, CleanupCode backoutCode, Object userData)

       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state)

       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)

       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)

       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)

       at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)

       at System.Net.ConnectStream.WriteHeaders(Boolean async)

     

    Tuesday, September 25, 2007 6:31 PM

Answers

  • Hi Eugene,

     

    Is that workstation in the same domain with SCOM server, as it should be?

     

    If it still doesn't work, I'd suggest that you reinstall a new workstation and import the certificates by the steps I posted earlier. This will help us dispel any potential software conflict in the workstation. And I think the configuration should be sufficient for the remote Essentials console to connect to the Essentials server at the customer site.

     

    Thanks.


    __________________________

    Sincerely,

    Yog Li

    Microsoft Online Community Support

    Monday, October 01, 2007 10:20 AM
    Moderator
  •  

    Hello Eugene,

     

    I had the same error today and I found the cause for it in configuring Internet Explorer using PAC scripts:

    because the PAC script didn't contain a rule for directly accessing the SCE machine, the SCE console obviously tried to connect via the proxy server, which answered with its own self-created certificate (that's the 'remote certificate is invalid according to the validation procedure.').

     

    Are you using a proxy (that is breaking up SSL connections with its own certificate)?

     

    Perhaps this hint is helpful for you...

    Tuesday, October 02, 2007 10:03 AM

All replies

  • Hi,

     

    You must have the Essentials 2007 Management Server's certificates installed on the Operations Manager 2007 Server to successfully allow it to connect to the remote Essentials 2007 server. I'm not sure if you did that. If not, please follow the steps below.

     

    1.  On the System Center Essentials 2007 Server, export the personal certificate as a PFX file with the private key and the trusted root certificate as a .CER file to be used by running the Configure Service Provider Mode tool.

     

    For more information about this tool, click the link below.

    How to Configure System Center Essentials to Support the Managed Services Provider
    http://technet.microsoft.com/en-us/library/bb437383.aspx

     

    2. On the Operations Manager 2007 Management Server that the Essentials 2007 Management Servers communicate with, run the command line below to import the certificate you obtained in the previous step:


    MOMCertImport.exe <full path to Operations Management certificate PFX file> /Password <password of PFX certificate>

     

    You can find the tool MOMCertImport.exe in the SupportTools\i386 or SupportTools\amd64 directory on the Operations Manager 2007 installation media. No output is the expected result of a successful import.

     

    3. Stop and restart the OpsMgr Health Service on the Management Server.

     

    Hope it helps. Thanks.
     

    __________________________

    Sincerely,

    Yog Li

    Microsoft Online Community Support

    Thursday, September 27, 2007 8:57 AM
    Moderator
  • Hi,

    Thanks for the response!
    It has unfortunately not helped:

    1) If the certs (pfx) were not imported correctly, surely I would not be able to see and work with the SCE server from the SCOM console? {I may have misunderstood your instructions here, but either way, I have done the import already}
    2) I do not see how I can import the [SCE] pfx into the [SCOM] console. Trying to do this in any event causes the cert mismatch error to occur.
    3) Just to re-iterate:
        a. I have installed the scomsrver.x.y.z using the MOMCertImport command, and this works.
        b. I have events on SCOMsrvr that certs are working
        c. I have configured SPMode on Scesrvr and this seems to be working (well, I assume if I can see the sce srvr and alerts and can run tasks against the SCEsrvr and its agent from the [SCOM] server, that the certs must be OK?)
        d. The *only* issue I have is connecting to the remote SCE console from a workstation where I have both the SCOM and SCE consoles installed.
            -> I can connect to the SCOM server fine from the workstation and perform same actions as in (c).


    Regards,

    Eugene

    Thursday, September 27, 2007 11:30 AM
  • Hi Eugene,

     

    Thanks for your updating the information, which makes me understand your situation more clearly. I think the following steps may help you to configure the workstation to use the remote console.


    In order for the remote Essentials console to connect to the Essentials server at the customer site,  the SSL and WSUS Code Signing certificate used by the Essentials server must be imported on the remote console computer.  To do so:

     

    1. On the Essentials 2007 server, browse to the System Center Essentials 2007\Certificate directory and copy the two certificates (WSUSCodeSigningCert.cer and WSUSSSLCert.cer) to the console computer.

     

    2. Open the Certificates MMC on the workstation for the Computer account.

     

    3. Import both certificates into the Trusted Root Certification Authority Store. Import only the WSUSCodeSigningCert.cer into the Third Party Publishers and Trusted Publishers stores.

     

    4. Also, for each account that will launch the Essentials console from the service provider site, an account with a matching logon name and password must be created as a local user on the Essentials 2007 server and be added to the local Administrators group on the Essentials 2007 server.

     

    5. On the Essentials 2007 server, open the Local Users and Groups MMC.

     

    6. Create a new user with an account and password that is the same as the one that is used when using the Operations Manager console on the Operations Manager server.

     

    7. Add this account to the local Administrator group on the Essentials 2007 server.


    Hope this helps.
     

    _________________________

    Sincerely,

    Yog Li

    Microsoft Online Community Support

    Friday, September 28, 2007 10:08 AM
    Moderator
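    The certificate import in steps 1 to 3 of the reply above, scripted as an added example (this is not code from the thread, from Microsoft or from the SCE product). It assumes the two .cer files were copied to a hypothetical C:\SCE-Certs directory, uses the .NET X509Store API against the Computer account (LocalMachine) stores so it runs on any PowerShell version, and skips certificates that are already present so it can be re-run. The reply's "Third Party Publishers" store is taken here to be the Third-Party Root Certification Authorities store (store name AuthRoot); that mapping is an assumption and is exposed as a parameter.

```powershell
# Added example, not from the original thread. Run from an elevated PowerShell prompt
# on the console workstation. $CertDir is a hypothetical location for the two .cer files
# copied from the Essentials server's "System Center Essentials 2007\Certificate" directory.
param(
    [string]$CertDir = 'C:\SCE-Certs',
    # The reply's "Third Party Publishers" store is taken to be Third-Party Root Certification
    # Authorities (store name AuthRoot); this mapping is an assumption.
    [string]$ThirdPartyStore = 'AuthRoot'
)

$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'

function Import-CertIntoStore {
    param(
        [Parameter(Mandatory=$true)] [string]$Path,
        [Parameter(Mandatory=$true)] [string]$StoreName
    )
    $cert  = New-Object "$X509.X509Certificate2" -ArgumentList $Path
    # LocalMachine = the MMC's "Computer account" stores, not the current user's.
    $store = New-Object "$X509.X509Store" -ArgumentList $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    try {
        $already = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
        if ($already.Count -eq 0) {
            $store.Add($cert)
            Write-Host ("Imported {0} [{1}] into LocalMachine\{2}" -f $cert.Subject, $cert.Thumbprint, $StoreName)
        } else {
            Write-Host ("Present  {0} [{1}] in LocalMachine\{2}" -f $cert.Subject, $cert.Thumbprint, $StoreName)
        }
    } finally {
        $store.Close()
    }
    return $cert
}

$sslCer     = Join-Path $CertDir 'WSUSSSLCert.cer'
$signingCer = Join-Path $CertDir 'WSUSCodeSigningCert.cer'

# Both certificates go into Trusted Root Certification Authorities (store name Root)...
$sslCert = Import-CertIntoStore -Path $sslCer     -StoreName 'Root'
$null    = Import-CertIntoStore -Path $signingCer -StoreName 'Root'

# ...and only the code-signing certificate into Trusted Publishers and the third-party store.
$null = Import-CertIntoStore -Path $signingCer -StoreName 'TrustedPublisher'
$null = Import-CertIntoStore -Path $signingCer -StoreName $ThirdPartyStore

# Keep this value: it must equal the thumbprint of the certificate bound to the WSUS
# Administration web site on the Essentials server, or the console will reject the SSL channel.
"SSL certificate thumbprint to compare against the server: {0}" -f $sslCert.Thumbprint
```

    Usage: `.\Import-SceConsoleCerts.ps1 -CertDir 'D:\from-sce-server'` (the script name is arbitrary). The thumbprint printed at the end is what a later check against the server's certificate should be compared with; importing a stale or regenerated .cer file leaves the store looking populated while the server presents a different certificate.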
  • Hi Yog Li,

    Thanks for the response.
    I had already done these steps as per the documentation. I double checked this as well. Would this at all make a difference if WSUS was installed before SCE was installed I wonder?...

    Anyway I followed the instructions of the installation to the letter.

    Any other ideas?

    Thanks,

    Eugene
    Friday, September 28, 2007 6:40 PM
  • It definitely looks like we're failing to make an SSL connection to WSUS.  One more thing to do is verify that the SSL cert you copied from the SCE server is in fact the same one that it is using.  To check this, first do the following on the SCE server:

     

    1. Open IIS Manager
    2. Navigate to Web Sites\WSUS Administration
    3. Right click on the WSUS Administration web site and select Properties
    4. Select the Directory Security tab
    5. In the Secure Communications section, click on View Certificate.
    6. On the Details tab of the certificate, the “Issuer” property should be the name of the System Center Essentials server. The “Thumbprint” property should match what is in the SSLCertHash value in HKLM\Software\Microsoft\System Center Essentials\1.0\PolicySettings.

     

    Now look at the cert that you imported on the remote console computer and verify that the thumbprint is the same as the one noted above.

     

    If all of this is correct, the next thing I would do is temporarily eliminate the ISA server, if possible, and see if we still have the problem.

    Monday, October 01, 2007 3:17 AM
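    A way to see, from the console workstation, which certificate is actually offered on the Essentials server's SSL port. It covers both the thumbprint comparison in the reply above and the proxy-substitution case Peter describes in the accepted answer: if an ISA or other proxy terminates SSL, the certificate the console sees is the proxy's, not the one in the SCE server's store, and no amount of re-importing WSUSSSLCert.cer will fix that. This is an added example, not code from the thread or from the product: the server name is whatever is typed into the SCE console, the port defaults to 8531 (the WSUS SSL port, an assumption, since the thread never states the port), and -ExpectedThumbprint takes the SSLCertHash value read from the registry key named in the reply.

```powershell
# Added example, not from the original thread. Run on the console workstation.
# $Server: the name typed into the SCE console. $Port: WSUS SSL port, 8531 is an
# assumption. $ExpectedThumbprint: SSLCertHash value read on the SCE server (optional).
param(
    [Parameter(Mandatory=$true)] [string]$Server,
    [int]$Port = 8531,
    [string]$ExpectedThumbprint = ''
)

$ErrorActionPreference = 'Stop'
$X509 = 'System.Security.Cryptography.X509Certificates'

# Accept whatever is presented so the handshake completes; the verdict is recomputed
# below with X509Chain, which exposes the reasons instead of a bare "invalid".
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }

$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($Server, $Port)
$stream = $tcp.GetStream()
$ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
try {
    $ssl.AuthenticateAsClient($Server)
    $cert = New-Object "$X509.X509Certificate2" -ArgumentList $ssl.RemoteCertificate
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

$dnsName = $cert.GetNameInfo('DnsName', $false)
"Subject    : {0}" -f $cert.Subject
"DNS name   : {0}" -f $dnsName
"Issuer     : {0}" -f $cert.Issuer
"Thumbprint : {0}" -f $cert.Thumbprint
"Validity   : {0:u} .. {1:u}" -f $cert.NotBefore, $cert.NotAfter

# Rebuild the chain the way .NET validation does, minus revocation, so that a
# self-issued SCE certificate is judged purely on whether its root is trusted.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)
if ($trusted) {
    $top = @($chain.ChainElements)[-1].Certificate
    "Chain      : OK, terminates at trusted root '{0}'" -f $top.Subject
} else {
    foreach ($s in $chain.ChainStatus) {
        "Chain      : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}

# Is the presented certificate itself in LocalMachine\Root, where WSUSSSLCert.cer belongs?
$root = New-Object "$X509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$root.Open('ReadOnly')
$inRoot = $root.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0
$root.Close()

$expected = ($ExpectedThumbprint -replace '[\s:]', '').ToUpper()
if ($expected -and $cert.Thumbprint -ne $expected) {
    "VERDICT    : presented thumbprint differs from the server's SSLCertHash ($expected)."
    "             Something between this workstation and $Server (a proxy or ISA rule that"
    "             terminates SSL) is substituting its own certificate; bypass it for this host."
} elseif (-not $inRoot) {
    "VERDICT    : this certificate is not in LocalMachine\Root here. Either WSUSSSLCert.cer"
    "             was not imported into the Computer account's store, or the issuer above is"
    "             not the Essentials server and a proxy is answering instead."
} elseif ($dnsName -ne $Server) {
    "VERDICT    : trusted, but the certificate is for '$dnsName' and you connected to '$Server';"
    "             connect with the name that is on the certificate."
} else {
    "VERDICT    : trust and name check out; the SCE console should connect to $Server over SSL."
}
```

    To get the reference value, run `(Get-ItemProperty 'HKLM:\Software\Microsoft\System Center Essentials\1.0\PolicySettings').SSLCertHash` on the Essentials server (if it comes back as a byte array, join the bytes as two-digit hex) and pass it as `-ExpectedThumbprint`. Note that the script deliberately ignores proxy settings: it opens a raw TCP connection, so a mismatch here means the substitution is on the network path (for example an ISA publishing rule), whereas a match here combined with a console failure points at the console going through the IE/PAC proxy that Peter describes.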
  • Hi,

    1) Yes, it is in the same domain
    2) I am out of the office until Friday, will then try to install it on a different machine. I did however have exactly the same issue working on a member server before I tried it on my workstation.

    Will revert and thanks again!

    Eugene
    Tuesday, October 02, 2007 7:09 PM
  • Hi Peter,

    This sounds promising, I will check it out. By default we use auto-configuration in IE via ISA. If I have the tick on, I get another error, but yes, I will try adding the destination host directly in ISA. I am only back in the office on Friday, will let you know.

    Thanks!

    Eugene
    Tuesday, October 02, 2007 7:16 PM
  • Hi Eugene,

     

    How are things coming along over there? Hope you can share some experience with us if the issue has already been resolved.

     

    Thanks.

     

                                              

    Sincerely,

    Yog Li

    Microsoft Online Community Support

    Monday, October 08, 2007 8:10 AM
    Moderator
  • Hi Eugene,

     

    As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as 'Answered' as the previous steps should be helpful for many similar scenarios.

     

    If the issue still persists and you want to return to this question, please reply to this post directly so that we will be notified to follow it up. You can also choose to unmark the answer as you wish.

     

    In addition, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.

     

    Thanks!

     

                                              
    Sincerely,
    Yog Li
    Microsoft Online Community Support

    Friday, October 12, 2007 10:10 AM
    Moderator