Coffeehouse Thread

9 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Vista / IE 7 and Certificate Server problem

Back to Forum: Coffeehouse
  • User profile image
    figuerres

    Hi all, just wanted to try and get this out and see if any MSFT folks can speak about this one:


    IE7 on Vista RC1 / 5600

    I have had this same problem with IE7 on XP before but seems gone now (Ithink) on XP.


    try and go to a server running 2003 and CertSrv on IIS, try and download the CA chain or request a Cert - browser / User ID cert.

    it fails to finish the "Loading ActiveX" step.

    so to me this is a show-stopping failure!

    I manage a private system that uses private certs to allow only a few pc's to use the admin functions... till this is fixed I can not use Vista to manage that site or test Vista / IE7 on that site.

    the CertSrv web app is "out of the box" microsoft install - no code changes done locally to that server /  vdir.

    I have looked in the past for info on this but found no KB / published bug info / workaround etc... to deal with it.

    thanks for your time, perhaps somneone at MSFT can comment on this??

  • User profile image
    RamblingGeek​UK

    I've been having the same issue with SBS certs with Vista, my workaround thus far is saving the cert from a working xp PC and iimporting it in IE/Vista, far from ideal. It was a Pain in the (I need to watch my language) to get IE7 to import it as well....

  • User profile image
    Ericlaw

    Installing a certificate from the CertServ page will not work for Vista clients until the server is updated with the latest service pack.  Please see http://support.microsoft.com/?kbid=922706 for more details.

  • User profile image
    Ericlaw

    To install a certificate when visiting a self-signed OWA server on Vista, you need to perform the following steps:

    1> Run IE as an administrator (Right-click the desktop icon)
    2> Visit the site.
    3> Click through the certificate error
    4> Click the "Certificate Error" button in the address bar.
    5> Click View Certificate
    6> Click Install Certificate
    7>  Unlike on XP, you must click the “Place all certificates in the following store” radio button, and choose the “Trusted Root Certification Authorities” store.  If you don’t do this, the certificate goes in your personal store, and it isn’t trusted by IE.

    Yes, this is cumbersome, but for good reason: Self-signed certificates are quite dangerous, because unless you manually compare the thumbprint/hash via secure or out-of-band communication, you have no assurance that your connection isn't being man-in-the-middle attacked.

    Eric Lawrence
    Program Manager
    IE Networking

  • User profile image
    figuerres

    Ericlaw wrote:
    Installing a certificate from the CertServ page will not work for Vista clients until the server is updated with the latest service pack.  Please see http://support.microsoft.com/?kbid=922706 for more details.


    that link and kb # seem to be wrong, please check that kb#

  • User profile image
    youritguru

    Good info I got from this post. My only problem is that I do not have access to the Longhorn beta.

    Is it possible to get the Certificate Web Pages from the Longhorn Beta2 server or later somewhere?

    Then I will be able to follow the KB article. Because I have to install the root certificate on a Vista PC because I want to use RPCoverHTTP with Outlook.

    Does someone know?

    Thank you in advance.

     

    /Lars @ Youritguru

  • User profile image
    tmarman

    Ericlaw wrote:
    

    To install a certificate when visiting a self-signed OWA server on Vista, you need to perform the following steps:

    1> Run IE as an administrator (Right-click the desktop icon)
    2> Visit the site.
    3> Click through the certificate error
    4> Click the "Certificate Error" button in the address bar.
    5> Click View Certificate
    6> Click Install Certificate
    7>  Unlike on XP, you must click the “Place all certificates in the following store” radio button, and choose the “Trusted Root Certification Authorities” store.  If you don’t do this, the certificate goes in your personal store, and it isn’t trusted by IE.

    Yes, this is cumbersome, but for good reason: Self-signed certificates are quite dangerous, because unless you manually compare the thumbprint/hash via secure or out-of-band communication, you have no assurance that your connection isn't being man-in-the-middle attacked.



    Eric, I randomly find that Vista "loses" any certificates I have to add. It's quite frustrating - any ideas?

  • User profile image
    WilliamG

    Eric said,
    >Yes, this is cumbersome, but for good reason: Self-signed certificates are quite dangerous, because unless you manually compare the thumbprint/hash via secure or out-of-band communication, you have no assurance that your connection isn't being man-in-the-middle attacked.

    That's fine for the average user but as a tester, navigating to the actual IE app 25 to 30 times a day on a private, internal network is a real time waster (and a pain in the butt).

    Additionally, doesn't this totally negate one of Windows main features...  Creating a shortcut on the desktop to a application in order to save time and effort. If we contine on this path, we will finally return to DOS command line!

    How did this slip through usability testing?

  • User profile image
    thebitguru

    Hi,

    I have written a short tutorial on importing certificates in Vista.  I thought I would post a link here since this is one of the results that comes up when you search on Google.

    You can find the article here.  Like Eric mentioned above, make sure you know the consequences of doing this. Smiley


    - Farhan

Conversation locked

This conversation has been locked by the site admins. No new comments can be made.