[isapros] Re: RPC over Http

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: <isapros@xxxxxxxxxxxxx>
  • Date: Mon, 7 May 2007 16:33:09 -0700

She was alluding to my "local machine personal store" phrase regarding
the trusted cert.
I did truly misspeaketh and was resoundingly corrected by yon fair maid.

The rules as we've defined them unfold thusly:
1. Use only the cert manglement MMC (or approved CAPICOM scripts) to
handle cert manglement
2. Server- or user-auth certs go in the appropriate "Personal" store
(user, local machine, service, yomama)
3. Issuing-entity (AKA trusted) certs go *only* in the local machine
trusted roots store

Granddad

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Monday, May 07, 2007 4:11 PM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: RPC over Http

NOT contrary. I said to put the certificate in the machine certificate
store, and the CA certificate in the Trusted Root Certification
Authorities store. It's always been that way and is always that way
still.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- Microsoft Firewalls (ISA)

 

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> Sent: Monday, May 07, 2007 12:42 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: RPC over Http
> 
> That's contrary to Tom's advice of putting the cert into the local
> machine trust root. In this case the cert is in the correct location.
> It's in local machine trust root; same place it is on my laptop. I'll
> place another one in the local machine personal but (sorry Jim) I have
> my doubts that this is going to fix the problem. I'd love to be wrong
> though.
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jim Harrison
> Sent: Monday, May 07, 2007 12:44 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: RPC over Http
> 
> Tom's right; never use the IE mechanism - it always uses the current
> user store and often buggers the process.
> 
> Want another hint?
> *always*, but *FREAKIN' ALWAYS* place the trust certs in the local
> machine personal store.
> Why, you ask?
> Go ahead - ask.
> Seriously; I won't bite (hard) unless you want me to...
> Really...
> Ok, ok...
> 
> When CAPI goes a-hunting for trust certs, it will use the following
> search logic:
> 1. "Current User" (user account, network_service, localsystem, etc.)
> store associated with the thread making the request.
> 2. "Local Machine" store
> 
> If you always place them in the local system store, you only have one
> place to seek them out.
> 
> ..just a thought...
> 
> JimmyJoeBobAlooba
> 
> 
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx 
> [mailto:isapros-bounce@xxxxxxxxxxxxx]
> On Behalf Of Thomas W Shinder
> Sent: Monday, May 07, 2007 9:42 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: RPC over Http
> 
> Use the MMC and put the certificates in the right places. In this case,
> put it in the machine store and in the Trusted Root Cert authorities.
> 
> HTH,
> Tom
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://blogs.isaserver.org/shinder/
> Book: http://tinyurl.com/3xqb7
> MVP -- Microsoft Firewalls (ISA)
> 
>  
> 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> > Sent: Monday, May 07, 2007 11:34 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC over Http
> > 
> > It's a self-signed certificate generated by SBS. In IE7 you have to jump
> > through some hoops to install one. Click on the Certificate Error next
> > to the address bar. View cert. Click install. Click yes, I want to
> > install it anyway. Normally the cert is then installed correctly. In the
> > case of these laptops, you still see the cert error near the address
> > bar. If you select more information, it pops up a box that says there is
> > an address mismatch. I would believe it except I have this same cert,
> > following the same procedure installed on my laptop.
> > 
> > Just had a thought. Could this be an admin rights issue? Hmmm
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Monday, May 07, 2007 11:39 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC over Http
> > 
> > What he said, plus can you elaborate on "..address mismatch error when
> > they attempt to install the certificate.."?
> > This sounds more like a connection, not an installation error?
> > 
> > 
> > -----Original Message-----
> > From: isapros-bounce@xxxxxxxxxxxxx 
> > [mailto:isapros-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Thomas W Shinder
> > Sent: Monday, May 07, 2007 7:58 AM
> > To: isapros@xxxxxxxxxxxxx
> > Subject: [isapros] Re: RPC over Http
> > 
> > Hi Amy,
> >  
> > Are you installing the certificates via the MMC and into the machine
> > certificate store?
> >  
> > Also, make sure the CA certificate is installed in the Trusted Root
> > Certification Authorities.
> >  
> > Tom
> >  
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org <http://www.isaserver.org/> 
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7> 
> > MVP -- Microsoft Firewalls (ISA)
> > 
> >  
> > 
> > 
> > ________________________________
> > 
> >     From: isapros-bounce@xxxxxxxxxxxxx
> > [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
> >     Sent: Monday, May 07, 2007 9:26 AM
> >     To: isapros@xxxxxxxxxxxxx
> >     Subject: [isapros] RPC over Http
> >     
> >     
> > 
> >     I'm having an issue with a client's laptops. We're setting up
> > RPC over HTTP so I need to install the certificate on the laptops. The
> > cert installs fine onto my Vista IE7 laptop but does not install on
> > their XP IE7 laptops. They are getting an address mismatch error when
> > they attempt to install the certificate. Since the same certificate
> > installed without error for me, I'm not sure where to look for the
> > problem. It seems like it has to be something on the laptop rather than
> > an issue with the cert. I have looked for old certificates on the
> > laptops. Didn't see any. Any other ideas on where or what I should look
> > for?
> > 
> >      
> > 
> >     Thanks,
> > 
> >      
> > 
> >     Amy
> > 
> > 
> > 
> > 
> > All mail to and from this domain is GFI-scanned.


All mail to and from this domain is GFI-scanned.
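
Added example, not part of the original thread: a read-only PowerShell audit of the placement rules listed in the top message (issuing/trusted certs only in the local machine trusted roots store, identity certs in a Personal store). It assumes PowerShell 3.0 or later with the built-in Cert: provider; the function name and output columns are illustrative.

```powershell
# Added example (not from the thread): report self-issued certificates that
# sit outside LocalMachine\Root. Read-only; changes nothing in any store.

function Get-SelfIssuedCert {
    param([Parameter(Mandatory)][string]$StorePath)
    # A root or self-signed certificate names itself as its issuer.
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -and $_.Subject -eq $_.Issuer }
}

# Thumbprints that are trusted machine-wide.
$machineRoots = @{}
Get-ChildItem -Path Cert:\LocalMachine\Root |
    ForEach-Object { $machineRoots[$_.Thumbprint] = $true }

$stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

$findings = foreach ($store in $stores) {
    foreach ($cert in Get-SelfIssuedCert -StorePath $store) {
        $inMachineRoot = $machineRoots.ContainsKey($cert.Thumbprint)
        $isRootStore   = $store -like '*\Root'

        # CurrentUser\Root typically also lists the machine roots; only
        # entries missing from LocalMachine\Root are per-user trust.
        if ($isRootStore -and $inMachineRoot) { continue }

        if ($isRootStore) {
            $note = 'trusted for this user only'
        } elseif (-not $cert.HasPrivateKey) {
            $note = 'trust cert sitting in a Personal store'
        } elseif (-not $inMachineRoot) {
            $note = 'self-signed identity cert, not machine-trusted'
        } else {
            $note = 'ok'
        }

        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            Note          = $note
        }
    }
}

$findings | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
```

Run it in the context of each account that makes the connection, since the "Current User" store searched first differs per account.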

