[THIN] Re: Certificates and profiles

  • From: Greg Reese <gareese@xxxxxxxxx>
  • To: Thin <thin@xxxxxxxxxxxxx>
  • Date: Fri, 16 Jan 2009 08:59:01 -0600

To pile on to this, you can distribute certs, trusted ca etc via a gpo to your machines.


Sent from my iPhone

On Jan 16, 2009, at 8:25 AM, "Jeremy Saunders" <Jeremy.Saunders@xxxxxxxxxxxxxx > wrote:

And maybe it won’t be trusted because you don’t have the root cert. Vista may contain something different to your Citrix (Windows 2003?) servers.

There are two MS tools I use for automating the certificate import so that users never need to deal with this stuff. Certmgr.exe and winhttpcertcfg.exe.


I hope that goes someway to helping.



From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Kevin Stewart
Sent: Friday, January 16, 2009 10:48 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Certificates and profiles

Its likely that the certificate isn't "trusted" by the system. Open up the certificate details when you get the prompt, go to the last tab, I think its "Certification Path", and look at the trust chain. You'll see the certificate that's being presented and potentially another certificate above it that is the parent, or root of this one. One or both of those will probably have a red X next to them. If so download and install that/these certificates in the computers trusted or intermediate trust stores. The prompt essentially means "Hey, the server you're talking to is passing a server certificate that I don't trust. Are you sure you want to start a dialog?" If you install the certificates the computer will then implicitly trust the server. Additionally, I believe each user has their own certificate store, so you may need to install in the computer's store for them to be global. Otherwise I don't believe it has anything to do with roaming profiles and Vista probably remembers the user's first response to the prompt.

Give that a try.


On Fri, Jan 16, 2009 at 7:44 AM, Hamilton, Ronnie <ronnie.hamilton@xxxxxxx > wrote:

I think it's a cert that was set up for the applications by the company that wrote it…but its not a veri sign or anything like that.

I have users running Vista and they have a local profile and when they accept the cert they only do it once.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Braebaum, Neil
Sent: 16 January 2009 11:41
To: thin@xxxxxxxxxxxxx

Subject: RE: [THIN] Certificates and profiles

Why do they have to accept the cert?

Is there something wrong with it?


From: thin-bounce@xxxxxxxxxxxxx on behalf of Hamilton, Ronnie
Sent: Fri 1/16/2009 11:24 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Certificates and profiles


We have recently implemented a new web application which requires you to accept a certificate when you open the web page to access the site.

My question is when the user has accepted this and logs out and then back in they have to accept it again.

We currently use roaming profiles and I was under the impression that this setting should be held.



Visit our website : www.ltai.ie


Lufthansa Technik Airmotive Ireland Limited. Registered in Ireland. Reg. No. 45999. Registered Office: Naas Road, Rathcoole, Co.Dublin.

Lufthansa Technik Airmotive Ireland Leasing Limited. Registered in Ireland. Reg. No. 140891. Registered Office: Naas Road, Rathcoole, Co.Dublin.


This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please advise by return email and delete all copies of the message.

Kevin G. Stewart

Confidentiality and Privilege Notice
This document is intended solely for the named addressee. The information contained in the pages is confidential and contains legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply email. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you.

Other related posts: