Whilst attempting to get a certificate from a Windows server running certificate services, I got the following error:
The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE) Denied by policy module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.
Solution: 0x80094801 Error
Well, that’s a descriptive error. As this is a certificate request I’ve created on a third-party piece of hardware, I’m not surprised there’s no template information. The only way to specify which template the CA should use for the issued certificate is to resubmit the request from the command line.
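The command-line resubmission described above, as an added example (not the article's own code): a CSR made on a non-Windows device carries no template extension, so the AD CS policy module rejects it with CERTSRV_E_NO_CERT_TYPE; resubmitting it with certreq and an explicit CertificateTemplate request attribute supplies what was missing. The CA config string form '{CA-Host}\{CA-Name}', the template name and the file paths in the usage lines are placeholders.

```powershell
# Added example, not the article's own code. Resubmits a CSR made on a third-party
# device to an AD CS CA with the template named explicitly, which is exactly what
# CERTSRV_E_NO_CERT_TYPE (0x80094801) says is missing from the request.
# Assumed: the CA config string form '{CA-Host}\{CA-Name}' and the template name you pass.

function Get-CATemplateNames {
    # Lists the templates the CA is configured to issue. The first column is the template
    # *name* (e.g. WebServer), which is what -attrib needs, not the display name ("Web Server").
    param([string]$CAConfig)   # '{CA-Host}\{CA-Name}'; omit and certutil prompts for a CA
    if ($CAConfig) { & certutil.exe -config $CAConfig -CATemplates } else { & certutil.exe -CATemplates }
}

function Submit-CsrWithTemplate {
    param(
        [Parameter(Mandatory)][string]$RequestFile,   # the .req/.csr exported from the device
        [Parameter(Mandatory)][string]$Template,      # template name, e.g. WebServer
        [string]$CAConfig,                            # '{CA-Host}\{CA-Name}'
        [string]$OutFile                              # defaults to <request>.cer
    )
    if (-not $OutFile) { $OutFile = [IO.Path]::ChangeExtension($RequestFile, '.cer') }

    # A CSR from a non-Windows device carries no template extension, so the policy
    # module rejects it; -attrib adds the "CertificateTemplate" request attribute.
    # The submitting account still needs Enroll permission on that template.
    $certreqArgs = @('-submit', '-attrib', "CertificateTemplate:$Template")
    if ($CAConfig) { $certreqArgs += @('-config', $CAConfig) }
    $certreqArgs += @($RequestFile, $OutFile)

    & certreq.exe @certreqArgs
    if ($LASTEXITCODE -ne 0) {
        # certreq returns the HRESULT as its exit code; the CA's Failed Requests view has the detail
        throw ('certreq failed: 0x{0:X8} (check the CA''s Failed Requests log)' -f $LASTEXITCODE)
    }
    Get-Item -Path $OutFile
}

# Usage (paths and names are placeholders):
# Get-CATemplateNames -CAConfig '{CA-Host}\{CA-Name}'
# Submit-CsrWithTemplate -RequestFile C:\temp\device.req -Template WebServer -CAConfig '{CA-Host}\{CA-Name}'
```

Run it from an elevated prompt on a domain-joined machine. If the CA is set to require manager approval for the template, certreq reports the request as pending and you retrieve the certificate later with certreq -retrieve and the request ID it prints.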
I was setting up some HTTPS/SSL inspection this week and while testing it, I ran into this problem;
Firefox Certificate Settings
So the machine I’m using DOES trust the CA that issued that certificate (it’s a FortiGate firewall), but the BROWSER does not. (Firefox maintains its own list of certificates, and more importantly, its own list of which CA certificates it will trust.) Essentially the browser is trying to protect you from a MITM attack.
Browse to about:preferences#privacy > Certificates > View Certificates.
Import.
Navigate to the CA certificate for the authority that signed the certificate(s) you are having a problem with, and import it > Select ‘Trust this CA to identify websites’ > OK.
Related Articles, References, Credits, or External Links
We Mac users always get overlooked. If I had a pound for every time I’ve heard ‘Yeah, we don’t support Macs’ I would be a rich man. But thankfully this makes us work things out for ourselves, usually!
Firstly you will want to download the VPN package (and have a valid client/user certificate, [see the link above]).
Obviously the installer is for Windows, but within the ZIP file you download, it has a copy of the XML file with the settings in it, and a copy of the Root CA certificate you used.
So your first job is to ‘import’ the client certificate. It will be in PFX format (if you followed my instructions), so you will need to supply the password you specified when creating the PFX file (not the Mac password) when prompted to install it (double click on it).
The engineer in me isn’t quite sure why the client needs the Root CA certificate on it, (because that’s not how certificates work!) But Microsoft insist it’s necessary, so also double click and install the Root CA Certificate, (it’s inside the VPN Package).
You don’t need to install VPN software onto the mac, (it has its own built in). Click the Apple Logo > System Preferences > Network > Add > Interface = VPN > VPN Type = IKEv2 > Service Name = Azure-Client-VPN > Create.
Now open the XML file from within your VPN client software ZIP file, and locate the FQDN of the ‘Gateway’ address in Azure > Copy it to the clipboard.
Paste the server address into BOTH Server Address AND Remote ID > (Leave Local ID blank for now) > Authentication Settings
WARNING: I’m using macOS Catalina, so I chose ‘None’ (NOT CERTIFICATE). But for macOS Mojave (and older) CHOOSE CERTIFICATE. It’s a bug that causes an error (see below) if you don’t.
Select > Choose the CLIENT certificate you imported earlier (take note of the name in brackets; this is the common name on the certificate, and you will need it in a minute!) > Continue > OK.
Put the Common Name from the certificate into the Local ID section > Apply > Connect.
All being well it should connect (though it may prompt you to enter your user password). BY DEFAULT the option ‘Show VPN Status in Menu Bar’ should be ticked; if it isn’t, then tick it.
With that option ticked, you can connect and disconnect the VPN quickly without needing to go back into System Preferences like so;
While trying to connect Outlook (2016) to an Office 365 email account;
We can’t connect you
It looks like we can’t connect you to one of our services the moment. Please try again later, or contact your helpdesk if the issue persists.
0xCAA70010
{ADFS-URL}
Solution
This was happening because my ADFS server was using a ‘self-signed’ certificate (i.e. not a purchased one). This should NEVER be done in a production environment, but this is my test network, (so I refuse to spend money on certificates for testing etc!)
I cured the problem by simply importing/trusting the CA certificate from my internal Certificate Services CA server (the one that issued the ADFS server’s certificate).
If you see this on a production server with a publicly signed certificate, check that the ‘problem’ client does not need a Windows Update to refresh its trusted CA certificates, and that your certificate simply hasn’t expired because you ‘forgot’ to renew it. If so;
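The two checks above (does this client trust the issuing CA, and has the certificate expired) done from a PowerShell prompt on the affected client, as an added example that is not part of the original article. The exported CA certificate path and the ADFS host name you pass in are assumptions; Test-ServerCertificate and Import-InternalRootCA are helper names invented here.

```powershell
# Added example, not the article's own code. Two helpers for this error: look at the
# certificate the ADFS endpoint actually presents (expired? issued by a CA this box
# trusts?), and trust an internal CA on the client if that is the cause.
# Assumed: the ADFS host name and the exported CA certificate (.cer) path you pass in.

function Test-ServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # This callback always returns $true so the handshake completes and we can read
        # the certificate even when it is untrusted; the trust decision is made below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Expired      = ($cert.NotAfter -lt (Get-Date))
        # Verify() builds the chain against this machine's trust stores, i.e. it answers
        # "would Outlook on this box trust the issuer?" (self-signed or unknown CA -> False).
        # It does not check that the name matches; look at Subject for that.
        ChainTrusted = $cert.Verify()
    }
}

function Import-InternalRootCA {
    param([Parameter(Mandatory)][string]$CerPath)   # CA certificate exported as .cer (assumed path)
    # Needs an elevated prompt. LocalMachine\Root = trusted root CAs for every user on the box.
    Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage:
# Test-ServerCertificate -HostName adfs.{your-domain}
#   Expired = True            -> renew the certificate on the ADFS server
#   ChainTrusted = False and Issuer is your internal CA
#                             -> Import-InternalRootCA -CerPath C:\temp\internal-ca.cer, then test again
```

Only import a CA into the Root store when you control that CA; for a publicly signed certificate that shows ChainTrusted = False, the fix is the Windows Update check the article mentions, not adding a root by hand.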
When attempting to connect to a vCenter or ESXi host, you see the following error;
[box]
Connect-VIServer : {Date} {Time} Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration
to set the value for the InvalidCertificateAction option to Prompt if you'd like to connect once or to add a
permanent exception for this server.
Additional Information: Could not establish trust relationship for the SSL/TLS secure channel with authority
'{Server-Name}'.
At line:1 char:1
+ Connect-VIServer
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [Connect-VIServer], ViSecurityNegotiationException
+ FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_CertificateError,VMware.VimAutomation.ViCore.
Cmdlets.Commands.ConnectVIServer
[/box]
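The Set-PowerCLIConfiguration change the error message suggests, beside the cleaner alternative of trusting the CA that issued the vCenter or ESXi certificate, as an added example that is not part of the original article. It assumes VMware PowerCLI is installed; the CA certificate path and the /certs/download.zip location are assumptions (the latter is where vCenter 6.x publishes its trusted roots), and the function names are invented here.

```powershell
# Added example, not the article's own code. The error above is PowerCLI refusing an
# untrusted vCenter/ESXi certificate. Two fixes: relax the check (quick, per user), or
# trust the CA that issued the certificate so the check passes on its merits.
# Assumed: PowerCLI is installed; the .crt path is one you extracted from the vCenter CA bundle.

function Set-PowerCLICertPolicy {
    # Prompt = ask once per connection; Ignore = never check (lab/test use only);
    # Fail = the secure default, which is what produced the error in the first place.
    param([ValidateSet('Fail', 'Warn', 'Ignore', 'Prompt', 'Unset')][string]$Action = 'Prompt')
    Set-PowerCLIConfiguration -Scope User -InvalidCertificateAction $Action -Confirm:$false | Out-Null
    (Get-PowerCLIConfiguration -Scope User).InvalidCertificateAction   # returns the value now in force
}

function Install-VCenterRootCA {
    # vCenter 6.x offers its trusted roots at https://{vCenter-FQDN}/certs/download.zip
    # (assumed layout: certs\win\*.crt inside the zip). Extract it and pass a .crt here.
    # Needs an elevated prompt because it writes to the machine-wide Root store.
    param([Parameter(Mandatory)][string]$CrtPath)
    Import-Certificate -FilePath $CrtPath -CertStoreLocation Cert:\LocalMachine\Root
}

# Usage:
# Set-PowerCLICertPolicy -Action Prompt                         # lab: connect once, answer the prompt
# Install-VCenterRootCA -CrtPath C:\temp\certs\win\{hash}.0.crt  # production: trust the VMCA root...
# Set-PowerCLICertPolicy -Action Fail                           # ...and put the check back on
# Connect-VIServer -Server {vCenter-FQDN}
```

Ignore is tempting for scripts, but it also silences a genuinely wrong certificate, which is the one thing the check exists to catch; trusting the real CA keeps unattended scripts working without that trade-off.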
The actual configuration of ADFS depends largely on what you intend to do with it. Here I’m using it to broker connections from my Microsoft Web Application Proxy. This article is just to ‘join the dots’ and covers just the installation of the role itself.
Solution
Before you Start: Make sure you have a certificate ready to use for ADFS. I typically use a wildcard cert for this; it’s better if you have purchased one, but if you use Certificate Services, here’s how to create a wildcard certificate.
Note: You can add adfs.{your-domain} to your wildcard as a SAN (Subject Alternative Name). Also add certauth.adfs.{your-domain}. Yes, even on a wildcard certificate! (A wildcard only matches a single label, so *.{your-domain} does not cover certauth.adfs.{your-domain}.)
For example: adfs.petenetlive.com and certauth.adfs.petenetlive.com.
You can either create a service account for ADFS to run under, or use a GROUP MANAGED SERVICE ACCOUNT.
What’s a Group Managed Service Account?
It’s an AD object that acts as a service account, and you don’t need to worry about entering a password for it.
Create a Group Managed Service Account
Before you can have a gMSA you need a KDS Root Key in Active Directory. To set that up, execute the following command;
[box]
If you have only one domain controller;
Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
If you have more than one domain controller;
Add-KdsRootKey -EffectiveImmediately
If you use the second option you must then WAIT 10 HOURS!
[/box]
Then go to a Domain Controller, and issue the following command;
In case you are interested, you will then see it appear in Active Directory.
Then ON the ADFS Server, run the following command;
[box]
setspn -a host/localhost {gMSA-Account-Name}
[/box]
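The gMSA steps above (KDS root key, create the account on a domain controller, register the SPN on the ADFS server) as one script, added here as an example that is not part of the original article. The names are assumptions: gMSA 'adfs-gmsa', ADFS server computer account 'ADFS01$', service FQDN adfs.{your-domain}.

```powershell
# Added example, not the article's own code: the gMSA steps above as one script.
# Assumed names: gMSA 'adfs-gmsa', ADFS server computer account 'ADFS01$', and the
# service FQDN adfs.{your-domain}. Steps 1-2 run on a domain controller, step 3 on the
# ADFS server (which needs the AD PowerShell module, i.e. the RSAT-AD-PowerShell feature).
Import-Module ActiveDirectory

# 1. KDS root key, once per forest. Backdating is the single-DC shortcut from the article;
#    with several DCs use -EffectiveImmediately and wait the 10 hours for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 2. Create the gMSA. Limiting password retrieval to the ADFS server's computer account
#    means no other host can pull the managed password and run as this account.
New-ADServiceAccount -Name 'adfs-gmsa' `
                     -DNSHostName 'adfs.{your-domain}' `
                     -PrincipalsAllowedToRetrieveManagedPassword 'ADFS01$'
Get-ADServiceAccount -Identity 'adfs-gmsa'      # the object the article says appears in AD

# 3. On the ADFS server: prove it can fetch the managed password, then add the SPN
#    from the article.
Install-ADServiceAccount -Identity 'adfs-gmsa'
Test-ADServiceAccount    -Identity 'adfs-gmsa'   # True = this server can use the gMSA
setspn -a host/localhost adfs-gmsa
```

If Test-ADServiceAccount returns False, the usual causes are the KDS key not yet being effective (the 10-hour wait) or the server not being listed in PrincipalsAllowedToRetrieveManagedPassword.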
Deploying Active Directory Federation Services
Server Manager > Manage > Add Roles and Features > Next > Next > Select the server > Next > Server Roles > Select Active Directory Federation Services > Accept all the defaults and install the role.
Launch the configuration wizard > Create the first federation server in a federation farm > Next.
I’m setting this up while logged on as the domain administrator, so I’ll use that account to connect to AD > Next.
WARNING: If you use a wildcard cert like me it will choose the name of *.{domain-name}. THIS IS BAD! Change the federation service name to something sensible, like adfs.domain.com. The ‘Federation Service Display Name‘ is what will be shown to the users as they authenticate. > Next.
Make sure the federation server DNS name can be resolved in DNS! Remember if your Web Application Proxy server is in your DMZ, or outside the firewall, it will also need to be able to resolve this name, (I put them in the ‘hosts‘ file on my DMZ servers for this reason).
Enter your Group Managed Service Account, (created above) > Next.
Create a database. (Note: If you are reinstalling, it will discover any existing databases and ask if you want to overwrite them) > Next.
Next
Configure.
Close. (Note: I’ve got some warnings but all is well, trust me!)
To test, open a web browser and go to https://{FQDN-Of-FS-Service}/adfs/ls/idpinitiatedsignon and log in.
Note: If using Server 2016 or Server 2019, you have to enable this, or it will error! See the link below.
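A post-install check covering the points the walk-through warns about (federation service name, DNS, the bound SSL certificate, and the IdP-initiated sign-on page that Server 2016/2019 leaves disabled), added as an example that is not part of the original article. It assumes you run it on the ADFS server with the service FQDN you chose; Test-AdfsDeployment is a name invented here.

```powershell
# Added example, not the article's own code. Post-install checks for an ADFS farm:
# the federation service name (must not be the wildcard), DNS, the SSL certificate
# bound for that name, and the IdP-initiated sign-on page (off by default on 2016+).
# Assumed: run on the ADFS server; $FederationFqdn is e.g. adfs.{your-domain}.
Import-Module ADFS

function Test-AdfsDeployment {
    param([Parameter(Mandatory)][string]$FederationFqdn)
    $props = Get-AdfsProperties

    # The wizard defaulting to *.{domain} is the mistake the article flags as BAD.
    if ($props.HostName -ne $FederationFqdn) {
        Write-Warning "Federation service name is '$($props.HostName)', expected '$FederationFqdn'"
    }

    # Server 2016/2019: /adfs/ls/idpinitiatedsignon errors until this is enabled.
    # (The property does not exist on 2012 R2, hence the guard.)
    if ($props.PSObject.Properties['EnableIdpInitiatedSignonPage'] -and -not $props.EnableIdpInitiatedSignonPage) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    }

    # The WAP in the DMZ needs to resolve this name too (hosts file if need be).
    $dns = Resolve-DnsName -Name $FederationFqdn -ErrorAction SilentlyContinue

    # Which certificate is bound on 443 for the service name, and when it expires.
    $ssl  = Get-AdfsSslCertificate |
            Where-Object { $_.HostName -eq $FederationFqdn -and $_.PortNumber -eq 443 } |
            Select-Object -First 1
    $cert = if ($ssl) { Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $ssl.CertificateHash }

    [pscustomobject]@{
        ServiceName    = $props.HostName
        IdpSignonPage  = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
        DnsResolves    = [bool]$dns
        SslCertSubject = if ($cert) { $cert.Subject } else { '(no certificate bound for this name)' }
        SslCertExpires = if ($cert) { $cert.NotAfter } else { $null }
        SignOnUrl      = "https://$FederationFqdn/adfs/ls/idpinitiatedsignon"
    }
}

# Usage: Test-AdfsDeployment -FederationFqdn adfs.{your-domain}
```

Leaving the IdP-initiated sign-on page enabled only for the test is reasonable; once the relying party trusts work, you can turn it back off with Set-AdfsProperties -EnableIdpInitiatedSignonPage $false, since the page is only needed for IdP-initiated flows.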
At this point, how you proceed depends on what you are using Active Directory Federation Services for. You would set up either a relying or a claims provider trust next.
As said above I’m using this for Web Application Proxy. When that article is complete, I’ll put the link at the bottom of this article.
Related Articles, References, Credits, or External Links
After a colleague deployed Citrix for a customer the other day, they complained that they had a mac user that was getting certificate errors. They had a publicly signed wildcard certificate, but this user was still having problems.
After I heard a few “tell him to stop using a Mac” comments, I said, “I’m using a MacBook here, would you like me to test it?” The URL opened fine in Safari, and the certificate looked good (all green). I was prompted to install the Citrix Receiver and was presented with a session to open; when I did so, I got this;
You have chosen not to trust {Certificate-Name} the issuer of the servers security certificate.
Solution
Head over to https://www.sslchecker.com and put your Citrix URL in and check it, I found this. So I downloaded the two certificates it said I was missing.
Note: For someone who works with certificates, this makes no sense, (as I got to the portal without an error). I had to trust the root CA, and its intermediate CA, (what’s being called a Chain Cert below). But I thought I’d play along to see what happened.
‘Double Click’ each downloaded certificate, then choose ‘Add’, (repeat for each certificate in the chain).
Close any open Citrix Receiver sessions, restart your browser, and try again.
Related Articles, References, Credits, or External Links
If you secure your AnyConnect with certificates, you may see something like this;
When you simply want it to connect without prompting.
Solution
This tripped me up last week; luckily I’d seen it before and knew how to fix it. You need to edit the profile for your AnyConnect so that you ‘UNTICK’ Disable Automatic Certificate Selection. I know that sounds like the opposite of what you want to do, but hey!
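A way to confirm which setting a client actually has, rather than trusting what the profile editor shows, added here as an example that is not part of the original article. It reads the AnyConnect client profile XML on a Windows client; the profile directory below and the assumption that the editor's "Disable Automatic Certificate Selection" box corresponds to an AutomaticCertSelection element set to false are both assumptions, and the function name is invented here.

```powershell
# Added example, not the article's own code. Reads the AnyConnect client profile(s) on a
# Windows client and reports the automatic certificate selection setting, so you can see
# whether the profile the ASA pushed is the one you edited.
# Assumptions: the profile directory below, and that the editor's "Disable Automatic
# Certificate Selection" box maps to <AutomaticCertSelection>false</AutomaticCertSelection>.

function Get-AnyConnectCertSelection {
    param(
        [string]$ProfileDir = (Join-Path $env:ProgramData 'Cisco\Cisco AnyConnect Secure Mobility Client\Profile')
    )
    Get-ChildItem -Path $ProfileDir -Filter *.xml -ErrorAction Stop | ForEach-Object {
        [xml]$doc = Get-Content -Path $_.FullName -Raw
        $node = $doc.AnyConnectProfile.ClientInitialization.AutomaticCertSelection
        # With attributes (UserControllable="...") the XML adapter hands back an element;
        # without them it hands back the bare text.
        $value = if ($node -is [System.Xml.XmlElement]) { $node.InnerText } else { [string]$node }
        [pscustomobject]@{
            Profile                = $_.Name
            AutomaticCertSelection = if ($value) { $value.Trim() } else { '(not set)' }
            # false = the "Disable Automatic Certificate Selection" box is ticked,
            # which is the state that produces the certificate prompt.
            WillPrompt             = ($value -and $value.Trim() -eq 'false')
        }
    }
}

# Usage: Get-AnyConnectCertSelection
```

Fix the setting in the profile editor on the ASA rather than by editing the XML on the client: the ASA pushes its copy of the profile on each connection, so a local edit is overwritten the next time the user connects.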
Related Articles, References, Credits, or External Links
Sometimes this happens after applying updates to Exchange! Firstly make sure all your services are running! From an administrative PowerShell window run the following command;
[box]
Get-Service *Exchange* | Start-Service
[/box]
After making some certificate changes in Exchange 2016 this week, I found that the Outlook Web Access and Exchange Management websites would not work. I was presented with the normal login dialog, but after a successful authentication this happened.
ECP Blank Page: Solution
This happens because the website that runs the ‘Exchange Backend’ has lost the certificate for its https binding.
Open the Internet Information Services Management snap-in > Server-name > Sites > Exchange Back End > Edit Bindings > https (444) > Edit > Select the correct certificate for Exchange.
Then restart the site, or run ‘iisreset’, or simply reboot the server.
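The two checks from this and the preceding section (Exchange services that should be running but are not, and the Exchange Back End https binding on 444 having lost its certificate) from PowerShell on the Exchange server, added as an example that is not part of the original article. It assumes the default site name "Exchange Back End" and port 444 as in the article; the function names are invented here, and the thumbprint in the usage line is a placeholder.

```powershell
# Added example, not the article's own code. After an Exchange update or certificate change:
# (a) list Exchange services that should be running but are not, and (b) check that the
# "Exchange Back End" site's https binding on 444 still has a certificate, re-binding one
# if it has been lost. Assumes the default site name and port from the article.
Import-Module WebAdministration

function Get-StoppedExchangeServices {
    # Only services set to Automatic; Manual/Disabled ones are meant to be stopped,
    # so blindly starting *Exchange* would start things that should stay off.
    Get-Service *Exchange* | Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -ne 'Running' }
}

function Get-BackEndHttpsBinding {
    Get-WebBinding -Name 'Exchange Back End' -Protocol https -Port 444
}

function Test-BackEndCertificate {
    $binding = Get-BackEndHttpsBinding
    if (-not $binding) { Write-Warning 'No https:444 binding on Exchange Back End'; return $false }
    $hash = $binding.certificateHash
    if ([string]::IsNullOrEmpty($hash)) {
        Write-Warning 'The 444 binding has no certificate: this is the ECP/OWA blank page cause'
        return $false
    }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $hash
    if (-not $cert) { Write-Warning "Bound thumbprint $hash is not in LocalMachine\My"; return $false }
    Write-Host "Bound certificate: $($cert.Subject), expires $($cert.NotAfter)"
    return ($cert.NotAfter -gt (Get-Date))
}

function Set-BackEndCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)   # thumbprint of the Exchange certificate
    $binding = Get-BackEndHttpsBinding
    $binding.AddSslCertificate($Thumbprint, 'My')      # same effect as picking it in IIS Manager
    Stop-Website  -Name 'Exchange Back End'
    Start-Website -Name 'Exchange Back End'
}

# Usage:
# Get-StoppedExchangeServices | Start-Service
# Test-BackEndCertificate
# Get-ExchangeCertificate | Where-Object Services -like '*IIS*'   # find the right thumbprint
# Set-BackEndCertificate -Thumbprint {Exchange-Cert-Thumbprint}
```

Get-ExchangeCertificate is only available in the Exchange Management Shell; the rest runs in any elevated PowerShell window on the server.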
Related Articles, References, Credits, or External Links
I wonder how many hours I’ve lost trying to get browsers to connect to things when the browser has not been happy? This week I needed to connect to a vCenter (6.5) web console with Firefox and was greeted with this.
Your connection is not secure
The owner of {site} has configured their web site improperly. To protect information being stolen, Firefox has not connected to this website.
Error Code: SEC_ERROR_UNKNOWN_ISSUER
Normally I use Firefox, because if there’s a problem I can simply add an exception and all is well, but this time there was no way to connect at all.
Solution
Browse to about:config, then search for security.enterprise and set it to true.
Now it will work.
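The about:config switch above made permanent and deployable, as an added example that is not part of the original article: a Firefox enterprise policy that tells Firefox to trust the Windows certificate store (the same effect as the security.enterprise_roots setting) and, optionally, installs a specific CA certificate, which also covers the FortiGate inspection CA imported by hand in the earlier Firefox section. The Firefox install directory and the CA certificate path are assumptions; the function name is invented here.

```powershell
# Added example, not the article's own code. Writes a Firefox enterprise policy
# (distribution\policies.json) so Firefox trusts the same CAs as Windows and/or installs
# a specific CA certificate file. Assumed: Firefox lives under $env:ProgramFiles and the
# certificate paths you pass in exist.

function Set-FirefoxCertificatePolicy {
    param(
        [string]$FirefoxDir = (Join-Path $env:ProgramFiles 'Mozilla Firefox'),
        [string[]]$CertificateFiles = @(),   # optional CA .cer/.pem files to install into Firefox
        [switch]$ImportEnterpriseRoots        # policy equivalent of security.enterprise_roots = true
    )
    $distDir = Join-Path $FirefoxDir 'distribution'
    if (-not (Test-Path $distDir)) { New-Item -ItemType Directory -Path $distDir | Out-Null }

    # Firefox policy schema: policies.Certificates.{ImportEnterpriseRoots, Install}
    $policy = @{
        policies = @{
            Certificates = @{
                ImportEnterpriseRoots = [bool]$ImportEnterpriseRoots
                Install               = @($CertificateFiles)
            }
        }
    }
    $path = Join-Path $distDir 'policies.json'
    $policy | ConvertTo-Json -Depth 5 | Set-Content -Path $path -Encoding UTF8
    Get-Content -Path $path   # show what was written
}

# Usage (elevated prompt, because Program Files is protected):
# Set-FirefoxCertificatePolicy -ImportEnterpriseRoots -CertificateFiles 'C:\temp\fortigate-ca.cer'
# Restart Firefox, then open about:policies to confirm the policy is active.
```

Because the policy is read from the install directory, it survives profile resets and applies to every user on the machine, which is what you want when the same inspection CA has to be trusted fleet-wide; ImportEnterpriseRoots alone is enough when the CA is already in the Windows Trusted Root store, as it was in this case.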
Related Articles, References, Credits, or External Links