0x80094801 Certificate Issue Error

0x80094801 KB ID 0001843

Problem

Whilst attempting to get a certificate from a Windows server running certificate services, I got the following error:

The request contains no certificate template information. 0x80094801 (-2146875391 CERTSRV_E_NO_CERT_TYPE) Denied by policy module 0x80094801, The request does not contain a certificate template extension or the Certificate Template request attribute.

Solution 0x80094801 Error

Well, that’s a descriptive error. As this is a certificate request I’ve created on a third-party piece of hardware, I’m not surprised there’s no template information. The only way to specify which template you want to use for the certificate issued is to resubmit the request from the command line.

[box]

certreq -submit -attrib "CertificateTemplate:TEMPLATE-NAME" "C:\Folder\Request-file.csr"

[/box]

You will be prompted to select a certificate services server, then you will be asked where you want to save the certificate.

You can now use the issued certificate.
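
The following is an added example, not part of the original article: it decodes the CSR so you can review what the CA is being asked to sign, checks for the two certificate template extension OIDs, and only adds the CertificateTemplate attribute when they are absent. The CA config string, template name and file paths are placeholders, and `-config` is used so certreq does not prompt for a CA.

```powershell
# Added example: review a third-party CSR, then submit it with a template attribute.
# Placeholders (assumptions, not from the article): CA config string, template name, paths.
$CsrPath  = 'C:\Folder\Request-file.csr'
$CerPath  = 'C:\Folder\Issued-cert.cer'
$Template = 'TEMPLATE-NAME'        # the template's name, not its display name
$CaConfig = 'CA-SERVER\CA-NAME'    # the "Config:" value printed by running certutil with no arguments

if (-not (Test-Path $CsrPath)) { throw "CSR not found: $CsrPath" }

# Decode the request and review the subject, SANs and key size before it is signed.
$dump = certutil -dump $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certutil could not decode $CsrPath" }
$dump | Select-String -Pattern 'Subject:', 'DNS Name=', 'Public Key Length'

# 1.3.6.1.4.1.311.20.2 = Certificate Template Name, 1.3.6.1.4.1.311.21.7 = Certificate Template Information.
# Matching on the OIDs avoids depending on the display language of certutil.
$hasTemplate = [bool]($dump | Select-String -Pattern '1\.3\.6\.1\.4\.1\.311\.(20\.2|21\.7)')

$certreqArgs = @('-submit', '-config', $CaConfig)
if (-not $hasTemplate) {
    # This is the missing information that triggers CERTSRV_E_NO_CERT_TYPE.
    $certreqArgs += @('-attrib', "CertificateTemplate:$Template")
}
$certreqArgs += @($CsrPath, $CerPath)

certreq @certreqArgs
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Confirm what was actually issued.
if (Test-Path $CerPath) {
    certutil -dump $CerPath | Select-String -Pattern 'Issuer:', 'NotAfter', 'DNS Name='
}
```

The template has to be published on the CA and the submitting account needs Enroll permission on it, otherwise the request is still denied by the policy module.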

Related Articles, References, Credits, or External Links

Microsoft PKI Planning and Deploying Certificate Services

Moving Certificate Services To Another Server

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Software is Preventing Firefox From Safely Connecting to this Site

KB ID 0001727

Problem

I was setting up some HTTPS/SSL inspection this week and while testing it, I ran into this problem;

Firefox Certificate Settings

So the machine I’m using DOES trust the CA that issued that certificate (it’s a FortiGate firewall), but the BROWSER does not. (Firefox maintains its own list of certificates, and more importantly which CA certificates it will trust). Essentially the browser is trying to protect you from a MITM attack.

Browse to about:preferences#privacy > Certificates > View Certificates.

Import.

Navigate to the CA certificate for the authority that signed the certificate(s) you are having a problem with, and import it > Select ‘Trust this CA to identify websites’ > OK

Azure: Point to Site VPN From mac OS?

KB ID 0001693

Problem

We mac users always get overlooked. If I had a pound for every time I’ve heard ‘Yeah we don’t support macs?’ I would be a rich man. But thankfully this makes us work things out for ourselves usually!

So recently I did an article Azure: Point To Site VPN (Remote Access User VPN) but what if you want to use the same solution for a remote mac user?

Solution

Firstly you will want to download the VPN package (and have a valid client/user certificate, [see the link above]).

Obviously the installer is for Windows, but within the ZIP file you download, it has a copy of the XML file with the settings in it, and a copy of the Root CA certificate you used.

So your first job is to ‘import‘ the client certificate, it will be in PFX format, (if you followed my instructions), so you will need to supply the password you specified when creating the PFX file (not the mac password), when prompted to install it (double click on it).

The engineer in me isn’t quite sure why the client needs the Root CA certificate on it, (because that’s not how certificates work!) But Microsoft insist it’s necessary, so also double click and install the Root CA Certificate, (it’s inside the VPN Package).

You don’t need to install VPN software onto the mac, (it has its own built in). Click the Apple Logo > System Preferences > Network > Add > Interface = VPN > VPN Type = IKEv2 > Service Name = Azure-Client-VPN > Create.

Now open the XML file from within your VPN client software ZIP file, and locate the FQDN of the ‘Gateway’ address in Azure > Copy it to the clipboard.

Paste the server address into BOTH Server Address AND Remote ID > (Leave Local ID blank for now) > Authentication Settings

WARNING: I’m using mac OS Catalina, so I choose ‘None’ (NOT CERTIFICATE). But for mac OS Mojave (and older) CHOOSE CERTIFICATE. It’s a bug that causes an error (see below) if you don’t.

Select > Choose the CLIENT certificate you imported earlier, (Take note of the name in brackets, this is the common name on the certificate). You will need this in a minute!  > Continue > OK.

Put the Common Name from the certificate into the Local ID section > Apply > Connect.

All being well it should connect, (though it may prompt for you to enter your user password). BY DEFAULT the option ‘Show VPN Status in Menu Bar‘ should be ticked, if it isn’t then tick it.

With that option ticked, you can connect and disconnect the VPN quickly without needing to go back into System Preferences like so;

Error: VPN Connection, ‘An unexpected error occurred’

Remember above when I said choose ‘None‘ for Catalina, NOT certificate? Well this is what happens if you choose certificate!

PowerCLI: Connect-VIServer Certificate Errors

KB ID 0001603

Problem

When attempting to connect to a vCenter or ESXi host, you see the following error;

 

[box]

Connect-VIServer : {Date} {Time}  Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration 
to set the value for the InvalidCertificateAction option to Prompt if you'd like to connect once or to add a 
permanent exception for this server.
Additional Information: Could not establish trust relationship for the SSL/TLS secure channel with authority
'{Server-Name}'.
At line:1 char:1
+ Connect-VIServer
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Connect-VIServer], ViSecurityNegotiationException
    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_CertificateError,VMware.VimAutomation.ViCore.
   Cmdlets.Commands.ConnectVIServer

[/box]

Solution

Well you can either ‘Sort out your certificates properly’, or ‘Drag down the self signed certificate and install it’, or simply execute the following command;

[box]

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

[/box]

Try again.
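
Setting InvalidCertificateAction to Ignore switches off certificate validation for every server PowerCLI connects to. The following added example (not from the original article) scripts the second option above instead, for a self-signed host certificate: it fetches the certificate, compares it with a thumbprint you have verified out of band, trusts only that certificate, and leaves validation set to Fail. The host name and thumbprint are placeholders.

```powershell
# Added example: trust one verified self-signed certificate instead of ignoring all errors.
# Placeholders (assumptions, not from the article): host name and expected thumbprint.
$Server   = 'vcenter.example.local'
$Expected = '<SHA1-THUMBPRINT-VERIFIED-OUT-OF-BAND>'

# Fetch the certificate the server presents. Validation is skipped for this single
# handshake only, and no credentials or data are sent over the connection.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$tcp = [System.Net.Sockets.TcpClient]::new($Server, 443)
try {
    $ssl  = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($Server)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    $tcp.Dispose()
}

# Refuse to go further unless the certificate is the one you expected.
$expectedHex = ($Expected -replace '[^0-9A-Fa-f]').ToUpper()
if ($cert.Thumbprint -ne $expectedHex) {
    throw "Thumbprint mismatch for $Server (got $($cert.Thumbprint)); not trusting it."
}

# Only a self-signed certificate can act as its own trust anchor. If it was issued
# by a CA, import that CA's certificate instead of the server certificate.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate for $Server is issued by '$($cert.Issuer)'; trust that CA instead."
}

# Trust it for the current user only (Windows asks for confirmation).
$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'CurrentUser')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Keep validation on; the connection now succeeds because the certificate is trusted.
Set-PowerCLIConfiguration -InvalidCertificateAction Fail -Scope User -Confirm:$false
Connect-VIServer -Server $Server
```

The name passed to Connect-VIServer still has to match a name in the certificate. If you do use Ignore for a one-off task, adding `-Scope Session` limits it to the current PowerShell session.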

Citrix: mac OSX ‘You have chosen not to trust…’

KB ID 0001520

Problem

After a colleague deployed Citrix for a customer the other day, they complained that they had a mac user that was getting certificate errors. They had a publicly signed wildcard certificate, but this user was still having problems.

After I heard a few “tell him to stop using a mac” comments, I said, “I’m using a MacBook here, would you like me to test it?” The URL opened fine in Safari, and the certificate looked good (all green), I was prompted to install the Citrix receiver, and was presented with a session to open, when I did so, I got this;

You have chosen not to trust {Certificate-Name} the issuer of the servers security certificate.

Solution

Head over to https://www.sslchecker.com and put your Citrix URL in and check it, I found this. So I downloaded the two certificates it said I was missing.

Note: For someone who works with certificates, this makes no sense, (as I got to the portal without an error). I had to trust the root CA, and its intermediate CA, (what’s being called a Chain Cert below). But I thought I’d play along to see what happened.

‘Double Click’ each downloaded certificate, then choose ‘Add’, (repeat for each certificate in the chain).

Close any open Citrix receiver sessions, restart your browser, and try again.

AnyConnect: Stop Prompting for Certificates

KB ID 0001505

Problem

If you secure your AnyConnect with certificates, you may see something like this;

When you simply want it to connect without prompting.

Solution

This tripped me up last week, luckily I’d seen it before, and knew how to fix it. You need to edit the profile for your AnyConnect so that you ‘UNTICK’ Disable Automatic Certificate Selection. I know that sounds like the opposite of what you want to do, but hey!

Exchange – OWA and ECP Blank Page After Logon

ECP Blank Page KB ID 0001185

Problem

Note: This article is for Exchange 2013, 2016 and 2019. If you are running Exchange 2010 or 2007, see the following article;

Exchange 2010 – Blank OWA Page?

Sometimes this happens after applying updates to Exchange! Firstly, make sure all your services are running! From an administrative PowerShell window run the following command;

[box]

Get-Service *Exchange* | Start-Service

[/box]

After making some certificate changes in Exchange 2016 this week, I found that the Outlook Web Access and Exchange Management websites would not work? I was presented with the normal login dialog, but after a successful authentication this happened.

ECP Blank Page: Solution

This happens because the website that runs the ‘Exchange Backend’ has lost the certificate for its https binding.

Open the Internet Information Services Management snap-in > Server-name > Sites  > Exchange Back End > Edit Bindings > https (444) > Edit > Select the correct certificate for Exchange.

Then restart the site, or run ‘iisreset’, or simply reboot the server.
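
The same check can be made from PowerShell. This added example (not from the original article) reports which certificate, if any, is bound to port 444, flags a binding that points at a missing or expired certificate, and rebinds only when nothing is bound. The thumbprint is a placeholder for the certificate you would otherwise select in the IIS dialog.

```powershell
# Added example: inspect (and if empty, repair) the https binding of the Exchange Back End site.
# Placeholder (assumption, not from the article): the thumbprint of the certificate to bind,
# for example one listed by Get-ExchangeCertificate.
Import-Module WebAdministration
$Site       = 'Exchange Back End'
$Thumbprint = '<EXCHANGE-CERT-THUMBPRINT>'

# IIS:\SslBindings lists the certificate attached to each IP:port combination.
$sslBinding = Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 444 }

if ($sslBinding) {
    $certPath = "Cert:\LocalMachine\$($sslBinding.Store)\$($sslBinding.Thumbprint)"
    if (Test-Path $certPath) {
        $cert = Get-Item $certPath
        "Port 444 is bound to '$($cert.Subject)', valid until $($cert.NotAfter)."
        if ($cert.NotAfter -lt (Get-Date)) {
            Write-Warning 'The bound certificate has expired; select a valid one in Edit Bindings.'
        }
    } else {
        # Typical after a certificate was replaced or removed: the binding is stale.
        Write-Warning "Port 444 references $($sslBinding.Thumbprint), which is no longer in the store."
    }
} else {
    Write-Warning "No certificate is bound to port 444 on '$Site'."
    if (-not (Test-Path "Cert:\LocalMachine\My\$Thumbprint")) {
        throw "Certificate $Thumbprint was not found in Cert:\LocalMachine\My."
    }
    # Attach the certificate to the existing https/444 binding.
    $binding = Get-WebBinding -Name $Site -Protocol https -Port 444
    $binding.AddSslCertificate($Thumbprint, 'My')

    # Restart only this site so the new binding is picked up.
    Stop-Website -Name $Site
    Start-Website -Name $Site
}
```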

Firefox: Cannot Open vCenter Web Client

KB ID 0001482

Problem

I wonder how many hours I’ve lost trying to get browsers to connect to things, and the browser has not been happy? This week I needed to connect to a vCenter (6.5) web console with Firefox and was greeted with this.

Your connection is not secure
The owner of {site} has configured their web site improperly. To protect information being stolen, Firefox has not connected to this website.
Error Code: , SEC_ERROR_UNKNOWN_ISSUER

Normally I use Firefox, because if there’s a problem I can simply add an exception and all is well, but this time there was no way to connect at all.

Solution

Browse to about:config, and then search for security.enterprise, set it to true.

Now it will work