Windows

Windows 7 appears to select inconsistent anchor during wireless connection

  • February 24, 2012

We have a wireless authentication server (Windows 2003 SP2 with IAS). It is configured with a DigiCert certificate. The certificate chain looks like this:

Entrust.net Secure Server Certification Authority
 DigiCert High Assurance EV Root CA
   DigiCert High Assurance CA-3
     ourserver.ourdomain.com

When a Windows 7 client connects to the wireless for the first time, they get a warning about the certificate. It will look like this:

The server “ourserver.ourdomain.com” presented a valid certificate issued by **“Entrust.net Secure Server Certification Authority”**, but **“Entrust.net Secure Server Certification Authority”** is not configured as a valid trust anchor for this profile.

That is not a big deal, because it should be a one-time prompt. But the root certificate it complains about is inconsistent. Half the time, they get this instead:

The server “ourserver.ourdomain.com” presented a valid certificate issued by **“DigiCert High Assurance EV Root CA”**, but **“DigiCert High Assurance EV Root CA”** is not configured as a valid trust anchor for this profile.

The reason this is an issue is that it means the client is prompted a second time at some later point when they reconnect to the wireless network, where the connection seems to arbitrarily choose the “other” certificate in the chain as the missing anchor, rather than the first. The selection appears to be random.

To be clear, this has been reproduced where:

  • 2 Windows 7 laptops are in the same physical location (on same AP).
  • One, when initially configured, prompted with the Entrust root cert.
  • The other, when initially configured, prompted with the EV root cert.
  • Both were connecting to the same IAS server, which only has one certificate installed.

Any ideas as to the cause of this inconsistency, and how I can stop it?

I had exactly this problem and solved it by downloading the DigiCert SSL Certificate Checker and running it on my IAS servers. The tool stated that one of the intermediary certificates was incorrect and offered to install a new one. Looking at the certificate store, the tool installed a new DigiCert High Assurance CA-3, even though an apparently valid certificate was present. I checked the new certificate against the one it replaced; both had the same version number and expiry date, just a different serial number. Not sure what was wrong with the previous one, but it all worked with the new one.
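The chain in the question contains the “DigiCert High Assurance EV Root CA” name twice in effect: once as the self-signed root a client may already trust, and once as a certificate cross-signed by the Entrust root. When a supplicant builds the path from the server certificate upward, both routes are valid, so which one it reports as the missing anchor depends on which path it happens to build first. The following added example (not code from the original post or from DigiCert/Microsoft) models that path-building over a constructed set of certificate records, using the subject names shown in the question and made-up serial numbers, and shows how the ambiguity disappears once the cross-signed duplicate is removed from the chain the server sends.

```python
"""Model of X.509 path building to show how a cross-signed root yields two
possible trust anchors.  Certificate records are constructed for illustration:
subject names come from the question, serial numbers are placeholders."""
from dataclasses import dataclass
from collections import Counter


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str  # constructed; only used to tell same-subject certs apart

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


ENTRUST = "Entrust.net Secure Server Certification Authority"
EV_ROOT = "DigiCert High Assurance EV Root CA"
CA3 = "DigiCert High Assurance CA-3"
SERVER_NAME = "ourserver.ourdomain.com"

# Self-signed roots as a client's trust store would hold them.
ENTRUST_ROOT = Cert(ENTRUST, ENTRUST, "e1")
DIGICERT_EV_ROOT = Cert(EV_ROOT, EV_ROOT, "d1")
# Same subject as the DigiCert root, but issued (cross-signed) by Entrust.
DIGICERT_EV_CROSS = Cert(EV_ROOT, ENTRUST, "d2")
DIGICERT_CA3 = Cert(CA3, EV_ROOT, "c3")
SERVER = Cert(SERVER_NAME, CA3, "s1")


def build_paths(leaf: Cert, pool: list) -> list:
    """Return every path leaf -> ... -> self-signed certificate that can be
    assembled from `pool`.  A self-signed certificate terminates a path; the
    `cand not in path` check prevents loops through cross-signed pairs."""
    paths = []

    def walk(path):
        current = path[-1]
        if current.self_signed:
            paths.append(path)
            return
        for cand in pool:
            if cand.subject == current.issuer and cand not in path:
                walk(path + [cand])

    walk([leaf])
    return paths


def candidate_anchors(leaf: Cert, pool: list) -> list:
    """Distinct trust anchors (subject of the terminating self-signed cert)
    reachable from the leaf.  More than one means the client's choice of
    anchor is implementation-dependent, which is the symptom in the question."""
    return sorted({path[-1].subject for path in build_paths(leaf, pool)})


def duplicate_subjects(pool: list) -> list:
    """Subjects that appear on more than one certificate in the pool: the
    first thing to check when clients disagree about the trust anchor."""
    counts = Counter(cert.subject for cert in pool)
    return sorted(subject for subject, n in counts.items() if n > 1)


# The chain as shown in the question, plus the self-signed DigiCert root.
AMBIGUOUS_POOL = [SERVER, DIGICERT_CA3, DIGICERT_EV_CROSS, DIGICERT_EV_ROOT, ENTRUST_ROOT]
# The same pool with the cross-signed duplicate removed.
CLEAN_POOL = [SERVER, DIGICERT_CA3, DIGICERT_EV_ROOT, ENTRUST_ROOT]

if __name__ == "__main__":
    for label, pool in (("as sent", AMBIGUOUS_POOL), ("after removing cross cert", CLEAN_POOL)):
        print(f"{label}: duplicates={duplicate_subjects(pool)}")
        for path in build_paths(SERVER, pool):
            print("  " + " -> ".join(f"{c.subject} [{c.serial}]" for c in path))
        print(f"  anchors: {candidate_anchors(SERVER, pool)}")
```

Run against a real server the same check means exporting the chain the RADIUS server actually sends (for example by capturing an EAP exchange) and looking for two certificates with the same subject but different issuers or serial numbers; in the answer above, replacing the stale intermediate is what collapsed the chain to a single path.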

Source: https://serverfault.com/questions/251659