problem with oc 2007 connecting to the ocs 2007 for pcs that are not members of the domain.

  • Question

  • I am having a problem with OC 2007 connecting to the OCS 2007 for PCs that are not members of the domain.

    Everything works fine for clients on the domain, but for clients that are not members of the domain I get the following error: "There was a problem verifying the certificate from the server. Please contact your system administrator."

    I also tried the :/certsrv web site on the certificate server and clicked "Download a CA certificate, certificate chain, or CRL" and then "Install this CA certificate chain". But I still get the error message.

    Any suggestions?

    Thanks

    Thursday, June 19, 2008 8:00 PM

Answers

  • This should be a root CA issue. Typically, when you install the root CA from the server, it puts it in the local user's personal root store rather than the local computer's.

    Open an MMC snap-in on both the server and the non-domain workstations.

    Add:

    Certificates - Current User

    Certificates - Local Computer account

    Open the local computer --> Personal --> Certificates on the server.

    Double-click the certificate and click on the last tab. This will show who issued the cert. If there is more than one certificate authority above it, you will need all of them.

    NOTE: Only the top one goes in the Trusted Root store; all others go in the Intermediate store. You will need this later.

    Now on the workstation, open the local computer's Trusted Root store. Search for the top-level root CA (the topmost one on the last tab of the cert you opened earlier). It should be in there. If it isn't, check the currently logged-on user. If it is in there, export it to a .cer file on your desktop and delete it. Import it into the local computer's Trusted Root store. Do the same for any intermediates, but use the Intermediate certificate store instead of the Trusted Root store.

    A SIDE NOTE: There really shouldn't be any in the currently logged-on user's trusted and intermediate stores. However, it is difficult to tell if one is in there or not, as the currently logged-on user shares the local computer's trusted/intermediate store (did you get that?). So this is what I like to do. I like to delete all instances of the root CA and any intermediate CAs from both the currently logged-on user's and the local computer's cert stores. Then I import the root CA into the local computer's root store and any intermediates into the local computer's intermediate store. If you really want to know which certificate is in what store, right-click on the current logged-on user's "Certificates - Current User" and select View --> Options. Check "Show physical stores". When you do that, it will separate out the currently logged-on user's store (Registry) from the local computer's (Local Computer). Make sure they exist in the local computer and not the registry.

    The only other issue this could be is a DNS issue. However, if they are all using the same DNS server, this shouldn't be a problem.

    Thursday, June 19, 2008 9:09 PM
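The same audit and fix as the MMC walkthrough above, scripted in PowerShell so it can be repeated on every non-domain workstation. This is an added example, not part of the thread or of OCS; the CA name, the C:\certs file paths and the function name Import-MachineCert are placeholders I assume for illustration.

```powershell
# Added example (not from the original thread). Audit where a CA certificate
# lives on a non-domain workstation, place it in the local computer stores,
# and confirm the OCS server certificate chains in the machine context.
# Assumptions: the root CA subject contains 'Contoso Root CA' (placeholder),
# exported .cer files are in C:\certs (placeholder). Run from an elevated shell.

$RootName = 'Contoso Root CA'   # placeholder: substitute your root CA's subject

# 1. List every copy of the CA chain in user vs. computer stores.
#    'Root' is the Trusted Root store and 'CA' is the Intermediate store.
#    Copies under CurrentUser are the ones the answer says to remove.
foreach ($scope in 'CurrentUser', 'LocalMachine') {
    foreach ($store in 'Root', 'CA') {
        Get-ChildItem "Cert:\$scope\$store" |
            Where-Object { $_.Subject -like "*$RootName*" -or $_.Issuer -like "*$RootName*" } |
            ForEach-Object { '{0}\{1}: {2} ({3})' -f $scope, $store, $_.Subject, $_.Thumbprint }
    }
}

# 2. Import a .cer into a LocalMachine store via .NET X509Store, which also
#    works on older PowerShell versions that have no Import-Certificate cmdlet.
function Import-MachineCert {
    param(
        [Parameter(Mandatory = $true)][string] $Path,
        [ValidateSet('Root', 'CA')][string] $StoreName = 'Root'
    )
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store $StoreName, 'LocalMachine'
    $store.Open('ReadWrite')
    $store.Add($cert)          # Add is idempotent for an identical certificate
    $store.Close()
    return $cert.Thumbprint
}

# Top of the chain goes to Root; everything below it goes to CA (Intermediate).
Import-MachineCert -Path 'C:\certs\root.cer'         -StoreName Root
Import-MachineCert -Path 'C:\certs\intermediate.cer' -StoreName CA

# 3. Build the server certificate's chain in the machine context ($true),
#    i.e. the stores the client is expected to consult, before retesting OC.
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\ocs-server.cer'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate check
if ($chain.Build($serverCert)) {
    'Chain builds: ' + (($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- ')
} else {
    $chain.ChainStatus | ForEach-Object { 'Chain error: ' + $_.StatusInformation.Trim() }
}
```

If step 3 reports an untrusted root even after the import, the copy in CurrentUser\Root is usually the one being found; remove it and rerun step 1 to confirm only LocalMachine copies remain.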