CX-700 certificate problem : cannot validate server certificate

Question
-
I have received my new CX-700 phones.
Here is some info:
I have set up the Software Update Server
I have an NTP in place
I have an Enterprise CA up and running
Autoenrollment is working fine.
CPE is connected in the same subnet as the servers
I have verified the certificate is available:
http://<dNSHostname>/certsrv/certnew.p7b?ReqID=CACert&Renewal=-1&Enc=b64
I boot up the phone. It then goes into a loop and finishes up with: "Cannot validate server certificate"
This is really annoying.
I have read almost every simple post.
And yes, I am trying to log in with domain\username and not username@domain
Thanks for any help...
Friday, August 15, 2008 12:04 PM
Answers
-
I know that you mentioned that you are already using domain\username. But have you tried the domain's FQDN?
I posted a blog about this when I had the same issue.
https://blogs.pointbridge.com/Blogs/mcgillen_matt/Pages/Post.aspx?_ID=34
so you would need to log in with "my.domain.com\jdoe" not just domain\jdoe.
Regards,
Matt
Tuesday, September 2, 2008 7:07 PM
All replies
-
Maybe you have outdated firmware - in that case you may be able to exit into Windows CE and import your root CA cert using a USB stick. Afterwards you could sign in and get a firmware update.
There are other possibilities. Have a look at the deployment guide:
Johann
Friday, August 15, 2008 1:31 PM -
I know that since Tanjay went RTM, WINS server is no longer required, but... you never know...
I have your setup with WINS implemented and my phone updated within the first 10 min.
Drago
Friday, August 15, 2008 4:07 PM -
I'm having the exact same problem and I know all the required infrastructure components are in place.
I'm running version 1.0.522.101 firmware and yeah, no dice.
Tuesday, August 26, 2008 11:59 PM -
LOL
It did solve the problem....
That is hilarious..
Thanks ...
Tuesday, September 2, 2008 7:09 PM -
Sweet! Yah, that "feature" drove me nuts for a couple days. Glad it's working now
Regards,
Matt
Tuesday, September 2, 2008 7:11 PM -
Yeah, I had the exact same problem; it was doing my head in.
It was only when I did a packet trace of traffic coming in and out of the Tanjay that I discovered it was trying to find the SRV records for a DC based on the domain prefix (e.g. DOMAIN\username) and failing because there was no DNS zone of just "domain".
After I changed the login username to domain.com\username, the phone found the DC, downloaded the cert chain to the trusted root and signed in successfully.
Even adding a domain suffix search list to DHCP didn't fix this up. It's a bit of an issue, I think, because most people are familiar with the NetBIOS name of the domain followed by the username, e.g. domain\username, in most scenarios when authenticating.
Wednesday, September 10, 2008 5:58 AM
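
The lookup failure described in the last reply can be checked before touching a phone. The following is an added example, not code from the thread or from the vendor: it assumes the phone queries the standard Active Directory locator name `_ldap._tcp.dc._msdcs.<domain>` (the thread only says "SRV records for a DC"), and `SAMPLE_SRV`, `check_login` and the host `dc01.my.domain.com` are constructed for illustration.

```python
# Pre-flight check: would the domain part of a sign-in name lead to a DC via DNS?
# ASSUMPTION: the device builds the standard AD locator SRV name from the text
# typed before the backslash; the thread does not give the exact record name.

# Constructed sample zone data: SRV owner name -> DC host names it points at.
SAMPLE_SRV = {
    "_ldap._tcp.dc._msdcs.my.domain.com": ["dc01.my.domain.com"],
}

def split_login(login):
    """Split 'domain\\user' into (normalized domain, user)."""
    if "\\" not in login:
        raise ValueError("expected domain\\username, got %r" % login)
    domain, user = login.split("\\", 1)
    domain = domain.strip().rstrip(".").lower()
    if not domain or not user:
        raise ValueError("empty domain or user in %r" % login)
    return domain, user

def srv_name(domain):
    """DC locator SRV owner name for a DNS domain (assumed query form)."""
    return "_ldap._tcp.dc._msdcs." + domain

def check_login(login, lookup=None):
    """Report which SRV name the login implies and whether it resolves.

    `lookup` is any callable taking an SRV name and returning a list of
    targets; it defaults to the constructed SAMPLE_SRV table so the example
    runs offline. Swap in a real resolver call for live use.
    """
    lookup = lookup or (lambda name: SAMPLE_SRV.get(name, []))
    domain, user = split_login(login)
    query = srv_name(domain)
    dcs = list(lookup(query))
    return {
        "user": user,
        "query": query,
        # A single-label (NetBIOS-style) domain has no DNS zone to answer.
        "single_label": "." not in domain,
        "dcs": dcs,
        "ok": bool(dcs),
    }

if __name__ == "__main__":
    for login in (r"DOMAIN\jdoe", r"my.domain.com\jdoe"):
        r = check_login(login)
        status = "found " + ", ".join(r["dcs"]) if r["ok"] else "no SRV answer"
        print("%-22s -> %s : %s" % (login, r["query"], status))
```

With the sample data, the NetBIOS-style name produces a single-label query with no answer, while the FQDN form finds the DC, which matches the behaviour seen in the packet trace.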