We have encountered an issue with R2 Edge and the Windows Server 2008 feature called “Update Root Certificates feature” which is enabled by default (and apparently not used by R2). Below is a detailed description of the problem provided by my colleague Lars Sørensen from Inceptio A/S.
First a little update on on the “Update Root Certificates feature” in Windows Server 2008
The feature is designed to automatically check the list of trusted authorities on the Windows Update Web site when this check is needed by an application on the server. Specifically, if the application is presented with a certificate issued by a certification authority in a PKI that is not directly trusted, the Update Root Certificates feature will contact the Windows Update Web site to see if Microsoft has added the certificate of the root CA to its list of trusted root certificates. If the CA has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the set of trusted root certificates on the server.
Why am I telling you this, well recently I did an Office Communications Server 2007 R2 implementation with the Edge role. The certificates on the external interfaces on the Edge server is from Digicert, which are member of the Microsoft root certificate program KB931125.
Everything is working fine, except for federation. So I did a little troubleshooting and found out that the reason for the federation not working was a certificate issue, not on the customer installation, but on the federated partners Edge server. In this case our own Edge server. In the Event Log I found the following errors :
So I checked the Certificate Store on our Edge server and could conclude that the root certificate for Digicert wasn’t there. I downloaded and installed the root certificate from http://www.digicert.com/digicert-root-certificates.htm and tested the federation again, and the federation between the customer Edge server and our Edge server was now working as expected.
So why wasn’t the root certificate for Digicert downloaded by the “Update Root Certificates feature”. So I deleted the root certificate from Digicert from our Edge server and did a test from http://www.digicert.com/digicert-root-certificates.htm. This is a link where you can test the browser for the root certificate.
When doing this test the following appears in the Event Log as expected.
This confirms that the Update Root Certificates feature has downloaded and installed the Digicert root certificate from Windows Update. To make sure that the Digicert certificate I used on the customers edge server, was working correctly, I created a web site and assigned the Digicert certificate to that web site. Created a host entry on our own Edge server, that pointed to that website, and then tried to access this web site to see if the root certificate for Digicert was downloaded, and it was.
So far my conclusion is, it seems that the Office Communications Server 2007 R2 Edge role doesn’t trigger the Update Root Certificates feature to download the root certificate.
All testing has been done on Windows Server 2008 SP2 and fully updated from Windows Update, and OCS 2007 R2 also fully updated from Windows Update. I don’t know if the problem also occur on Windows Server 2003.
If anyone has seen similar issues please leave your comments here.
No comments:
Post a Comment