Vista and certificate

PetrB (Newbie), posted 10 Jun 2009 at 4:50am
After migrating a Vista client PC from one domain (SBS 2003) to another, we have problems with certificates on the client PC.
A new, correct (I'm really sure) certificate cannot be imported into the user's profile after profile migration (Profile Wizard 3.0). I cannot add new Trusted Root Certification Authorities from my certificate.
Even the old certificate from the previous domain cannot be removed (I can see it, but the Remove button is gray).
It looks like a problem with some credentials, registry... (?)
 
Can anybody help us?
 
THX,
Petr

Support (Moderator Group, United Kingdom), posted 10 Jun 2009 at 8:21am
Hi Petr,
 
User Profile Wizard cannot migrate certificates. Certificate information is encrypted by Windows using the user's logon credentials: when the credentials change, because the user is logging on with their new domain account, Windows cannot decrypt the certificate information. If you need to migrate certificates we recommend that you export the certificates before the migration, and import them again afterwards.
 
We know of no problems importing certificates after a machine has been migrated.
 
If your old SBS 2003 domain is still available, you could temporarily migrate the profile back to the original user account, export (and delete) the old certificate, and then re-migrate the profile.
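
Added example (editorial, not part of Support's reply and not ForensiT code): one way to do the "export before the migration" step for the user's Personal store, run as the original user while the old credentials can still decrypt the keys. The output folder `cert-backup` and the inventory file name are assumptions; certificates whose keys are marked non-exportable are reported rather than silently skipped.

```powershell
# Added example: export the current user's Personal certificates to PFX
# BEFORE the profile is migrated. $OutDir is an assumed location.
$OutDir   = Join-Path $env:USERPROFILE 'cert-backup'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$Password = Read-Host -AsSecureString 'Password to protect the PFX files'
$PfxType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx

$report = foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
    $status = 'NoPrivateKey'          # nothing credential-bound to lose
    if ($cert.HasPrivateKey) {
        try {
            # X509Certificate2.Export throws if the key is not exportable.
            $bytes = $cert.Export($PfxType, $Password)
            $file  = Join-Path $OutDir ($cert.Thumbprint + '.pfx')
            [System.IO.File]::WriteAllBytes($file, $bytes)
            $status = 'Exported'
        } catch {
            $status = 'NotExportable'  # must be re-issued in the new domain
        }
    }
    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
}

# Keep an inventory so the import after migration can be checked against it.
$report | Export-Csv (Join-Path $OutDir 'inventory.csv') -NoTypeInformation
$report | Format-Table Thumbprint, Status, NotAfter, Subject -AutoSize
```

The PFX files contain private keys, so store the folder somewhere access-controlled and delete it once the certificates have been imported under the new account.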
 
 
 
PetrB (Newbie), posted 10 Jun 2009 at 8:37am
Thank you for the prompt response.

We exported 3rd party certificates and imported them manually. It's OK.
The problem is with the "native" domain certificate created by SBS (self-signed) - certificates from the new domain.

The old one cannot be deleted (no problem in the end), but the new certificate cannot be given to migrated clients. And this causes problems with newly configured services in the new domain (RPC mail...).
Normally this certificate is distributed by domain policy or you can import it manually. Both methods fail on migrated clients (on newly installed clients it's OK). We cannot manage Trusted Root Certificate Servers even from the local MMC certificate console. This feature looks to be "crippled" now.
 
THX for response,
Petr
 
 
Support (Moderator Group, United Kingdom), posted 10 Jun 2009 at 9:57am
Petr,
 
We'll do some testing and get back to you, but we've not seen this before.
 
Is it possible to reverse the migration and remove the old certificate? Does this make a difference when the machine is then joined to the new domain?
 
Thanks.

PetrB (Newbie), posted 11 Jun 2009 at 2:24am
Unfortunately not.
But I checked Vista and XP clients. The migration process was the same; on XP all works fine, on Vista there is the problem described earlier.
 
Petr

Support (Moderator Group, United Kingdom), posted 12 Jun 2009 at 9:17am

Hi Petr,

We've been looking at this, but so far we have been unable to reproduce the problem. Here's an update on what we've done so far...

Migrate a user's profile from DomainA to DomainB and join the workstation to the DomainB domain. Login with the new DomainB account - the user is now using the original profile. The user is not an Administrator.

1. Run the "Certificates" MMC snapin. A Certificate for DomainB is already listed under "Trusted Root Certification Authorities".
2. Request a new "Personal" certificate for the user. This installs with no problems.
3. Import a certificate directly from a .pfx file. Again no problems.

The workstation was running Vista SP1. DomainB is on Windows 2008 Server Standard SP1 and has Active Directory Certificate Services installed. We have not tried SBS yet.


PetrB (Newbie), posted 13 Jun 2009 at 8:17am

The problem was probably not from using Profile Wizard.

There was a problem with rights on a registry folder:
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
 
Thank you for help,
Petr
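
Added example (editorial, not part of the thread and not ForensiT code): a read-only check of the permissions on the key Petr names, run as the affected user. It lists every access rule by SID and flags SIDs that no longer resolve to an account. The thread does not say what the correct permissions are, so the script reports and leaves the comparison to you; the `<unresolved>` marker is this example's own convention.

```powershell
# Added diagnostic example: read-only, changes nothing on the machine.
$KeyPath = 'HKCU:\Software\Microsoft\SystemCertificates\Root\ProtectedRoots'
$SidType = [System.Security.Principal.SecurityIdentifier]
$NtType  = [System.Security.Principal.NTAccount]

function Resolve-Sid($sid) {
    # A SID with no matching account throws IdentityNotMappedException.
    try { $sid.Translate($NtType).Value } catch { '<unresolved>' }
}

try {
    $acl = Get-Acl -Path $KeyPath -ErrorAction Stop
} catch {
    # Not being able to read the ACL at all is itself a finding.
    Write-Warning "Cannot read the ACL of ${KeyPath}: $($_.Exception.Message)"
    return
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
"Current user SID : $($me.Value)"
"Key owner        : $($acl.Owner)"

# Ask for rules keyed by SID so stale identities are shown, not hidden.
$rules = foreach ($r in $acl.GetAccessRules($true, $true, $SidType)) {
    New-Object PSObject -Property @{
        Sid       = $r.IdentityReference.Value
        Account   = Resolve-Sid $r.IdentityReference
        Type      = $r.AccessControlType
        Rights    = $r.RegistryRights
        Inherited = $r.IsInherited
    }
}
$rules | Format-Table Account, Sid, Type, Rights, Inherited -AutoSize

$orphans = @($rules | Where-Object { $_.Account -eq '<unresolved>' })
if ($orphans.Count -gt 0) {
    Write-Warning "$($orphans.Count) rule(s) reference a SID that does not resolve to an account."
}
```

Run the same script on a freshly installed client in the new domain, which the thread reports as working, and compare the two outputs before changing any permissions.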
 