Vista and certificate

Printed From: ForensiT
Category: ForensiT Support
Forum Name: Desktop Management
Forum Description: User Profile Manager questions, suggestions, comments and bug reports
URL: http://forum.ForensiT.com/forum_posts.asp?TID=187
Printed Date: 13 Aug 2020 at 6:24am


Topic: Vista and certificate
Posted By: PetrB
Subject: Vista and certificate
Date Posted: 10 Jun 2009 at 4:50am
After migrating a Vista client PC from one domain (SBS 2003) to another, we have problems with certificates on the client PC.
A new, correct (I'm really sure) certificate cannot be imported into the user's profile after profile migration (Profile Wizard 3.0). I cannot add new Trusted Root Certification Authorities from my certificate.
Even the old certificate from the previous domain cannot be removed (I can see it, but the Remove button is gray).
It looks like a problem with some credentials, registry... (?)
 
Can anybody help us?
 
THX,
Petr



Replies:
Posted By: Support
Date Posted: 10 Jun 2009 at 8:21am
Hi Petr,
 
User Profile Wizard cannot migrate certificates. Certificate information is encrypted by Windows using the user's logon credentials: when the credentials change, because the user is logging on with their new domain account, Windows cannot decrypt the certificate information. If you need to migrate certificates we recommend that you export the certificates before the migration, and import them again afterwards.
 
We know of no problems importing certificates after a machine has been migrated.
 
If your old SBS 2003 domain is still available, you could temporarily migrate the profile back to the original user account, export (and delete) the old certificate, and then re-migrate the profile.
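
The export-before, import-after procedure Support recommends above, sketched in PowerShell as an added example that is not part of the original post or ForensiT's own tooling; the `-Mode` switch and the `$BackupDir` path are assumptions made here. It covers the user's Personal store only and reports certificates whose private keys are not marked exportable, which cannot be carried over this way.

```powershell
# Added example. -Mode and $BackupDir are assumptions, not names from the thread.
param(
    [string]$Mode = 'Export',                              # 'Export' or 'Import'
    [string]$BackupDir = "$env:USERPROFILE\cert-backup"    # hypothetical location
)

$pfxType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx
$flags    = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'UserKeySet, PersistKeySet, Exportable'
$password = Read-Host -AsSecureString 'PFX password'

if ($Mode -eq 'Export') {
    # Run as the ORIGINAL account, before migration, while Windows can
    # still decrypt the private keys with that account's credentials.
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($cert in Get-ChildItem Cert:\CurrentUser\My) {
        if (-not $cert.HasPrivateKey) { continue }
        try {
            $bytes = $cert.Export($pfxType, $password)
            $path  = Join-Path $BackupDir "$($cert.Thumbprint).pfx"
            [System.IO.File]::WriteAllBytes($path, $bytes)
            "exported  $($cert.Subject)"
        } catch {
            # Keys not marked exportable cannot be written to a PFX;
            # these certificates have to be reissued in the new domain.
            "SKIPPED   $($cert.Subject): $($_.Exception.Message)"
        }
    }
} else {
    # Run as the NEW domain account, after migration.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
    $store.Open('ReadWrite')
    try {
        foreach ($file in Get-ChildItem -Path $BackupDir -Filter *.pfx) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
                $file.FullName, $password, $flags)
            $store.Add($cert)
            "imported  $($cert.Subject)"
        }
    } finally {
        $store.Close()
    }
}
# The .pfx files contain private keys: delete $BackupDir once the import is verified.
```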
 
 
 


Posted By: PetrB
Date Posted: 10 Jun 2009 at 8:37am
Thank you for the prompt response.
 
We exported 3rd party certificates and imported them manually. It's OK.
The problem is with the "native" domain certificate created by SBS (self-signed) - certificates from the new domain.
 
The old one cannot be deleted (no problem in the end), but the new certificate cannot be given to migrated clients. And this causes problems with newly configured services in the new domain (RPC mail...).
Normally this certificate is distributed by domain policy or you can import it manually. Both methods fail on migrated clients (on newly installed clients it's OK). We cannot manage Trusted Root Certificate Servers even from the local mmc certificate console. This feature looks to be "crippled" now.
 
THX for response,
Petr
 
 


Posted By: Support
Date Posted: 10 Jun 2009 at 9:57am
Petr,
 
We'll do some testing and get back to you, but we've not seen this before.
 
Is it possible to reverse the migration and remove the old certificate? Does this make a difference when the machine is then joined to the new domain?
 
Thanks.


Posted By: PetrB
Date Posted: 11 Jun 2009 at 2:24am
Unfortunately not.
But I checked Vista and XP clients. The migration process was the same; on XP all works fine, on Vista there is the problem described earlier.
 
Petr


Posted By: Support
Date Posted: 12 Jun 2009 at 9:17am

Hi Petr,

We've been looking at this, but so far we have been unable to reproduce the problem. Here's an update on what we've done so far...

Migrate a user's profile from DomainA to DomainB and join the workstation to the DomainB domain. Login with the new DomainB account - the user is now using the original profile. The user is not an Administrator.

1. Run the "Certificates" MMC snap-in. A Certificate for DomainB is already listed under "Trusted Root Certification Authorities".
2. Request a new "Personal" certificate for the user. This installs with no problems.
3. Import a certificate directly from a .pfx file. Again no problems.

The workstation was running Vista SP1. DomainB is on Windows 2008 Server Standard SP1 and has Active Directory Certificate Services installed. We have not tried SBS yet.



Posted By: PetrB
Date Posted: 13 Jun 2009 at 8:17am

The problem was probably not from using Profile Wizard.

There was a problem with rights on some registry folder.
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
I found the solution here: http://support.microsoft.com/default.aspx/kb/932156
 
Thank you for help,
Petr
 


