Thanks, Ken.  I have attempted to do so (verify chain back to root), but
this is not really something I have any experience with (so I might not
be correctly interpreting what I am seeing).  As I mentioned in my last
message, I am attempting to re-import again.  I am still struggling to
understand why it would work for one user on a machine, but not another,
though.  Is there any permission/privilege in XP that would auto-accept
vs. auto-decline a certificate?

-----Original Message-----
From: Ken Schaefer <[EMAIL PROTECTED]>
Date: Thu, 3 Jan 2008 10:15:20 +1100
X-Message-Number: 137

Have you verified the certificate chain back to the root certificate?

As for why some users see this on some machines, and not others: this is
because certificates can be stored in multiple different stores. Each
user has a certificate store, as does the machine itself. If a valid
root certificate is only installed in the machine store on some
machines, but not others, then you'll have problems on those latter
machines, and not the former, regardless of the user account.

You should also check the intermediate certificates in the chain - it
may be that the vendor's site is not providing the entire intermediate
certificate chain, and you do not have the requisite intermediate CA
certificates installed on some machines. That would also cause the
problem.

Look at the expiry issue that someone else mentioned as well.

Basically you are verifying all the basic facets of all the certificates
in the chain (is the certificate that signed this cert trusted? Has it
expired? Does the DNS name match the CN or SAN fields, etc.?)

Cheers
Ken
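
The checks described in the message above, as an added example that is not part of the original thread: a PowerShell script that builds the chain for the vendor's certificate under the logged-on account and reports which certificate store holds each chain member. The file path is a placeholder; it assumes the site's certificate has been exported to a .cer file and that PowerShell is installed on the affected machine.

```powershell
# Added example: run once as a working user and once as a failing user,
# then compare the output. $CertPath is a hypothetical placeholder path.
param(
    [string]$CertPath = 'C:\temp\vendor-site.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# 1. Build the chain as the current user sees it.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip revocation lookups so the result reflects trust and validity dates only.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($cert)
"Chain builds for $env:USERNAME on $env:COMPUTERNAME : $ok"

# 2. Per-certificate details: issuer, validity window, and any chain errors
#    (for example UntrustedRoot, PartialChain or NotTimeValid).
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    "{0}`n  issuer : {1}`n  valid  : {2:u} .. {3:u}" -f `
        $c.Subject, $c.Issuer, $c.NotBefore, $c.NotAfter
    foreach ($s in $el.ChainElementStatus) {
        "  status : {0} - {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}

# 3. Which store holds each chain member? A certificate listed only under
#    CurrentUser was installed per user, so other accounts on the same
#    machine will not have it.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\CurrentUser\CA',
          'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'
foreach ($el in $chain.ChainElements) {
    $tp = $el.Certificate.Thumbprint
    $found = @($stores | Where-Object { Test-Path "$_\$tp" })
    if ($found.Count -eq 0) { $found = @('(not in any Root/CA store)') }
    "{0}`n  stores : {1}" -f $el.Certificate.Subject, ($found -join ', ')
}
```

A PartialChain status means an intermediate or root certificate could not be located at all, which matches the missing-intermediate case; UntrustedRoot means the chain was built but its root is not in a trusted root store for that account.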

-----Original Message-----
From: Mayo, Bill [mailto:[EMAIL PROTECTED]
Sent: Thursday, 3 January 2008 8:55 AM
To: NT System Admin Issues
Subject: Certificate Problem with IE

We have a vendor that changed their certificate over the weekend and now
we have mixed issues with our staff accessing the site.  Connecting to the
site with a Windows 2000 machine or a browser other than IE (in XP or
other) will cause a message to come up asking if you want to trust the
certificate.  On XP, there is no such prompting, but it works for some
people and not for others.  It looks like the certificate is
automatically being trusted or declined for XP staff, but we can't
figure out why it works for some, but not others.  From what we can see,
it is user-specific--it works for one user on a computer, but not
another.  The local permissions don't seem to be an issue (we made one
of the users an administrator temporarily with no joy).

If you connect to the site in Firefox, it explicitly states that it is
unable to verify the certificate.  I have attempted exporting the
certificate from a working connection and importing it as a trusted site
for a non-working user with no success (I will admit that I just barely
know what I am doing in that regard).

Googling hasn't turned up anything to this point that was helpful.  Does
anyone have any idea what might cause that behavior and what might be
done to correct it?

Bill Mayo
Pitt County MIS
