Vista and Win7 use an automatic root-certificate update mechanism (http://support.microsoft.com/kb/931125). If the user's browsing hasn't cached the root we use for webauth, they will get a cert warning -- even if the webauth cert is valid and signed by a trusted root cert. Since roots are now downloaded -- as they are needed -- from Windows Update (see http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx), and Windows Update uses Akamai, allowing this new auto root update mechanism via an ACL pinhole appears to be impossible. Our environment is BYOD. Any ideas for solving this?