User can't use certificate installed by another user in the Local Computer Certificate Store

mkozak
Level 1

So my situation is this: User A installs the user certificate in the Local Computer Personal certificate store. User A can connect without any problems. User B logs in to the same computer and tries to connect and gets "Certificate Validation Failure". Both users are admins locally and on the domain. Essentially it seems to break down to this: if User A installs the user certificate, only User A can use it to authenticate. I've also tried User A and User B as local users on the domain PC, same result.

I've since tested this on a non-domain-connected PC and User B was able to connect using the certificate that User A installed. So I feel this has something to do with domain users' access to the local computer certificate store.

I've set "Certificate Store Override" in the client profile; it did not solve anything. I've tried setting this up both with the ASA as the CA and with a separate Microsoft CA, same result with both setups.

Please help: how can I give User B access to the certificate that User A installed?

2 Replies

mkozak
Level 1

Narrowed this problem down a bit more: this issue seems to only be with Windows 7 x64. On x86, domain users are able to access the certificate as long as they have local admin rights. I need to look into this more as we don't want our users having local admin rights, but at least it shows that a user can access a cert installed by another user.

With Windows 7 x64, which we will need to work, if the PC is not domain-connected, local admin users work fine. Once joined to the domain, even local admins can't use the cert installed by another user.

mkozak
Level 1

I was able to use the x509 Certificate Tool to give all domain users access to the private key file for the user cert. This solved the local admin issue I had with x86. I talked to a friend who is using a similar setup and they didn't have to modify the private key permissions at all, which I found weird, but it works.

Now back to the x64 clients.
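The private-key ACL change the last reply makes with the x509 Certificate Tool can be done (and inspected first) from PowerShell. The script below is an added example and is not part of the original thread or of any Cisco tooling; it assumes PowerShell 5 / .NET 4.6 or later, an elevated session on the client, and that the thumbprint and the `CONTOSO\Domain Users` group name are placeholders you replace with your own. It locates the key file behind a machine-store certificate (legacy CAPI keys live under `Crypto\RSA\MachineKeys`, CNG keys under `Crypto\Keys`), prints the current ACL, and then grants Read only, which is all the client needs to sign with the key.

```powershell
# Added example (not from the original thread): grant a domain group Read
# access to the private key behind a certificate in the Local Computer
# Personal store. Assumptions: PowerShell 5 / .NET 4.6+, run elevated on
# the client PC; $Thumbprint and $Principal are placeholders.
param(
    [Parameter(Mandatory = $true)] [string] $Thumbprint,   # placeholder; see Get-ChildItem Cert:\LocalMachine\My
    [string] $Principal = 'CONTOSO\Domain Users'            # assumed group name
)
$ErrorActionPreference = 'Stop'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key in the machine store"
}

# Resolve the on-disk key file. GetRSAPrivateKey returns an
# RSACryptoServiceProvider for legacy CAPI keys (stored under
# %ProgramData%\Microsoft\Crypto\RSA\MachineKeys) and an RSACng for CNG/KSP
# keys (stored under %ProgramData%\Microsoft\Crypto\Keys). Which one you get
# depends on how the certificate was enrolled.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $name    = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$name"
} elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $name    = $rsa.Key.UniqueName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$name"
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
if (-not (Test-Path -LiteralPath $keyFile)) {
    # TPM- or smart-card-backed keys have no file to ACL; this script does not cover them.
    throw "Key file not found at $keyFile"
}

# Before: show who can currently read the key. A user whose group is absent
# here can see the certificate in the store but cannot use its key, which is
# the symptom the thread describes for the second user.
Write-Host "Private key file: $keyFile"
(Get-Acl -LiteralPath $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# Grant Read only. Read is enough for the client to sign with the key;
# FullControl would also let the user replace or delete it.
$acl  = Get-Acl -LiteralPath $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Principal, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl
Write-Host "Granted Read on the private key to $Principal"
```

Saved as, say, `Grant-KeyRead.ps1` (the file name is an assumption), run it as `.\Grant-KeyRead.ps1 -Thumbprint <thumbprint> -Principal 'CONTOSO\Domain Users'`. This edits the same ACL that certlm.msc shows under All Tasks, Manage Private Keys, so the result can be checked there. It addresses the key-permission symptom only; the thread does not say whether the x64 behaviour has the same cause.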