Windows Server 2003 will not validate the certificate used to communicate with the ESM

Created On 09/25/18 18:19 PM - Last Modified 12/16/19 21:27 PM


Symptom
A Traps agent installed on a Windows Server 2003 endpoint is unable to communicate with the ESM over SSL, but other agents on other operating systems can connect. 

The service logs on the affected endpoint show an SSL error when trying to reach the ESM: “The remote certificate is invalid according to the validation procedure.”

2015-12-30 11:29:01.6332 ERROR CyveraService(13) IServerStatus (Safe Proxy) Error calling server! System.ServiceModel.Security.SecurityNegotiationException: Could not establish trust relationship for the SSL/TLS secure channel with authority 'esmserver:2125'. ---> System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

When the certificate details are viewed from a browser on the affected endpoint, the following error is displayed: “This certificate has an invalid digital signature.”

The Certutil tool can be used to check whether a certificate will pass validation on the server. On a correctly working endpoint, the -verify command returns a success message. More information on Certutil can be found at https://technet.microsoft.com/en-us/library/cc732443.aspx



Environment
Affected versions: 3.1.x, 3.2.x

Cause
Windows Server 2003 does not support certain implementations of SHA2 and RC4 encryption; Microsoft addresses these in updates.

Resolution
Install the following hotfixes on the Windows Server 2003 machine:

https://support.microsoft.com/en-us/kb/938397

https://support.microsoft.com/en-us/kb/948963

https://support.microsoft.com/en-us/kb/968730
