IIS 7 and Above
Can't connect to website - Can't connect securely to this page
Last post Oct 15, 2020 08:45 AM by Brucz
Oct 12, 2020 10:06 PM|Geezer32
We have a new website running on a 2012 R2 server; the site is configured with SSL with a cert published from our internal CA. The server is for internal use only; it is not exposed to the public.
The issue I am having is that many users are getting the message in Edge "Can't connect securely to this page, might be because of unsafe TLS settings".
The server supports TLS 1.2, as do the clients. I have run a Qualys test on one of the affected clients and it says "good protocol support".
Most of the users are connecting to the core network over a VPN, but I have multiple users using the same VPN, and some have this issue and others don't.
All clients are Windows 10; they have the root CA certificate installed. Network port 443 to the server is open from the clients.
Chrome also exhibits a similar error message.
I've tried disabling the local AV (Symantec); it made no difference.
What else can I do so these clients can connect to the web page?
Oct 13, 2020 02:37 AM|Brucz
The issue may be caused by multiple trusted certification paths on the web server. For example, the certificate has two paths to the trusted root CAs on the web server.
When Certification path 1 and Certification path 2 have the same quality score, CryptoAPI selects the shorter path (Certification path 1) and sends that path to the client. However, the client computer can verify the certificate only by using the longer certification path that links to Root CA certificate (2). Therefore, the certificate validation fails.
The solution is to delete or disable the certificate from the certification path that you do not want to use.
Log on to the web server as a system administrator.
Add the Certificate snap-in to Microsoft Management Console. To do this, follow these steps:
Expand Certificates (Local Computer) in the management console, and then locate the certificate on the certificate path that you do not want to use.
Delete or disable the certificate by using one of the following methods:
Restart the server if the issue is still occurring.
For more detail, refer to this document.
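As an added example (not from the original thread), the following PowerShell script does on the IIS server what the steps above describe by hand: it builds the certification path CryptoAPI selects for the site certificate, prints each element with its status, and then lists every issuer certificate in the machine stores that could supply an alternate path, so you can see which one to delete or disable. The thumbprint parameter and the store locations (LocalMachine\My, \Root, \CA) are assumptions; the thumbprint to pass is the one of the certificate bound to the site in IIS.

```powershell
# Added example, not from the original thread. Run on the IIS server in an
# elevated PowerShell. Shows the certification path CryptoAPI builds for the
# site certificate and any issuer certificates that give it a second path.
param(
    # Assumed: the SHA-1 thumbprint of the certificate bound to the site in IIS.
    [Parameter(Mandatory)] [string] $SiteCertThumbprint
)

$siteCert = Get-Item -Path "Cert:\LocalMachine\My\$SiteCertThumbprint"

# Build the chain with the machine's own chain engine, which is what Schannel
# consults when it picks the path to send to clients.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($siteCert)

"Chain built: $built  (elements: $($chain.ChainElements.Count))"
foreach ($element in $chain.ChainElements) {
    $cert   = $element.Certificate
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'OK' }
    "  {0}" -f $cert.Subject
    "    thumbprint={0} status={1}" -f $cert.Thumbprint, $status
}

# Alternate paths come from additional certificates whose Subject matches an
# Issuer in the chain (for example a renewed or cross-signed CA certificate, or
# a copy of the root that also sits in the Intermediate store). List every
# candidate with its store and validity so the unwanted one can be identified.
$issuerNames = $chain.ChainElements | ForEach-Object { $_.Certificate.Issuer } | Sort-Object -Unique
$candidates  = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
               Where-Object { $issuerNames -contains $_.Subject }

$candidates | Group-Object -Property Subject | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    "Issuer '$($_.Name)' has $($_.Count) certificates in the machine stores (alternate paths):"
    foreach ($c in $_.Group) {
        $store      = ($c.PSParentPath -split '\\')[-1]
        $selfSigned = ($c.Subject -eq $c.Issuer)
        "  thumbprint={0} store={1} validFrom={2:d} validTo={3:d} selfSigned={4}" -f `
            $c.Thumbprint, $store, $c.NotBefore, $c.NotAfter, $selfSigned
    }
}

# Once the unwanted certificate is identified, the "delete" step from the
# post is, for a certificate in the Intermediate store:
#   Remove-Item -Path "Cert:\LocalMachine\CA\<thumbprint>"
# Re-run this script afterwards: the chain printed at the top should now be
# the path the clients are able to validate.
```

The script only reads the stores; the `Remove-Item` line is left as a comment so the deletion is a deliberate second step after the output has been reviewed. Export the certificate (`Export-Certificate`) before removing it so it can be re-imported if the wrong one was chosen.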
Oct 13, 2020 03:47 AM|Geezer32
I had a look at this; there is only one certificate on the web server, which is its own cert published by the root CA.
Its path looks normal: Host -> IssuingCA -> RootCA.
On a client it looks the same, and all the certs seem valid, with no missing or unknown parts to the chain.
I see that the Root CA cert appears on the client device both under 'Intermediate Trusted Authorities' and under 'Trusted Root Authorities' - is this normal? (It is my laptop I am looking at, and the site works with no problem for me.)
I tend to think that this issue is VPN related, as I have seen no instance of local devices on the LAN having any issue, or anyone from the local AU region having any problems; it seems that clients connecting from overseas (US mainly) over a VPN are having problems, but it is not all of them: some work, some don't.
Oct 14, 2020 01:29 AM|Brucz
If it is your VPN problem, I suggest you contact the VPN supplier or a network engineer. What I can do is troubleshoot the IIS side for you.
Oct 15, 2020 02:19 AM|Geezer32
Well, I don't know if it is a VPN issue or not; the network guys say it isn't. All I know for sure is that half the users of this system are getting a TLS error connecting to the site.
Oct 15, 2020 08:45 AM|Brucz
According to your description, I think this is a network problem, because the local devices on the LAN are fine, whereas those who use the VPN, and the clients from overseas, have problems. The network conditions of the two are different.
I suggest you use some tools to capture a network trace, then analyze the handshake of the network request and compare the difference between local and VPN.