Summary
The Security aspect reports on the status of the Application Virtualization Server's
certificate and secure communication.
Verifier
Before an Application Virtualization Server can be configured to accept secure connections,
it must first be provisioned with an X.509v3 certificate. The certificate
must have the proper attributes for the Application Virtualization Server
to find and use it during the installation process.
The following certificate attributes are required:
- Server receiving the certificate MUST trust the Root CA which issued the certificate
- Certificate must be valid
- Certificate must contain the correct Enhanced Key Usage (EKU) -
Server Authentication (OID 1.3.6.1.5.5.7.3.1)
- Certificate FQDN must match the server on which it's installed.
- Client needs to trust the same Root CA
To verify the security certificate for the Application Virtualization Server:
- Launch the Microsoft Management Console (mmc.exe). Click File->Add/Remove Snap-in.
- Choose Certificates in the available Snap-ins. Click Add.
- Choose Computer account on the dialog and click Next.
- Choose Local Computer and click Finish. Click OK in the Add/Remove Snap-ins dialog.
- Click the Certificates\Trusted Root Certification Authorities\Certificates node.
- Double-click the certificate to check its validity.
- If the certificate is invalid/corrupt, you need to import a new certificate.
You can import a new certificate using the Action->All Tasks->Import file
menu.
- If you import a new certificate, you need to restart the Application Virtualization
Server service for the import to take effect.
To verify the secure protocol and port configuration for the Application Virtualization
Server:
- Open the Application Virtualization Management Console. (Click Start, click Settings,
click Control Panel, double-click Administrative Tools, and then double-click Application
Virtualization).
- Connect to the Application Virtualization Management Web Service.
- On the left tree in the console, expand the Server Groups node and
click the server group name that contains the Application Virtualization Server
of interest.
- On the middle pane, right-click the server and click Properties.
- In the Properties dialog box, click the Ports tab.
- Verify that only RTSPS and/or HTTPS are listed in the Protocols group box.
- Verify that the intended secure port is selected.
- Verify the information in the Security Certificate Settings group box.
Diagnoser
Check the Validity of the Security Certificate
- Run Microsoft Management Console on the Application Virtualization Server computer
(Click Start, click Run, type in mmc, then click OK)
- Open the Add/Remove Snap-in dialog box to add the Certificates snap-in
(Click File then click Add/Remove Snap-in)
- Add the Certificates snap-in (Click Add, select Certificates,
click Add, select Computer account, click Next, click Finish,
and then click Close)
- Click OK to close the Add/Remove Snap-in dialog box.
- On the left pane, expand the Certificates node and select the Personal node.
- On the right pane, locate the security certificate of interest and double-click
it. The Certificate dialog box opens.
- In the General tab, verify that the certificate is still valid and not expired
or revoked.
- In the Certification Path tab, verify that the Certification status
field says "This certificate is OK."
Check the Security Certificate Settings
The following certificate attributes are required:
- Server receiving the certificate MUST trust the Root CA which issued the certificate
- Certificate must be valid
- Certificate must contain the correct Enhanced Key Usage (EKU) -
Server Authentication (OID 1.3.6.1.5.5.7.3.1)
- Certificate FQDN must match the server on which it's installed.
The clients need to trust the Root CA that issues the certificate for the
Application Virtualization Server.
An error can occur if the server certificate is corrupted, is not present, or
has become invalid. To fix the issue, import a new certificate from the certificate
store.
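The attribute checks listed above can also be scripted. The following PowerShell is an added example, not part of the original article or the product; it assumes PowerShell 3.0 or later, that the server certificate is in the local computer's Personal store, and that clients connect using the machine's own FQDN. `Test-ServerCertificate` and `$ExpectedFqdn` are names chosen for this example.

```powershell
# Added example: report the required attributes for each certificate in the
# local computer's Personal store. Function and variable names are illustrative.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                          # Server Authentication EKU
$ExpectedFqdn  = [System.Net.Dns]::GetHostEntry('').HostName  # assumption: clients use this name

function Test-ServerCertificate {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory = $true)]
        [string] $Fqdn
    )

    # "Certificate must be valid": current time falls inside the validity period.
    $now    = Get-Date
    $inDate = ($now -ge $Certificate.NotBefore) -and ($now -le $Certificate.NotAfter)

    # "Correct EKU": the Enhanced Key Usage extension lists Server Authentication.
    $ekuOids = @($Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })
    $hasServerAuth = $ekuOids -contains $ServerAuthOid

    # "FQDN must match": GetNameInfo returns one DNS name (from the SAN, else the
    # subject CN); wildcard or additional SAN entries still need a manual look.
    $dnsName   = $Certificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameMatch = $dnsName -ieq $Fqdn

    # "Trust the Root CA": build the chain using the machine context, with
    # online revocation checking.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($Certificate)

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        Thumbprint    = $Certificate.Thumbprint
        InValidPeriod = $inDate
        HasServerAuth = $hasServerAuth
        NameMatches   = $nameMatch
        ChainOk       = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ServerCertificate -Certificate $_ -Fqdn $ExpectedFqdn } |
    Format-List
```

A `False` in any column, or a non-empty `ChainStatus`, identifies which of the required attributes the certificate fails.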
- Launch the Microsoft Management Console (mmc.exe). Click File->Add/Remove Snap-in.
- Choose Certificates in the available Snap-ins. Click Add.
- Choose Computer account on the dialog and click Next.
- Choose Local Computer and click Finish. Click OK in the Add/Remove Snap-ins dialog.
- Click the Certificates\Trusted Root Certification Authorities\Certificates node.
- Double-click the certificate to check its validity.
- If the certificate is invalid/corrupt, you need to import a new certificate.
You can import a new certificate using the Action->All Tasks->Import file
menu.
- If you import a new certificate, you need to restart the Application Virtualization
Server service for the import to take effect.