Channel: Ivanti User Community : All Content - General

Certificate Manager - Non-Self-Signed Certs & Missing Certs


Problem

The problem can appear as a combination of the following symptoms:

  • The LDMS core server installation pre-check fails at "Root Certificate Configuration".
  • Clients receive a 403.16 error when connecting to the core server.

 

Resolution

 

The resolution is one of two fixes: removing non-self-signed certificates from Trusted Root Certification Authorities, or adding the LANDESK certificate to Trusted Root Certification Authorities:

 

Non-Self-Signed Certs in Trusted Root Certification Authorities

 

  1. On the core server, click the Start button and type certmgr.msc. This will launch the Certificate Manager.
  2. Expand Trusted Root Certification Authorities - Certificates.
  3. In the right-hand window, the core certificates will be listed. The problem is caused by a certificate in this list whose name in the "Issued To" column doesn't match the name in the "Issued By" column. The screenshot below doesn't show an example of an error-causing certificate, but is included to give an idea of what the window should look like.
  4. Either move the mismatched certificate to the Personal folder or delete the certificate.

***Special Note*** GPOs may add certificates to Trusted Root Certification Authorities after the install has completed. If this happens, you'll get the HTTP 403.16 error described next in the document.

 

http://puu.sh/pTVH5/6ea4d09663.png

 

HTTP 403.16 Error

 

This is usually caused by one of two errors:

 

  • In upgrades from an older version of LANDESK to LDMS 2016, the LANDESK certificates may be missing from Trusted Root Certification Authorities
  • Non-self-signed certs are present in the Trusted Root Certification Authorities

This error will appear in logs on the clients as they try to connect to the core. It will also appear in the IIS logs. It can happen during vulscan, when getting credentials for preferred servers, etc.

 

LANDESK certificates may be missing from Trusted Root Certification Authorities

 

  1. On the core server, review your agent configuration's Client Connectivity settings.
    1. Typically, on a fresh core it should look something like this:
      1. However, after most upgrades you may have several of these. Compare this list against the certificates in the trusted root and ensure that every cert listed here is shown in your trusted root. If not, continue with step 2.
  2. On the core server, navigate to \Program Files\LANDESK\Shared Files\keys. In this folder, all LANDESK certificates will be shown.
  3. On the core server, run certmgr.msc and expand Trusted Root Certification Authorities - Certificates.
  4. Compare the certificates listed in the \keys folder against the certificates found in Trusted Root Certification Authorities.
  5. In the folder, right-click the LANDesk_xxxxxxx.crt file that is missing from Trusted Root Certification Authorities and select "Install Certificate" from the menu.

http://puu.sh/pTWKR/05eab036f8.png

 

  6. In the Certificate Import Wizard, select "Local Machine" for the Store Location. Click Next.

http://puu.sh/pTWPm/ab6222cff1.png

  7. Select "Place all certificates in the following store" and click Browse. Select Trusted Root Certification Authorities. Click Next.

http://puu.sh/pTWVE/6566376a7c.png

  8. Click Finish. A popup window saying the import was successful should appear. Click OK. The certificate will now be listed in Certificate Manager. Repeat the process as needed to ensure all LANDESK certificates are present.

 

Non-self-signed certs being found in the Trusted Root Certification Authorities

 

Due to possible GPOs or other settings, non-self-signed certs may be found in the Trusted Root Certification Authorities. This can still happen after LDMS 2016 has been installed. To fix this error, the non-self-signed certificate(s) will need to be removed:

 

  1. On the core server, click the Start button and type certmgr.msc. This will launch the Certificate Manager.
  2. Expand Trusted Root Certification Authorities - Certificates.
  3. In the right-hand window, the core certificates will be listed. The problem is caused by a certificate in this list whose name in the "Issued To" column doesn't match the name in the "Issued By" column. The screenshot below doesn't show an example of an error-causing certificate, but is included to give an idea of what the window should look like.
  4. Either move the mismatched certificate to the Personal folder or delete the certificate.

http://puu.sh/pTVH5/6ea4d09663.png
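
Both manual comparisons above (the "Issued To" / "Issued By" mismatch and the \keys folder versus the trusted root list) can be checked from a PowerShell prompt on the core server. This is an added example, not part of the original article or Ivanti's own tooling. It assumes the Local Machine store (the store location chosen in the import wizard) and that the keys folder sits under the system's Program Files directory; the function names are hypothetical.

```powershell
# Added example (not Ivanti's own tooling): a read-only audit of the two
# conditions this article checks by hand. It changes nothing in the store.

# Assumption: the article's "\Program Files\LANDESK\Shared Files\keys" path
# lives under this machine's Program Files directory.
$KeysDir = Join-Path $env:ProgramFiles 'LANDESK\Shared Files\keys'

function Get-NonSelfSignedRoot {
    # "Issued To" is the Subject and "Issued By" is the Issuer; a self-signed
    # root has the same value in both.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Get-MissingLandeskRoot {
    param([string]$Path = $KeysDir)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Keys folder not found: $Path"
        return
    }
    # Thumbprints currently trusted as roots on the local machine.
    $trusted = @(Get-ChildItem -Path Cert:\LocalMachine\Root).Thumbprint

    foreach ($file in Get-ChildItem -LiteralPath $Path -Filter '*.crt') {
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
        } catch {
            Write-Warning "Could not parse $($file.Name): $($_.Exception.Message)"
            continue
        }
        # Compare by thumbprint, not by name, so a renamed file still matches.
        if ($trusted -notcontains $cert.Thumbprint) {
            [pscustomobject]@{ File = $file.Name; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
        }
    }
}

'Non-self-signed certificates in LocalMachine\Root:'
Get-NonSelfSignedRoot | Format-List

'LANDESK .crt files not present in LocalMachine\Root:'
Get-MissingLandeskRoot | Format-Table -AutoSize
```

Because GPOs can add certificates after the install, re-running the first check after a Group Policy refresh shows whether a non-self-signed certificate has returned.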

