
Symantec Workspace Corporate - Contact IT Help Desk

Updated: 29 Jul 2010
Scot Curry

Symantec Workspace Corporate Demo Environment.

Symantec Workspace Corporate (SWC) is becoming more and more popular as people understand the value of fast user switching in a Virtual Desktop (VDI) environment. Because there is so much excitement around the product, many users are starting to install SWC in a lab environment. Symantec Workspace Corporate has always been designed and tested in production environments, which leads to some interesting issues when setting up a system in a lab environment. This document addresses one of those issues.

Why the "Contact IT Help Desk" Error Occurs

Symantec Workspace Corporate has been designed to enhance security at the endpoint. Systems that run as Internet applications, like SWC, are required to be trusted. In a production environment the user would have a valid certificate to assign to the Web site running SWC. Symantec Workspace Corporate ships with the ubiquitous SelfSSL certificate. This certificate is the primary reason for this error.

Part of using certificates is that the consumer of the certificate checks with the certificate authority to make sure that the certificate is still valid. Timeouts occur when attempting to check for certificate revocation.

The actual error text is configurable. To change the message you will need to be in the Symantec Workspace Corporate Admin Console. Go to the System Manager tab and select System Manager, and modify the Invalid User Message field.

Make your Lab Environment Work Without the Error

To eliminate this error in a lab environment use the following steps.

SSL Certificate

By default when IIS uses SSL, there is a call made to www.download.microsoft.com. To disable this call, you need to turn off Automatic Root Certificates updating. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

Certificate Revocation List Checking

To turn off Automatic Root Certificates Update:
1. Click Start, and then click Run.
2. Type gpedit.msc, and then click OK.
3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
4. In the Computer Configuration section, double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
5. Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
6. Close the Local Group Policy Editor.
Note: You can use Group Policy to set policy settings that apply across a given site, domain, or organizational unit in Active Directory Domain Services.

Production Systems

For production systems, the CRLs from VeriSign will need to be downloaded from a machine with Internet access and transferred to the machine with restricted Internet access. The CRLs are then installed into the certificate store.

Download from VeriSign:

csc3.2005.crl

pca3.crl

Install into the certificate store by using:

certutil -addstore CA csc3.2005.crl
certutil -addstore CA pca3.crl

The Certificates MMC snap-in will show the expiration date of each CRL, at which point new CRLs will have to be downloaded.

Test / Demo Systems

For test or demo systems where Symantec Workspace Corporate is installed, the CRL checking can be disabled.

  1. ASP.NET – turn off CRL checking
     ASP.NET SP1 or Hot Fix KB936707 required.
     Add the following to %windir%\Microsoft.NET\Framework\v2.0.50727\Aspnet.config, in the <runtime> section:

     <generatePublisherEvidence enabled="false"/>

  2. COM+ – turn off CRL checking
     Create or edit the %windir%\system32\dllhost.exe.config file with the following entry:

     <configuration>
         <runtime>
             <generatePublisherEvidence enabled="false"/>
         </runtime>
     </configuration>

After any change, restart IIS and the COM+ package(s) so that the new values are loaded.
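
To see which of these lab-only settings are active on a host (for example, before a lab image is reused for production), a read-only check such as the following can be run from an elevated PowerShell prompt. This is an added example, not part of the original article or of Symantec Workspace Corporate. The function names are illustrative, and the registry value DisableRootAutoUpdate under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot is not named in the article: it is assumed here as the value behind the "Turn off Automatic Root Certificates Update" policy.

```powershell
# Added example: read-only audit of the lab relaxations described above.
# Nothing is modified; each check reports whether the relaxed setting is present.

function Test-RootAutoUpdateDisabled {
    # Assumption: policy-backed value for "Turn off Automatic Root Certificates Update".
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $prop = Get-ItemProperty -Path $key -Name 'DisableRootAutoUpdate' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.DisableRootAutoUpdate -eq 1)
}

function Test-PublisherEvidenceDisabled {
    param([Parameter(Mandatory = $true)][string]$Path)
    # A missing file means the setting was never applied.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $xml = New-Object System.Xml.XmlDocument
    try {
        $xml.Load($Path)
    } catch {
        # A malformed config file is reported, not silently treated as "safe".
        Write-Warning "Cannot parse $Path as XML: $($_.Exception.Message)"
        return $false
    }
    $node = $xml.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
    return ($null -ne $node -and $node.GetAttribute('enabled') -eq 'false')
}

# Paths exactly as given in the article.
$aspnet  = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\Aspnet.config'
$dllhost = Join-Path $env:windir 'system32\dllhost.exe.config'

$report = @(
    @{ Setting = 'Automatic Root Certificates Update turned off'
       Relaxed = (Test-RootAutoUpdateDisabled) },
    @{ Setting = "generatePublisherEvidence disabled: $aspnet"
       Relaxed = (Test-PublisherEvidenceDisabled -Path $aspnet) },
    @{ Setting = "generatePublisherEvidence disabled: $dllhost"
       Relaxed = (Test-PublisherEvidenceDisabled -Path $dllhost) }
) | ForEach-Object { New-Object PSObject -Property $_ }

$report | Select-Object Setting, Relaxed | Format-Table -AutoSize -Wrap

if ($report | Where-Object { $_.Relaxed }) {
    Write-Warning 'Lab/demo certificate relaxations are active on this host.'
}
```

A host that reports every row as False is still using the default certificate checking behavior that the Production Systems section assumes.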