Endpoint Management & Virtualization ArticlesRSS

Symantec Workspace Corporate - Contact IT Help Desk

Scot Curry

November 5th, 2009

Filed under: Workspace Virtualization, Best Practice, Configuring, Installing, Tip/How to, Endpoint Management and Virtualization

Symantec Workspace Corporate Demo Environment.

Symantec Workspace Corporate is becoming more and more popular as people understand the value of fast user switching in a Virtual Desktop (VDI) environment. Because there is so much excitement around the product, many users are starting to install SWC in a lab environment. Symantec Workspace Corporate has always been designed and tested in production environments which leads to some interesting issues when setting up a system in a lab environment. This document addresses one of those issues.

Why Contact IT Help Desk Occurs

Symantec Workspace Corporate has been designed to enhance security at the endpoint. Systems that run as Internet applications like SWC are required to be trusted. In a production environment the user would have a valid certificate to assign to the Web site running SWC. Symantec Workspace Corporate ships with the ubiquitous selfssl certificate. This certificate is the primary reason for this error.

A part of using certificates is that the consumer of the certificate checks with the cert authority to make sure that the certificate is still valid. There are timeouts when attempting check for certificate revocation.

The actual error text is configurable. To change the message you will need to be in the Symantec Workspace Corporate Admin Console. Go to the System Manager tab and select System Manager, and modify the Invalid User Message field.

Make your Lab Environment Work Without the Error

To eliminate this error in a lab environment use the following steps.

SSL Certificate

By default when IIS uses SSL, there is a call made to www.download.microsoft.com. To disable this call, you need to turn off Automatic Root Certificates updating. To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

Certificate Revocation List Checking

To turn off Automatic Root Certificates Update:

1. Click Start, and then click Run.

2. Type gpedit.msc, and then click OK.

3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

4. In the Computer Configuration Section double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.

5. Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.

6. Close the Local Group Policy Editor.

Note: You can use Group Policy to set policy settings that apply across a given site, domain, or organizational unit in Active Directory Domain Services.

Production Systems

For production systems, the CRL’s from VeriSign will need to be downloaded from a machine with internet access and transferred to the machine with restricted internet access. The CRL’s are then installed into the certificate store.

Download from Verisign

csc3.2005.crl

pca3.crl

Install into the certificate store by using

certutil -addstore CA csc3.2005.crl

certutil -addstore CA pca3.crl

The certificate MMC snapin will show the expiration date of the CRL at which point new CRL’s will have to be downloaded.

Test / Demo Systems

For test or demo systems where Symantec Workspace Corporate is installed, the CRL checking can be disabled.

ASP.NET – turn off CRL checking

ASP.NET SP1 or Hot Fix KB936707 required

Add the following to %windir%\Microsoft.NET\Framework\v2.0.50727\Aspnet.config

In the <runtime> section:

COM+ - turn off CRL checking

Create or edit %windir%\system32\dllhost.exe.config file with the following entry

</runtime>

</configuration>

After any change, restart IIS to load values and the COM+ package(s)

+2 (2 votes)

Login or register to post comments
Comments RSS Feed