Video Screencast Help

SEP 12.1 RU2 Error 25010 Could not locate "Microsoft Test Root Authority"

Created: 10 Dec 2012 | 17 comments

Gents,

I'm encountering an issue when trying to install SEP 12.1 RU2. Below is a screen shot of the error message and here is the actual text.

Error 25010, Could not locate "Microsoft Test Root Authority" certificate in "Trusted Root Certification Authorities" store. It is required for this build of Symantec Endpoint Protection. Please install it and retry Symantec Endpoint Protection installation.

Now, the error message is pretty straight forward, but that certificate isn't installed on any other machines in which SEP installed correctly.

Any thoughts???

Thanks!!!

Comments 17 CommentsJump to latest comment

Rafeeq's picture

Do you have any previous version of SEP / SAV installed, does this happen on a complete fresh install?

under the trusted root store do you see microsoft root authority certificated.

Ashish-Sharma's picture

HI,

Any third party antivirus install previous ?

Try to install fresh sep client on system and check this error occured again or not ?

Thanks In Advance

Ashish Sharma

 

 

Ajit Jha's picture

Try this steps:

1.      Open Control Panel.

2.      Double-click Add or Remove Programs.

3.      Click Add/Remove Windows Components.

4.      Double-click Application Server.

5.      Double-click Internet Information Services (IIS).

6.      Double-click World Wide Web Service.

7.      Select Active Server Pages.

8.      Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

9.      Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next on the Windows Components page.

10.  On the CA Type page, choose one of the following, and then click Next:

  • Enterprise root CA. An enterprise root CA must be installed on a domain member. The enterprise root CA will automatically issue certificates when requested by authorized users (that are recognized by the domain controller).
  • Stand-alone root CA. A stand-alone root CA requires that the administrator issue each requested certificate.

11.  On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

12.  On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.

13.  On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

How to Install Certificate:

      1.      Open Internet Explorer.

2.      From the menu, select Tools, and then select Internet Options.

3.      Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium, click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.

      4. Browse to: http://IP address of certification authority server/certsrv

5.      Click Download a CA Certificate, Certificate Chain, or CRL. On the next page, click Download CA Certificate. This is the root CA certificate that must be installed on the Forefront TMG computer. In the File Download dialog box, click Open.

6.      On the Certificate dialog box, click Install Certificate to start the Certificate Import Wizard.

7.      On the Welcome to the Certificate Import Wizard page, click Next. On the Certificate Store page, select Place all certificates in the following store and click Browse. In the Select Certificate Store dialog box, select Show Physical Stores. Expand Trusted Root Certification Authorities, select Local Computer, and then click OK. On the Certificate Store page, click Next

8.      On the Completing the Certificate Import Wizard page, review the details, and then click Finish.

      Verify that the root certificate was properly installed by performing the following steps.

a.       Open the Microsoft Management Console (MMC) Certificates (local computer) snap-in.

b.      Expand the Trusted Root Certification Authorities node, click Certificates, and verify that the root certificate is in place.

 

Regard's

Ajit Jha

Technical Consultant

ASC & STS

steven o's picture

Could you please explain the reasoning of why we must follow these steps?  I want to understand why this Test Root is needed and what is it's purpose.  I'm also confused as why a computer wouldn't have this installed if it's needed for SEP 12.1.2.  It seems like Symantec would have mentioned it if it was a common thing needed.

 

flack's picture

We had exact same situation, any help to this one is needed - installing root certicate ain't solution - there's 10000 clients which want's to be migraded from SEP11 to SEP12.1.2 - and some of them ain't on AD either so we cannot share this cert using it..

sandra.g's picture

You did not mention which operating system you were attempting to install SEP onto. Is it safe to assume that this is the SEP client, given that you installed it successfully onto other computers?

I can find no KB documents for SEP with "Error 25010" or "Microsoft Test Root Authority".

sandra (who is most certainly not a gent wink)

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

steven o's picture

I've tried installing it on both Windows 7 64-bit SP1 and Windows 8, both are using 12.1 R1 MP1.  I've received the same errors on both as well.

Tomba40's picture

We have same problem when uppgrading from 11.0.6300.803

Installation log says:

 

CheckTeeferCertificate begin

CheckTeeferCertificate Test Root Certificate is not installed, the installation will rollback.

MSI (s) (A4!C8) [16:14:34:661]: Product: Symantec Endpoint Protection -- Error 25010. Could not locate "Microsoft Test Root Authority" certificate in "Trusted Root Certification Authorities" store. It is required for this build of Symantec Endpoint Protection. Please install it and retry Symantec Endpoint Protection installation.

 

Error 25010. Could not locate "Microsoft Test Root Authority" certificate in "Trusted Root Certification Authorities" store. It is required for this build of Symantec Endpoint Protection. Please install it and retry Symantec Endpoint Protection installation.

CheckTeeferCertificate end, returning: 1603

Action ended 16:14:34: CheckTeeferCertificate. Return value 3.

sandra.g's picture

The only references I can find are either extremely outdated or not relevant to the 12.1.2015.2015 build. (You are all using the final build, I hope, and not e.g. a beta?) If anyone experiencing this issue with 12.1.2015.2015 hasn't yet opened a case, I would suggest doing so.

sandra

Symantec, Senior Information Developer
Enterprise Security, Mobility, and Management - Endpoint Protection

Don't forget to mark your thread as 'solved' with the answer that best helps you!

Tomba40's picture

Version is 12.1.2015.2015 

Operating system on client is Windows Vista ultimate Edition.

 

Case opened.

CJston15's picture

We are also starting to experience this issue in our environment. I initially came across this issue trying to run a fresh 12.1.2 install on a Windows 7 Professional x64 laptop. Microsoft Root Authority and Microsoft Root Certificate Authority are both installed and do not expire until the year 2020 at the earliest. However, I still get this error when trying to run the install. Checking with our field technicians they too have come across this error within the last week, but to date none have resolved as far as I know.

Chetan Savade's picture

Hi,

Recently we had also faced this issue with SEP 12.1 RU2 & It resolved after doing an upgrade to SEP 12.1 RU2 MP1.

Upgrade to SEP 12.1 RU2 MP1 can be the possible solution.

Chetan Savade
Sr Technical Support Engineer, Endpoint Security
Enterprise Technical Support
CCNA | CCNP | MCSE | SCTS |

Don't forget to mark your thread as 'SOLVED' with the answer that best helps you.<

Eyal's picture

Was this problem  resolved , Im experiencing this error when I try to install SEP 12 RU2 on my backup servers.

is this a common issue with SEP 12 RU2.

Thank you

Parth's picture

Hello,

I got this same error (Error 25010 Could not locate "Microsoft Test Root Authority") while install SEP Client 12.1.3507.3673 on Windows 2003 X64.

 

Any pointers to solve this?

 

 

Thanks,

Partha

Oleg_M's picture

Hello, 

 

we solved a problem by installing "Microsoft Test Root Authory" certificate (attached)

AttachmentSize
MS_Test_Root_Authority.zip 1.83 KB
Kenneth R's picture

We encountered the same error trying to install SEP 12.1 RU3 on Windows Server 2003. I won't re-attach a screen shot of the error message as it is the same as the original post:

Error 25010, Could not locate "Microsoft Test Root Authority" certificate in "Trusted Root Certification Authorities" store. It is required for this build of Symantec Endpoint Protection. Please install it and retry Symantec Endpoint Protection installation.

I think this is a somewhat bogus error message - at least we were able to solve without using any test certificates.  Our one server probably was missing a Microsoft patch. When comparing this server's Trusted Root Certificates to another 2003 server, I found two Microsoft certificates missing.  Even though they are expired, if the installation binaries were countersigned by a timestamp server, they would still be valid, so I imported the two certificates and the SEP 12.1 installation ran successfully.

On Windows 2003, I suggest you open certmgr.msc and verify the Trusted Root Certification Authorities contain all three Microsoft certificates (we were missing the first two on one server; probably missed a patch):

ms_code-siging_certificates_win2003.PNG

Certification path from the Microsoft Root Authority (Valid to: Thursday, December 31, 2020 2:00:00 AM, Thumbprint (sha1): a4 34 89 15 9a 52 0f 0d 93 d0 32 cc af 37 e7 fe 20 a8 b4 19). 

Missing:

  1. CN = Microsoft Code Signing PCA
    OU = Copyright (c) 2000 Microsoft Corp.
    O = Microsoft Corporation
    L = Redmond
    S = Washington
    C = US
    Valid from: Thursday, May 23, 2002 3:00:00 AM
    Valid to: Sunday, September 25, 2011 3:00:00 AM
    Issuer: CN = Microsoft Root Authority, OU = Microsoft Corporation,OU = Copyright (c) 1997 Microsoft Corp.
    Thumbprint (sha1): b0 4e dd 83 d6 79 f4 08 1b c1 d2 bd bc 5f 6b 3b e5 c6 4c 3e
     
  2. CN = Microsoft Corporation
    O = Microsoft Corporation
    L = Redmond
    S = Washington
    C = US
    Valid from: Wednesday, January 05, 2005 6:20:19 PM
    Valid to: Wednesday, April 05, 2006 6:30:19 PM
    Issuer: CN = Microsoft Code Signing PCA, OU = Copyright (c) 2000 Microsoft Corp., O = Microsoft Corporation, L = Redmond, S = Washington, C = US
    Thumbprint (sha1): a2 58 00 bb 75 77 f5 85 4b 38 23 b8 22 28 d9 41 40 d0 24 4e

I needed all three for the installation to run correctly (the root certificate was already there).

I have attached the certificates for reference only. I suppose you could verify the thumbprints, but I would highly recommend only importing certificates into the "Trusted Root Certification Authorities" from exceptionally high trust sources.

 

AttachmentSize
ms_code-siging_certificates_win2003.zip 7.58 KB
shafiq1's picture

I just experienced this exact same issue while deploying SEP 12.1.4013 with Altiris. I determined it was an issue with the execution path being used to install the software. the path was long and included spaces.  I reimported the software resource into the Altiris database, but using an execution path that didn't include any spaces. when i delivered the software via a policy the next time it installed without issue.