Question : Digital Certificate Error

I have a network with over 130 users on the domain.  About 3 weeks ago, one user started getting a dialog box pop-up when Internet Explorer was launched stating the following:

"Security Alert!!

Information you exchange with this site cannot be viewed or changed by others.  However, there is a problem with the site's security certificate.

(green check mark)  The security certificate is from a trusted certificate authority
(green check mark)  The security certificate date is valid
(yellow warning sign) The name on the security certificate is invalid or does not match the name of the site.

It asks if I want to proceed.  I can click Yes, No, or view certificate.  If I click view certificate, it brings up a windows box with 3 tabs (general, details, certificate path).  It says issued to sites.xxxxxxx.com, issued by www.verisign.com and valid from xx to xx.

If I click on install certificate, it'll walk me through a wizard and appears to install so everything would be fine.  If I click yes that I want to proceed - or if I install the certificate - it then comes up with the following:

"Choose a digital certificate"
The website you want to view requests identification.  Please choose a certificate.

Now my only options are More Info... (which brings up IE Help),  OK, and Cancel.  If I hit ok or cancel, the pop-up goes away for 2 seconds and then comes back up.  I can't get rid of it.

I've cleared out all IE temp files, cookies, history, etc.
I've updated IE from 6 to 8.0.
Neither of these worked to fix the issue.

If I log onto the machine as administrator - rather than the particular user - this situation does not occur.  I made the user an admin on their machine - but it happens still.  This is our company's director - so I really need to find a resolution.

After the first occurrence of the security alert above - I no longer have the ability to select view certificate, and the dialog box for choosing a digital certificate is blank.  I've tried doing a system restore back to a date before this was happening - but it still comes up - however when I do a restore - at least the first time I open IE - I get the 'View Certificate' option but I run through installing it or clicking yes (see above initial security alert) and I'm back to the empty choose a digital certificate dialog box.

This is the only user getting this error on the network.  The website which appears in the 'issued to' box when you choose view certificate is used by other people in the organization as well.

Can ANYONE help me with this?  I don't want to have to reformat the machine or move all his files - I figure there's got to be a fairly simple fix somewhere.. Editing the registry or something????



Answer : Digital Certificate Error

Usually when you see a cert box it is either a problem with the web server being configured to require client authentication certificates - but other users don't need to select one.  If this doesn't happen to all users, such as in your case, then it is usually an issue with the browser - yet this is happening in IE and FF.  Since it does not occur for the same user elsewhere it isn't some weird user specific thing, and since other users don't experience it on the same box it isn't just the box.

It is possible that maybe the rest of the clients do actually have a similar Verisign cert and it works fine.  Assuming not, I'm thinking that a corrupt Windows profile is to blame.  Try creating a new profile and import the Verisign cert with private key.

Another possibility is that the way the user is logging in just doesn't match the subject name of the cert.  Try looking on the details tab of the cert for Subject and Subject Alternate Name and see what username formats are in place - maybe you need to log in as [email protected] instead of having the username on a different line and taking the domain from the dropdown, or using domain\username.  I'm assuming their AD information didn't change - like a name change due to marriage or anything like that where the cert may be trying to check something else that used to match but no longer does?

Right now my bet's on the profile, but dig into it a little bit.
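
One way to carry out the checks suggested in the answer above, as an added example that is not part of the original answer: list the client certificates in the affected user's personal store with their Subject, Subject Alternative Name, private-key status and Client Authentication usage. It assumes Windows PowerShell is available on the machine; no site or user names are taken from the post.

```powershell
# Run in the affected user's own session: Cert:\CurrentUser\My is stored per profile,
# so an administrator logon on the same machine sees a different store.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$now           = Get-Date

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_

    # Collect the EKU OIDs; a certificate with no EKU extension is valid for any purpose.
    $ekuExt = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Decode the SAN so the name format in the cert (UPN, e-mail, DNS name) is readable.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $san = '(none)'
    if ($sanExt) { $san = $sanExt.Format($false) }

    New-Object PSObject -Property @{
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer
        SubjectAltName    = $san
        HasPrivateKey     = $cert.HasPrivateKey
        ClientAuthAllowed = (-not $ekuExt) -or ($ekus -contains $clientAuthOid)
        CurrentlyValid    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        Thumbprint        = $cert.Thumbprint
    }
} | Format-List Subject, Issuer, SubjectAltName, HasPrivateKey, ClientAuthAllowed, CurrentlyValid, Thumbprint
```

No output, or only entries with HasPrivateKey or ClientAuthAllowed set to False, would be consistent with the empty "Choose a digital certificate" dialog; comparing the output with a working user's store shows whether the other clients hold a certificate this profile lacks.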