TROUBLESHOOTING WINDOWS 2003
In Windows Server 2003, there may be valid Microsoft files that have to be manually whitelisted even though they may have a valid publisher. If any publisher trust issues are encountered, follow the steps below to resolve them:
- Right-click on the untrusted executable or the library and click Properties.
- Navigate to the Digital Signatures tab.
- Select the signature displayed in the list. Click Details. It may take a few minutes for the pop-up window to be displayed. The error information is displayed on the pop-up window.
- Scenario 1:
  - Error Message: The integrity of the certificate that signed this file cannot be guaranteed
  - Possible Cause: The host is missing the Knowledge Base patch that adds SHA2 support
  - Recommended Action: This file must be allowlisted on CMS manually. Alternatively, the Knowledge Base patch can be installed. Follow the steps in Section SHA2 Certificates
- Scenario 2:
  - Error Message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust publisher
  - Possible Cause: The root certificate of this executable needs to be added
  - Recommended Action: Follow the steps in Section Root Certificate Addition
- Scenario 3:
  - Error Message: This digital signature is OK (But, the publisher is not listed in VSP)
  - Possible Cause: The root certificate is installed in the wrong store
  - Recommended Action: Follow the steps in Section Certificate Installed in Wrong Store
- Scenario 4:
  - Error Message: The certificate may be corrupted or may have been altered
  - Possible Cause: Windows Server 2003 does not natively support SHA2 certificates. Microsoft deprecated the signing of SHA1 Root certificates a few years ago. So, newer executables that are signed with SHA2 cannot be authenticated by Windows Server 2003 unless a Knowledge Base patch is installed on the server.
  - Recommended Action: Follow the steps in Section SHA2 Certificates
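
A command-line version of the Digital Signatures check above, as an added example that is not part of the original documentation: it prints the signature status and message, the signature algorithm of each certificate in the chain, and the stores that hold the chain's last certificate. It assumes PowerShell 2.0 is installed on the host; the default `$Path` value is a placeholder.

```powershell
# Added example (not from the product documentation). PowerShell 2.0 compatible.
# The default path is a placeholder: pass the executable or library that was flagged.
param([string]$Path = 'C:\path\to\flagged.exe')

# OIDs of SHA2-family certificate signature algorithms
$sha2Oids = @(
    '1.2.840.113549.1.1.11', '1.2.840.113549.1.1.12', '1.2.840.113549.1.1.13',  # RSA: sha256/384/512
    '1.2.840.10045.4.3.2',   '1.2.840.10045.4.3.3',   '1.2.840.10045.4.3.4'     # ECDSA: sha256/384/512
)

$sig = Get-AuthenticodeSignature -FilePath $Path
"Status : $($sig.Status)"
"Message: $($sig.StatusMessage)"
if (-not $sig.SignerCertificate) { 'No signer certificate on this file.'; return }

# Build the chain without revocation lookups so the check also works offline
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($sig.SignerCertificate)
"Chain trusted: $trusted"

foreach ($status in $chain.ChainStatus) {
    # UntrustedRoot corresponds to the "root certificate which is not trusted" message
    "Chain status : $($status.Status)"
}

# A SHA2 entry here points at the SHA2 scenarios (Knowledge Base patch or manual allowlisting)
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $oid  = $cert.SignatureAlgorithm.Value
    '{0} | sigalg OID {1} | SHA2: {2}' -f $cert.Subject, $oid, ($sha2Oids -contains $oid)
}

# List every certificate store that holds the last certificate of the chain,
# which shows whether the root was installed in an unexpected store
if ($chain.ChainElements.Count -gt 0) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    foreach ($store in (Get-ChildItem Cert:\LocalMachine, Cert:\CurrentUser)) {
        $hit = Get-ChildItem $store.PSPath | Where-Object { $_.Thumbprint -eq $top.Thumbprint }
        if ($hit) { "Top of chain found in store: $($store.Location)\$($store.Name)" }
    }
}
```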