Valid Trust Anchor?

On the off chance someone understands this error and can help, I’m posting the wifi errors my Windows 7 Ultimate laptop started to encounter at work on wifi. My laptop is not part of the corporate domain (as it’s a personal laptop). Until very recently, everything worked without any trouble, and IT is not aware of any changes that they made that would explain these errors.

I’ve got Personal certificates installed in my user profile, and my employer’s Trusted Root Certification Authorities certificate is installed. Neither has expired.

The first symptom is that I now get prompted for credentials when connecting to the wifi access point:

[Image: Network Authentication dialog]

We discovered that just hitting OK here without providing any credentials was OK. It should have been automatically using the certificate I have installed.

After a few moments, this confusing dialog is displayed:


“The credentials provided by the server could not be validated. We recommend that you terminate the connection and contact your administrator with the information provided in the details. You may still connect but doing so exposes you to the security risk by a possible rogue server.

The server XYZ presented a valid certificate issued by Company Name Certificate Authority but Company Name Certificate Authority is not configured as a valid trust anchor for this profile.”

Clicking the Connect button then seems to work. So for now, we agreed that it was OK – but, we have no idea what’s going on. If I learn more, I’ll post more details here. But in the meantime – if anyone else has an idea about this – I’d appreciate hearing about it! 

4 Comments

  1. Posted this to your other posting as well:
    http://superuser.com/questions/116541/what-is-a-valid-trust-anchor-in-windows-7-relating-to-wifi/167360#167360

    I ran across the same issue. Found the answer.

    1. Go to Control Panel > Network and Internet > Manage Wireless Networks.

    2. Open the wireless network. Or, click the “Add” button to create a new network, then open it.

    3. The Wireless Network Properties window appears. Click the Security tab.

    4. Under “Choose a network authentication method”, select “Microsoft: Smart Card or other certificate”. I assume this is already selected.

    5. Click the “Settings” button.

    6. The “Smart Card or other Certificate Properties” window appears.

    7. Here is the answer. Under the “Trusted Root Certification Authorities” list, you have to manually select the Root CA of your company. By default, these are all blank. That is why the warning message appears the first time if you do not select your company’s Root CA. If you connect despite the warning, then your company’s Root CA is now selected, and you no longer get the warning on subsequent connections. So, to avoid the warning, just select this box when you set up the network, before you connect for the first time.

    8. If you do not see your company’s Root CA here, that is likely due to the fact that by default, double clicking your certificate to install it probably puts it under the “Intermediate Certification Authorities” tab. You need to select the “Trusted Root Certification Authorities” tab instead. You can see where certificates go under: Internet Explorer > Internet Options > Content > Certificates
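To check the setting from step 7 without opening the dialog, the profile can be exported with `netsh wlan export profile` and its EAP-TLS `ServerValidation` block inspected for a `TrustedRootCA` entry. The following is an added example, not part of the original post or comment; the embedded XML is a constructed, trimmed sample with a placeholder profile name and thumbprint, and `audit_profile` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed shape of an exported EAP-TLS profile.
# Profile name and thumbprint below are made-up placeholders.
TEMPLATE = """<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi-EXAMPLE</name>
  <MSM><security><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
      <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
        <Type>13</Type>
        <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
          <ServerValidation>
            <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
            <ServerNames></ServerNames>@ANCHORS@
          </ServerValidation>
        </EapType>
      </Eap>
    </Config></EapHostConfig>
  </EAPConfig></OneX></security></MSM>
</WLANProfile>"""
UNPINNED = TEMPLATE.replace("@ANCHORS@", "")
PINNED = TEMPLATE.replace(
    "@ANCHORS@", "<TrustedRootCA>00 11 22 33 44 55 66 77 88 99 "
    "aa bb cc dd ee ff 00 11 22 33 </TrustedRootCA>")


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_profile(xml_text):
    """Return profile name, pinned root CA thumbprints and prompt setting."""
    root = ET.fromstring(xml_text)
    name = next((e.text for e in root.iter() if local(e.tag) == "name"), None)
    anchors, prompt_disabled = [], None
    for sv in (e for e in root.iter() if local(e.tag) == "ServerValidation"):
        for child in sv:
            text = (child.text or "").strip()
            if local(child.tag) == "TrustedRootCA" and text:
                anchors.append(text.replace(" ", "").upper())
            elif local(child.tag) == "DisableUserPromptForServerValidation":
                prompt_disabled = text.lower() == "true"
    return {"profile": name, "anchors": anchors,
            "prompt_disabled": prompt_disabled, "pinned": bool(anchors)}


if __name__ == "__main__":
    for label, xml_text in (("unpinned", UNPINNED), ("pinned", PINNED)):
        print(label, audit_profile(xml_text))
```

A profile that reports `pinned: False` is in the state the comment describes, where no root CA is selected for the profile and the trust anchor warning appears on first connection.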
