programPat Walters said:community that can best help them. We are honored and humbled by the
generous time and energy of the many volunteers who contribute to these
newsgroups, and pleased to have the Microsoft Valuable Professional
Shannon Jacobs said:Actually I read so many of Microsoft's articles that I cannot swear for
certain whether or not I read that particular one. However, I do remember
doing the steps that were recommended there, though they may have been from
another similar article. I did find a solution, though not from Microsoft.
Here it is:
http://www.beginningtoseethelight.org/patches/2kpro.php
As already noted, I can only congratulate Microsoft for their success in
destroying yet another free support resource (the MVP program of some years
ago) and I continue to wish I had the option the abandon Microsoft.
Pat Walters said:"Shannon Jacobs",
After reading the thread further, let me just reiterate what Karl
Levinson said at the end of his last posting. We are here to help.
I do not pretend to understand what good can come from ranting on a
newsgroup about how much you dislike our company or the amazing and
technically savvy group of volunteers that devote themselves to
people with problems using Windows Update --but at name calling,
here it ends.
Please refrain from name-calling or ad-hominem attacks in this, and
any other Microsoft newsgroup. We encourage all people with
questions or comments about our products to visit our many
newsgroups and find the community that can best help them. We are
honored and humbled by the generous time and energy of the many
volunteers who contribute to these newsgroups, and pleased to have
the Microsoft Valuable Professional program ( http://www.mvps.org.)
This is a *privately*-owned newsgroup for the assistance of
Microsoft customers.
To our MVPs and volunteers, thank you for your continued hard work
and efforts. We continually make a better product, and we learn
how to serve the customer better because of this forum and the
interaction you have with our customers.
Sincerely,
Pat Walters [MSFT]
Shannon Jacobs said:The lady doth protesteth too much. Or is it one of Arnold's
girly-men? Well, actually the "incident" most reminds me of a
certain very prominent judge who wrote a 20-page explanation of
why an apparent personal interest in a certain case was not really
an interest, so there was no reason to recuse himself. Sorry, but
the 20-page explanation goes way *beyond* the appearance of a
conflict. That explanation itself was the most concrete evidence
of why the judge should have recused himself, incredible hypocrisy
notwithstanding. Same with your verbose defenses of your technical
abilities in the absence of technical answers.
Of course, I'm not surprised you can't put up (something of
technical value). I am surprised you aren't smart enough to use
the other half of the old saying. Years ago, way back when the MVP
program was useful, I would ask similar technical questions, and
if there was an answer from an MVP, it was almost certain to be
very helpful. Even their questions were helpful in finding the
real source of the problems. Other times my questions went
unanswered, but sufficient research revealed that they really were
that difficult to answer or even define, and the MVPs were correct
to wait for more knowledge.
These days it seems like an MVP will usually respond quickly--but
for any non-trivial question, more often than not, the response is
just incorrect. That is why I asked about the current metrics
Microsoft is using to assess the MVP program. I really suspect you
get MVP brownie points for being the first MVP to answer, and
without regard to the utility, correctness, or even relevance of
the answer. I am quite sincerely interested in how Microsoft does
business, even in the ethically dubious tactics. As regards the
MVP program, I think it was probably easy for Microsoft to tip the
scales in this way, since most technically competent people are
too busy to donate lots of time to Microsoft's greater glory.
(Yes, I'm being slightly tongue in cheek, since I'm sure you do it
to help the suffering customers--but Microsoft is still willing to
make a bit more money by milking your efforts.)
Regarding your (Levinson's) list of candidates for MVP
incompetence, I'm sorry, but I don't track people for their
inability to be helpful. I remember people for their competence,
especially technical competence. I used to know the names of a
number of MVPs--but I recognize none of the names you mentioned.
Just piling the evidence up, aren't you? Now excuse me while I
forget your name, too.
As I am prone to do, I'll commit the folly of mentioning technical
matters in what is eminently not much of a technical thread. Now
that I can run SFC again, it issues the same unable-to-verify
complaints about a number of files. Still no hint about *which*
files are too new or *which* security certificates are still
missing. (However, I'm supposed to receive a new computer in a
month or two, so I think I'll just ignore it until then. Maybe
I'll convert this old one to Linux?)
Several of my earliest attempts along the
missing-security-certificate path were to try to reinstall some
of the recent security certificate updates that WindowsUpdate had
provided. I was not able to do so from the Microsoft site, and
none of the MVPs even thought to suggest that approach.
Well, if reinstalling the patches didn't fix the problem, isn't
it a good thing we didn't suggest it?
Windows Update absolutely lets you see and re-install whatever
patches are on your system, but it has no possible way of knowing
about patches that were pushed down by your IT staff using who
knows what method, nor would we. You would have to contact your
IT staff for that.
Your only statement in your OP regarding patches was this:
"Some possibility it may have been caused by a WindowsUpdate,
possibly even one that was pushed onto my machine by the
corporate IT people."
With that vague level of detail, of course your IT people knew
how to fix the problem and we didn't. Your IT people knew which
patch they had pushed out to cause the problem, and we still
don't.
Even now, you still haven't provided enough information about
which patch or file was the problem, but you expect us to
magically know the answer in a minute to a problem you've been
struggling with for months. I can only guess that the patch
you're talking about might be the May 2004 root certificates
update over 7 months ago, but I would be hesitant to waste your
time offering suggestions like reinstalling this or that patch
based on that guess [and since this didn't fix your problem, it's
a good thing I didn't sugest it]. You still haven't shared
enough detail about the fix to help anyone else learn from your
experience.
Using the link I provided (which actually came from someone in my
company), I was able to find a file which fixed the damage.
How do you know your IT people didn't get the answer to this
problem from Microsoft, or from an MVP?
I am not certain if that
file is the same one that exists somewhere on the Microsoft
site, or if it was a special version. However, I am absolutely
certain the Microsoft search engines failed to find it, and the
MVP program participants also failed to find it--or even to
suggest looking for it.
Most problems with Microsoft patches are due to pre-existing
problems with the configuration of the PC. If no one else on the
planet has ever had your problem, then why would you expect the
solution to be in the Microsoft knowledge base? Note that your
problems [getting answers from the MS search engine or from the
newsgroups, your computer breaking in the first place] always
seem to be because someone at Microsoft has failed you, never
because of you, say, entering the wrong description or deleting
root certificates.
The part that is apparently rubbing you the wrong way is my
general comments about what Microsoft has done to the MVP
program. If so, you should quit acting in a way that provides
additional evidence. So far you are only reinforcing my belief
that Microsoft has pretty much destroyed the MVP program by
getting rid of the most technically competent people.
Which of the Microsoft MVPs do you think are not technically
competent? Is it Ed Skoudis? Stuart McClure? Roberta Bragg?
Tom and Debra Littlejohn Shinder? Mark Russinovich? Mark
Minasi? I would like to know why you think the MVP program has
fewer or less competent MVPs. How and why exactly would
Microsoft want to spend money and time on the MVP program, but
intentionally choose the worst candidates? How and why would
they destroy the program by increasing their support for it?
If Microsoft is solely in it for the money, as you claim, then why
spend a single cent on the MVP program in the first place? You do
realize that Microsoft has given you access to pretty much the
same knowledge database that their paid support technicians use
when you call them, correct? And that Microsoft lists the phone
numbers of other companies that offer cheaper tech support on
their support web site? There are certainly some valid
criticisms that can be levied at Microsoft, but your criticisms
of Microsoft make little sense and border on paranoia.
Or perhaps
they have simply changed the incentive system so the MVPs are
encouraged to post meaningless answers even when they have no
idea of what the answer is?
The link I posted may not have fixed your problem, but it is the
answer to what you asked: "what are the dependencies and
troubleshooting steps for certificate problems related to SFC?"
I also tried in my post to clear up some of your misconceptions
about how PKI certificates work that were causing you to angrily
think Microsoft was trying to re-write PKI specifications. You
have yet to prove or suggest why the link I posted was
meaningless. What exactly was it in the link that did not apply
to the question you asked?
The award MVPs get from Microsoft is relatively small and hardly
compensates me for all the time I spend here. If you think I post
thousands of posts here every year because of this award or
because it gets me some kind of points, you are very mistaken.
Certainly I admit that some of my queries are liable to be
non-trivial. Whatever the reason, I also believe this negative
change to the MVP program is a deliberate policy on the part of
Microsoft to discourage customers from relying on
no-cash-involved support.
I see. Microsoft has increased the number of MVPs over the past
two or three years in order to discourage relying on free
support. That makes lots of sense.
In truth, the main technical value I get from the newsgroups in
recent years, and the only reason I will sometimes resort to them
(and usually only after some weeks of struggle), is that the
process of describing the problem more precisely and completely
for a public post is sometimes helpful in understanding the
solution.
I see. So, you don't really need anything from us. You solve the
problem entirely on your own, just by typing it down here to us.
Microsoft and the MVPs caused the problem, hide the solution to
the problem from you, solely for monetary greed on the part of
all of us, and you single-handedly solve the problem. Might I
recommend posting your next question to microsoft.public.test?
You'll get the same results.
I'm not sure how exactly coming back here to insult us and express
your disappointment in our not solving the answer fits in with
this, given that you didn't really expect us to solve the
problem, but then again, I'm just an MVP, so I have trouble tying
my shoes in the morning.
Not so in this particular case, however. This
time it was just a lucky cross-reference that caught my eye. (I
cannot provide a link to that source since it is internal to the
corporate intranet, not public.)
That's convenient. And that prevents you from posting details
about the fix too?
Today I do have a new technical problem from another friend, but
I'm not yet stumped or desperate enough to describe it here.
Thanks, but no thanks.
No problem. When you encounter problems too tough for you to
solve, we'll be here to help.
kind regards,
Karl Levnson, CISSP
replaced)?from there. Many years ago the newsgroups had a positive SNR, but nowadays
zero-signal-and-downhill is the safe prediction.
Just in case some technically competent person would be so kind as to
provide a useful answer, the technical question is:
How can missing security certificates be identified (and "safely"
experiences, I do believe I could escalate the issue, pay Microsoft some
"support" money, and someone at Microsoft would reveal the answer, perhaps
with a clause requiring me not to republish it in public places like the
newsgroups. After all, security almost entirely depends on obscurity, as all
good Microsoftians "know".
Shannon Jacobs said:Great. Taking you at your (poorly written) word, you are technically
competent and polite, and claim to have read and understood all of this
discussion. Therefore it was obviously an oversight that you forgot to
answer the technical question:
How can missing security certificates be identified (and replaced)?
Yet again by the way, I find your (Mr. Dilley's) projection on the "lack of
maturity" issue so funny that I'm reposting this reply in a few other forums
for wider amusement. Given the state of the newsgroups these days, I have
little hope of a technically accurate answer, but at least you're
entertaining.
You're advice to the project managers is especially hilarious
and amusingly timed, but I'm not actually interested in playing your pro/ad
hominem games.
[And how about using a spelling checker? I'm not making an issue of it, but
it's yet another matter of politeness to the readers.]
from there. Many years ago the newsgroups had a positive SNR, but
nowadays zero-signal-and-downhill is the safe prediction.
Just in case some technically competent person would be so kind as to
provide a useful answer, the technical question is:
How can missing security certificates be identified (and "safely"
replaced)?
As I said, the first link I posted, which you complained about, tells
you EXACTLY how to do that. If the instructions in that link didn't
work for you, please tell us what the results are, e.g. you tried
everything on that list, and X happened or didn't happen. If you had
tried everything on that list, you would now be able to tell us that
your computer has all the relevant certificates, and we would then
know that the problem has nothing to do with restoring deleted
certificates as you still seem to believe. We could also rule out a
number of other dependencies on file checking besides certificates,
and move towards the real cause and solution.
I thought you said in a previous post that you had fixed the problem,
and pointed to a page that suggested you might have re-installed some
MS patch or another.
experiences, I do believe I could escalate the issue, pay Microsoft
some "support" money, and someone at Microsoft would reveal the
answer, perhaps
Phone support for problems caused by MS patches [which you blamed at
times] is absolutely free. What more could you possibly want? Which
other vendors do this for you? You might be charged if the problem
was not due to a MS patch.
with a clause requiring me not to republish it in public places like
the newsgroups. After all, security almost entirely depends on
obscurity, as all good Microsoftians "know".
Paranoia and FUD. The MS KB is the same one the paid MS support
technicians use.
[I trimmed the rest of the huge post below as a courtesy to other
readers here.]
Shannon Jacobs said:Where? If you are referring to
http://support.microsoft.com/default.aspx/kb/822798 (the only link I can
find in a sampling of your posts in this thread), then you are incorrect
(again). I just reviewed it (again) and that Web page does NOT answer the
question, and is only tangentially related to the problem (via a special
case). Part of the final section would be relevant (though I already know
this is not the most convenient way to do it) *IF* there was some way to
explicitly identify the missing certificates using SFC or some other tool.
It makes me wonder if perhaps the real reason Microsoft has so far
avoided answering the question is because they no longer support Windows
2000 to that degree.
Imaginary (but sadly plausible) Microsoftian dialog:
found the problem on any WXP machine). That means it would be fundamentally
impossible to know whether or not a W2K machine has valid system files,
unless you use the CD to restore the original system files.
Of course that
cure would be worse than the disease, since you would almost surely be
*undoing* various security patches.
Note that if all W2K machines are
missing certain security certificates, then the frequently appearing
suggestion (in many of Microsoft's "support" Web pages) of copying them (via
export) from another W2K machine is not going to work, either.
Mr. Dilley's rudeness was rather amusing (or even hypocritical) in a post
that apparently accused someone else of rudeness. (Hard to be sure what his
intended points were, since they were so badly expressed.)]
Karl Levinson said:The article lists the certificates used to verify the crypto signatures on
files from updated Microsoft service packs and patches. So, this article
Karl Levinson said:Shannon Jacobs said:Where? If you are referring to
http://support.microsoft.com/default.aspx/kb/822798 (the only link
I can find in a sampling of your posts in this thread), then you
are incorrect (again). I just reviewed it (again) and that Web
page does NOT answer the question, and is only tangentially
related to the problem (via a special
The article lists the certificates used to verify the crypto
signatures on files from updated Microsoft service packs and
patches. So, this article certainly answers this question at least
to those files. I would be very surprised if files from the
original Windows install CD were not signed either with those same
certificates, or using other older certificates with the same name
from the same root authority. It appears to be the closest answer
you're going to find on the Internet [a google search turned up
nothing else as far as I could find] and is absolutely worth a try.
case). Part of the final section would be relevant (though I
already know this is not the most convenient way to do it) *IF*
there was some way to explicitly identify the missing certificates
using SFC or some other tool.
The article does identify the missing certificates, or at least the
three or so required certificates. It's just three certificates,
so why not open your GUI and compare what you've got to a working
or newly installed / imaged Windows 2000 computer? How long could
that possibly take, a few minutes? If you confirm that no
certificates are missing, the other sections of that article then
become relevant, by telling you the other possible dependencies. I
don't see any reason to delay checking all of the dependencies in
the article, to confirm these are not the problem. For example,
you haven't told us whether the crypto service is starting on your
computers [one of the troubleshooting steps mentioned in the
article], unregistering and re-registering the DLLs in question,
etc. I had a similar problem and ran through most of the steps in
an hour or less, much less time than we've spent arguing about
whether or not that article is the answer to your question. I
really can't figure out what your aversion is to you or someone
else on the IT staff there trying out all the steps in the article.
It makes me wonder if perhaps the real reason Microsoft has so far
avoided answering the question is because they no longer support
Windows 2000 to that degree.
As far as tech support goes, Windows 2000 is every bit as supported
as it was on the first day of its release, unless you're asking for
new functionality to be programmed.
Imaginary (but sadly plausible) Microsoftian dialog:
Very imaginary.
found the problem on any WXP machine). That means it would be
fundamentally impossible to know whether or not a W2K machine has
valid system files, unless you use the CD to restore the original
system files.
Or you use a computer that isn't having the problem, or a freshly
installed computer.
Of course that
cure would be worse than the disease, since you would almost
surely be *undoing* various security patches.
Not in Windows 2000 and newer, it tracks and replaces updated files
for you. I wouldn't be using the install CD here though, it's
unnecessary.
Note that if all W2K machines are
missing certain security certificates, then the frequently
appearing suggestion (in many of Microsoft's "support" Web pages)
of copying them (via export) from another W2K machine is not going
to work, either.
That's why you copy them from a known working Windows 2000
computer, or at least compare them with a known working computer,
in the default settings that havent been touched by your IT staff.
Because you refuse to look at the certificates and compare them, we
really have no idea whether the problem is really missing
certificates or not.
Mr. Dilley's rudeness was rather amusing (or even hypocritical) in
a post that apparently accused someone else of rudeness. (Hard to
be sure what his intended points were, since they were so badly
expressed.)]
I understood them. His point is that you are very rude and yet you
need and demand assistance from the people you are insulting.
Also, your IT staff should be the primary ones troubleshooting
this, not you.
Shannon Jacobs said:I really am curious why you (Karl Levinson, mvp) persist in blath^H^H^H^H^H
commenting about a technical topic you know so little about. The only
explanation I can come up with is that you get some kind of Microsoft
brownie points for doing it. Your claim of trying to be helpful does not
sound very convincing at this point. Irrespective of your mysterious goal or
motivation, what you actually do is cause my newsreader to show the thread
is active, causing me to hope that someone who actually understands the
situation has shown up. A few years ago, that someone probably would have
been an MVP who actually understood the technology involved, and the
question would have been satisfactorily resolved within two or three
exchanges. At least that was my most common experience in those
days--whereas this exchange is pretty typical of the new situation.
If you actually go and look "in the trenches", you will see that there are
LOTS of security certificates and LOTS of files. Before resorting to the
newsgroups, I had already spent quite a bit of time trying to do it the
"Microsoft way", and found out that I was apparently wasting my time. To
make progress by that path, there would need to be some way to establish a
relationship between a file and the security certificate it requires. I can
definitely say that the specific security certificates listed in that
article (and in several others) are already present and therefore do NOT
solve the problems on at least one machine. Perhaps you'd like to suggest
that I just try to collect all the security certificates in the world and
import all of them? (Actually, I suspect that approach would actually fail
unless they were imported in the proper order.)
I did manage to test a number of additional machines, and so far the only
interesting pattern seems unchanged. Every Windows 2000 box is broken, and
every Windows XP machine is okay. I even managed to stumble across a
researcher with an English W2K machine, and it seemed to be even more badly
afflicted than most of the Japanese machines. One of the Japanese W2K
machines actually took a while to come up with a missing certificate, but
some of the delay was probably due to another process that was running at
the same time. Still, I do have the impression that the problem is not
absolutely uniform, but that some machines are missing more certificates
than others. Some of this might be because Microsoft's security certificate
upgrades have typically not been included on the primary patch list, but in
the second group, and some people may have skipped those. However, I can
certainly say that for the machines I personally control all of those
security certificate upgrades have been installed--to no avail.
Karl Levinson said:Shannon Jacobs said:Where? If you are referring to
http://support.microsoft.com/default.aspx/kb/822798 (the only link
I can find in a sampling of your posts in this thread), then you
are incorrect (again). I just reviewed it (again) and that Web
page does NOT answer the question, and is only tangentially
related to the problem (via a special
The article lists the certificates used to verify the crypto
signatures on files from updated Microsoft service packs and
patches. So, this article certainly answers this question at least
to those files. I would be very surprised if files from the
original Windows install CD were not signed either with those same
certificates, or using other older certificates with the same name
from the same root authority. It appears to be the closest answer
you're going to find on the Internet [a google search turned up
nothing else as far as I could find] and is absolutely worth a try.
case). Part of the final section would be relevant (though I
already know this is not the most convenient way to do it) *IF*
there was some way to explicitly identify the missing certificates
using SFC or some other tool.
The article does identify the missing certificates, or at least the
three or so required certificates. It's just three certificates,
so why not open your GUI and compare what you've got to a working
or newly installed / imaged Windows 2000 computer? How long could
that possibly take, a few minutes? If you confirm that no
certificates are missing, the other sections of that article then
become relevant, by telling you the other possible dependencies. I
don't see any reason to delay checking all of the dependencies in
the article, to confirm these are not the problem. For example,
you haven't told us whether the crypto service is starting on your
computers [one of the troubleshooting steps mentioned in the
article], unregistering and re-registering the DLLs in question,
etc. I had a similar problem and ran through most of the steps in
an hour or less, much less time than we've spent arguing about
whether or not that article is the answer to your question. I
really can't figure out what your aversion is to you or someone
else on the IT staff there trying out all the steps in the article.
It makes me wonder if perhaps the real reason Microsoft has so far
avoided answering the question is because they no longer support
Windows 2000 to that degree.
As far as tech support goes, Windows 2000 is every bit as supported
as it was on the first day of its release, unless you're asking for
new functionality to be programmed.
Imaginary (but sadly plausible) Microsoftian dialog:
Very imaginary.
found the problem on any WXP machine). That means it would be
fundamentally impossible to know whether or not a W2K machine has
valid system files, unless you use the CD to restore the original
system files.
Or you use a computer that isn't having the problem, or a freshly
installed computer.
Of course that
cure would be worse than the disease, since you would almost
surely be *undoing* various security patches.
Not in Windows 2000 and newer, it tracks and replaces updated files
for you. I wouldn't be using the install CD here though, it's
unnecessary.
Note that if all W2K machines are
missing certain security certificates, then the frequently
appearing suggestion (in many of Microsoft's "support" Web pages)
of copying them (via export) from another W2K machine is not going
to work, either.
That's why you copy them from a known working Windows 2000
computer, or at least compare them with a known working computer,
in the default settings that havent been touched by your IT staff.
Because you refuse to look at the certificates and compare them, we
really have no idea whether the problem is really missing
certificates or not.
Mr. Dilley's rudeness was rather amusing (or even hypocritical) in
a post that apparently accused someone else of rudeness. (Hard to
be sure what his intended points were, since they were so badly
expressed.)]
I understood them. His point is that you are very rude and yet you
need and demand assistance from the people you are insulting.
Also, your IT staff should be the primary ones troubleshooting
this, not you.
Shannon Jacobs said:newsgroups, I had already spent quite a bit of time trying to do it the
"Microsoft way", and found out that I was apparently wasting my time.
make progress by that path, there would need to be some way to establish a
relationship between a file and the security certificate it requires.
I really am curious why you (Karl Levinson, mvp) persist in blath^H^H^H^H^H
commenting about a technical topic you know so little about.
import all of them? (Actually, I suspect that approach would actually fail
unless they were imported in the proper order.)
relationship between a file and the security certificate it requires. I can
definitely say that the specific security certificates listed in that
article (and in several others) are already present and therefore do NOT
solve the problems on at least one machine.
the same time. Still, I do have the impression that the problem is not
absolutely uniform, but that some machines are missing more certificates
than others.
Shannon Jacobs said:newsgroups, I had already spent quite a bit of time trying to do it
the "Microsoft way", and found out that I was apparently wasting my
time.
Naturally there's a chance all the various eight steps in the article
may not fix your problem. It's still necessary to try them [again]
and report back what happened.
I don't believe you really tried those steps, or didn't try them the
right way, or tried step 1 on one computer and step 8 on a different
computer, or you got some error message when trying these steps
several months ago that we need to know about. Just saying "tried
it, didn't fix my problem" is NOT enough information. But then you
knew that already, because you are an experienced tech support person.
make progress by that path, there would need to be some way to
establish a relationship between a file and the security certificate
it requires.
Not correct. There's no such thing as an association between a cert
and a signed file, the association is in the file itself. The
article I posted does tell you about many of the other dependencies
that have nothing to do with certificates or files.
I really am curious why you (Karl Levinson, mvp) persist in
blath^H^H^H^H^H commenting about a technical topic you know so
little about.import all of them? (Actually, I suspect that approach would
actually fail unless they were imported in the proper order.)
You are again incorrect about how PKI works. If you're going to
baselessly claim that I know nothing about PKI certificates in
Windows, you should avoid making multiple inaccurate statements
yourself in the same post.
relationship between a file and the security certificate it
requires. I can definitely say that the specific security
certificates listed in that article (and in several others) are
already present and therefore do NOT solve the problems on at least
one machine.
You should have said that before. So now we know you looked and made
sure all the certificates are there.
the same time. Still, I do have the impression that the problem is
not absolutely uniform, but that some machines are missing more
certificates than others.
Oops. I thought you said all the certificates were there? Which
ones are missing? How do you expect the machines missing
certificates to ever work? Besides, just two days ago you said the
problem was "How can missing security certificates be identified and
replaced?"
I still don't believe you've checked to see what certificates are
missing, and the other 7 steps, etc. Ignore all the certificates
there. Only look at the three or so mentioned in the article.
Counting total number of certs or looking at all the other certs is
irrelevant.
Shannon Jacobs said:And why do you want to disguise your identity now with the cute bracket trick? Have
you suddenly become ashamed of your name?])
Of course, Microsoft can, to a great degree, ignore
the real world
From an actual security expert (found elsewhere),
I qualified my statement about the certificate chains fairly carefully
because in the real world there are several public key algorithms, various
implementations, and a variety of possible steps involved in importing
security certificates.
apparently claiming expertise in the "Microsoft way" of security.
if you study Microsoft's "support" pages as carefully as you claim,
would notice a number of points that do suggest their security certificates
do use chaining and that there are sequence dependencies, and therefore I
could not word my statement in more absolute terms.
I have actually been
informed that the certificate problems with W2K are fairly well known--and
actually started as long ago as SP1.
We are still discussing the situation,
but he thinks the situation is broken beyond repair. However, if we do find
a solution, it would be amusing to circulate it and let it trickle back to
Microsoft.
Now that I've considered the technical aspects,
Shannon Jacobs said:And why do you want to disguise your identity now with the cute
bracket trick? Have you suddenly become ashamed of your name?])
You're right, you caught me. I added Karl Levinson [x y] to the end
of my name so you wouldn't figure out it was me. How did you ever
figure out it was me?
Thanks for finding my [] brackets cute. I'll explain how the trick
works later, it's complicated. It involves pressing certain keys,
and making a mountain out of a molehill.
Of course, Microsoft can, to a great degree, ignore
the real world
I'm not sure you're fully in "the real world."
From an actual security expert (found elsewhere),
If "elsewhere" is so much better, then I suggest you spend more time
there.
I qualified my statement about the certificate chains fairly
carefully because in the real world there are several public key
algorithms, various implementations, and a variety of possible steps
involved in importing security certificates.
Yes, there are a lot of PKI solutions out there. Why would you bother
bringing them up in trying to fix this problem? They are irrelevant
here and are only confusing you. The differences between, say, PGP
and Microsoft code signing are not proof that Microsoft is writing
its own RFCs.
apparently claiming expertise in the "Microsoft way" of security.
if you study Microsoft's "support" pages as carefully as you claim,
I said none of these things. I simply tried to point out that you
said some things that are inaccurate, but apparently you don't make
mistakes.
would notice a number of points that do suggest their security
certificates do use chaining and that there are sequence
dependencies, and therefore I could not word my statement in more
absolute terms.
Chaining is not the same thing as saying you have to install or
re-install certificates in a particular order. If you deleted them
out of order, just go ahead and use Microsoft's instructions to
restore them, regardless of order.
I have actually been
informed that the certificate problems with W2K are fairly well
known--and actually started as long ago as SP1.
You can't provide specifics, because you are spouting nonsense. You
also claim that Win2K certificates are irreparably broken, and yet
you seem to be the only one having these problems. Sounds like user
error, or an ID ten T problem.
We are still discussing the situation,
but he thinks the situation is broken beyond repair. However, if we
do find a solution, it would be amusing to circulate it and let it
trickle back to Microsoft.
I don't know why you hide behind this pretense of being forced to
support and use Microsoft products. There are no *nix support jobs
available in your country? Either make the switch, or stop posing
and whining about it. It gets rather boring.
Now that I've considered the technical aspects,
Funny how you've "considered the technical aspects," and yet you
haven't said a single thing to clarify what your problem is. In the
past two days you have said that certs are missing, certs are not
missing, you need to know how to restore certs, you know how to
restore the certs and your method is easier than Microsoft's, and
restoring the missing certs would not fix your problem.
You also have never addressed why exactly you mistakenly think the
link I posted doesn't answer your questions. It quite plainly gives
the certs and files you need to check, and you keep coming back with
non-existent Microsoft conversations in your head and vague
discussions about the existence of other irrelevant non-Microsoft PKI
solutions.
Shannon Jacobs said:Why did you (Karl Levinson, mvp) post all this stuff? Isn't that a question
you can actually handle? Since you have nothing interesting to say, why not
say nothing?
The security problem is Microsoft's,
but you (Karl Levinson, mvp) have not been any part of the solution.
Shannon Jacobs said:Why did you (Karl Levinson, mvp) post all this stuff? Isn't that a
question you can actually handle? Since you have nothing interesting
to say, why not say nothing?
I ask you all the same questions.
By the way, thanks for all the extra brownie points. Keep arguing
with me for a few more posts, and I'll have enough for a trip to
Bermuda.
Believe it or not, I truly just want you to follow the steps in the
article I posted, so we can help fix your problem. [Don't forget to
perform step 13 from the article, which states "Put $50 into an
envelope and mail it to..."]
The security problem is Microsoft's,
I believe the security problem is yours. No one else besides you is
having this problem. You blamed MS, and us, every step of the way,
even when you thought the problem was that you had taken it upon
yourself to delete old certificates.
but you (Karl Levinson, mvp) have not been any part of the solution.
The link I gave you is the solution, or part of the solution. You
are just too stubborn and arrogant to bother trying it and reporting
back what happens. I'm telling you that following those procedures
and reporting back what happened when you did them is part of the
solution. You asked how to identify and replace the certs MS uses
for signing Windows files; that link tells you that. You asked how
to establish an association between those certs and the signed files;
that link also tells you that.
http://support.microsoft.com/default.aspx/kb/822798
I don't believe you really followed all 8 of those steps in a
methodical order. But even if you did, you aren't able to tell us
the necessary information about what happened after you followed the
instructions. Example, "I followed the instructions and confirmed all
certs are there, but the X service still isn't starting and is giving
error message Y, or one of the DLLs couldn't be re-registered because
it was missing." You say some workstations are missing some certs,
but can't tell us which certs are missing, and haven't bothered to
replace the certs despite having the instructions on how to do that
via the link I gave you.
http://support.microsoft.com/default.aspx/kb/822798
We could tell you what to do next when the steps in that article
fail, but we would need to know how those steps failed exactly to
guess what to suggest to you next. Because you don't have this
information, you need to follow that article again to give us this
information.
http://support.microsoft.com/default.aspx/kb/822798
Your problem will probably never be solved until you follow the steps
in the article above and tell us, or someone, exactly what happened.