
ProfileUnity doesn't run at login - Error: The revocation process could not continue - the certificate(s) could not be checked.

Product: ProfileUnity

Product Version: 5.5 and above

Expires on: 365 days from publish date

Updated: August 20, 2015

 

Problem:

ProfileUnity doesn't run at login, and the elevation log shows the error "The revocation process could not continue - the certificate(s) could not be checked." To locate the elevation log, see:

https://liquidwarelabs.zendesk.com/entries/29568963-Where-To-Find-ProfileUnity-Logs

 

Symptoms:

ProfileUnity does not run at login.

Your elevation log has this in it.

[lwl_elevation_service.1492, 8/20/2015 8:36:14.825 AM; Informational]: Trust verification failed on path: C:\Program Files\ProfileUnity\client.exe Error: The revocation process could not continue - the certificate(s) could not be checked.

[lwl_elevation_service.1492, 8/20/2015 8:36:14.825 AM; Informational]: The path: C:\Program Files\ProfileUnity\client.exe is not allowed to be elevated by policy.

 

The error occurs when the following Internet Explorer setting is applied:

http://www.stigviewer.com/stig/internet_explorer_8/2015-06-30/finding/V-32808

 

 

Possible Resolution(s):

When ProfileUnity elevates itself, we check that our code is signed by us, so that no one can hijack our elevation process and gain administrator rights to the OS. When “Check for publishers certificate revocation must be enforced” is enforced, the binary that checks the certificate must contact the certificate's CRL URL to confirm that the certificate is still valid. Because our elevation functions run under the system account, this URL cannot be checked.

 

The resolution is to stop using our code signature as the check that validates our binaries and to use the SHA1 hash of client.exe instead. This is just as secure as certificate checking. Keep in mind that this hash will need to be updated with each release or patch.

 

Create a SHA1 hash of client.exe

 

  1. If ProfileUnity is in the base
    1. Edit this file “C:\Program Files\ProfileUnity\elevation\lwl_elevation_service.xml”
    2. Remove this line <path signed="Liquidware Labs, Inc."/>
    3. Add this line <path hash="djfjds89uds98fd90s"/>
    4. Recompose

 

  1. If ProfileUnity is not in the base
    1. In the deployment path, open elevation.zip
    2. Edit this file “C:\Program Files\ProfileUnity\elevation\lwl_elevation_service.xml”
    3. Remove this line <path hash="Liquidware Labs, Inc."/>
    4. Add this line <Sha1="djfjds89uds98fd90s"/>
    5. Edit LwL.ProfileUnity.Client.Startup.exe.config
    6. Change this line
       <setting name="ElevationVersion" serializeAs="String">
               <value>6.5.5696-d5e8616</value>
       to
       <setting name="ElevationVersion" serializeAs="String">
               <value>6.5.5696-d5e8617</value>
    7. Refresh pool
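
An added example, not from Liquidware: a PowerShell script that computes the SHA1 of client.exe and compares it with the hash entries in lwl_elevation_service.xml, so a stale value is caught after a release or patch. It assumes the hash attribute holds the digest as a hex string, which the article does not state; the default paths are the ones named above.

```powershell
# Added example (not vendor code): check that the SHA1 pinned in the
# elevation policy still matches the installed client.exe.
# Assumption: <path hash="..."/> stores the SHA1 digest as a hex string.
param(
    [string]$ClientPath = 'C:\Program Files\ProfileUnity\client.exe',
    [string]$PolicyPath = 'C:\Program Files\ProfileUnity\elevation\lwl_elevation_service.xml'
)

$ErrorActionPreference = 'Stop'

# Get-FileHash ships with PowerShell 4.0 and later; .Hash is upper-case hex.
$actual = (Get-FileHash -LiteralPath $ClientPath -Algorithm SHA1).Hash

# Load the policy file. local-name() keeps the XPath working whether or not
# the file declares a default XML namespace.
[xml]$policy = Get-Content -LiteralPath $PolicyPath -Raw
$hashNodes   = $policy.SelectNodes("//*[local-name()='path'][@hash]")
$signedNodes = $policy.SelectNodes("//*[local-name()='path'][@signed]")

# Collect every pinned hash value, trimmed of stray whitespace.
$pinned = @($hashNodes | ForEach-Object { $_.GetAttribute('hash').Trim() })

# The procedure above removes the signed= rule; report it if it is still there.
if ($signedNodes.Count -gt 0) {
    Write-Warning "Policy still contains $($signedNodes.Count) signed= rule(s)."
}

# PowerShell string comparison is case-insensitive, so hex case does not matter.
if ($pinned.Count -eq 0) {
    Write-Warning "No path entry with a hash attribute found in $PolicyPath"
} elseif ($pinned -contains $actual) {
    Write-Output "OK: client.exe SHA1 $actual matches the policy."
} else {
    Write-Warning "Mismatch: client.exe SHA1 is $actual but the policy pins: $($pinned -join ', ')"
}
```

Run it against the edited policy file before recomposing or refreshing the pool, and again after each ProfileUnity release or patch.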
