If a certificate that has the subject information access (SIA) extension is installed on a Windows Vista Service Pack 1 (SP1)-based computer or on a Windows Server 2008-based computer, applications that involve certificate validation become very slow. For example, you may experience a delay of 2 to 5 minutes when you visit a secure Web site or when you verify a file signature.
All tag results for ‘Certificate’
KB955805
September 19th, 2008 · No Comments · 169 views
KB954809
September 13th, 2008 · No Comments · 128 views
Consider the following scenario.
- On a Web Distributed Authoring and Versioning (WebDAV) site, you set the Secure Sockets Layer (SSL) setting for client certificates to Accept.
- On a computer that is running Windows Vista or Windows Server 2008, a user adds this WebDAV site by running the Add Network Location Wizard or the Map Network Drive Wizard.
- After the user finishes running the wizard, the Select Certificate dialog box is displayed. In the Select Certificate dialog box, the user clicks Cancel.
In this scenario, you expect the user to obtain an instant connection to the WebDAV site or to receive a dialog box that requests the user’s credentials. Instead, the operation exits unexpectedly.
Notes
- When the SSL setting for client certificates is set to Accept, you expect the user to be able to provide a certificate or credentials to access the WebDAV site.
- This issue does not occur on a computer that is running Windows XP or Windows Server 2003.
KB956544
August 30th, 2008 · No Comments · 169 views
When you enroll a certificate on a computer that is running Windows Vista or that is running Windows Server 2008, you are prompted to insert a smart card even though a smart card is already inserted. After you unplug your smart card and then plug it in again, the certificate enrollment process continues successfully.
However, if the smart card and the reader are integrated into one unit, you cannot unplug the smart card. For example, if you use a USB token device as a smart card, the certificate enrollment process does not continue even after you unplug and then plug in the USB token device. Therefore, the certificate enrollment fails.
KB949540
March 10th, 2008 · No Comments · 353 views
Consider the following scenario:
- On a Windows Vista-based computer, you create a connection security rule that uses a computer certificate.
- In this security rule, you enable the Accept health certificates only option.
In this scenario, the local-to-local connection is broken on the Windows Vista-based computer.
For example, assume that you start Internet Information Services (IIS) on the Windows Vista-based computer. When you try to connect to the local address by entering either “http://localhost” or the local IP address in Internet Explorer, you discover that the connection is broken.
Note: This problem does not occur if the Accept health certificates only option is not enabled or if Kerberos authentication is used.
KB947237
February 7th, 2008 · 1 Comment · 316 views
The autoenrollment functionality fails when a Windows Vista-based computer uses version 2 (V2) certificates. Additionally, an event that resembles the following is logged in the Application log:
Log Name: Application
Source: Microsoft-Windows-CertificateServicesClient-CertEnroll
Date: Date
Event ID: 13
Task Category: None
Level: Error
Keywords: Classic
User: User SID
Computer: Computer Name
Description: Certificate enrollment for Local system failed to enroll a template certificate from certification authority. (The RPC server is unavailable. 0x800706ba. (Win32:1722))
KB945121
February 1st, 2008 · No Comments · 603 views
Consider the following scenario:
- You have an untrusted root certification authority (CA).
- In a certificate enrollment Web page, you issue an end entity certificate that is chained to the untrusted root CA.
- The certificate enrollment Web page uses the InstallResponse method of the IX509Enrollment interface of the CertEnroll COM object to install the end entity certificate to a client computer.
In this scenario, when a user uses Windows Internet Explorer 7 to open the certificate enrollment Web page and install the end entity certificate on a Windows Vista-based client computer, the installation may fail. Additionally, the user may receive one of the following error messages from the InstallResponse method of the IX509Enrollment interface:
Error Code: E_ACCESSDENIED 0x80070005L
Error Message: “General access denied error”
This error occurs if the certificate response is installed by using an InstallResponseRestrictionFlags value other than AllowNone, such as AllowUntrustedRoot.
Error Code: CERT_E_CHAINING 0x800B010AL
Error Message: “A certificate chain could not be built to a trusted root authority”
This error occurs if the certificate chain response contains an end entity certificate but not the complete certificate chain to a root CA.
Error Code: CERT_E_UNTRUSTEDROOT 0x800B0109L
Error Message: “A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider”
This error occurs if the certificate chain response contains the leaf end entity certificate that chains to an untrusted root CA.
KB942543
October 4th, 2007 · No Comments · 272 views
After you successfully import a certificate on a Windows Vista-based computer, you cannot view the certificate information in Windows Internet Explorer 7 or in Certificate Manager.
KB940810
September 28th, 2007 · No Comments · 305 views
On a Windows Vista-based computer, you use the Certificate Import Wizard to try to install a certificate. To do this, you double-click the certificate file, and then you click Install Certificate. During the installation, the Rundll32.exe process may crash.
This problem occurs if a third-party cryptographic service provider (CSP) is installed on the computer.
KB935576
July 28th, 2007 · No Comments · 294 views
Consider the following scenario:
- On a Windows Vista-based computer, you log on to a domain.
- You use a smart card certificate to establish a remote access connection.
- You try to connect the Windows Vista-based computer to a shared resource in a foreign domain by using the remote access connection.
In this scenario, Kerberos authentication that uses the Public Key Initialization (PKINIT) protocol in the foreign domain fails. For example, when you use the net use \\ComputerName\ShareName command to connect the computer to a shared resource in the foreign domain, you cannot make the connection.
Note: PKINIT is an Internet Engineering Task Force (IETF) Internet Draft for “Public Key Cryptography for Initial Authentication in Kerberos.” Windows Vista uses the PKINIT protocol when you use a smart card to perform an interactive logon.
KB939882
July 23rd, 2007 · No Comments · 458 views
After you enable automatic enrollment for certificates in an Active Directory domain environment, automatic enrollment occasionally fails on a Windows Vista-based client computer. Therefore, the client computer cannot obtain certificates automatically.
When this problem occurs, an event that resembles the following is logged in the Application log on the client computer:
Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: Date
Time: Time
User: N/A
Computer: Computer
Description: Automatic certificate enrollment for Local system failed to enroll the CertType certificate from CA-name (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).
If you run the ipconfig /displaydns command on the client computer to display the content of the DNS resolver cache, the command output indicates that a negative DNS cache entry was created for the NetBIOS name of the certification authority (CA) server.
This problem occurs when the client computer is configured to use multiple DNS suffixes.

