Troubleshooting certificate issues in Software Defined Networking (SDN)

As you may be aware, Network Controller in Windows Server 2016 uses certificate based authentication for communicating with Hyper-V hosts and Software Load Balancer MUX virtual machines (VMs).

Some SDN customers have complained about communication issues between Network Controller and hosts, even though certificates were correctly configured on both entities.

On debugging, we found that the customer had installed a non self-signed certificate into the computer’s Trusted Root Certification Authorities store. Although this certificate was not involved in communication between Network Controller and the hosts, the presence of such a certificate broke client authentication. Here is a view of some of the certificate properties:

 

The following Knowledge Base article provides information about this issue: "Internet Information Services (IIS) 8 may reject client certificate requests with HTTP 403.7 or 403.16 errors".

To resolve this issue, you can uninstall the non self-signed certificate from the Trusted Root Certification Authorities certificate store for the Local Computer, or move the certificate to the Intermediate Certification Authorities store.

One more thing to note is that the Personal (My – cert:\localmachine\my) certificate store on the Hyper-V host must have exactly one X.509 certificate with Subject Name (CN) equal to the host FQDN. This certificate is used for communication with the Network Controller.

This behavior is due to a bug in the system and will be fixed shortly. For now, please ensure that you have only one certificate with the Subject Name (CN) as the host FQDN.
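The following PowerShell is an added example, not code from the original post or from Microsoft, that checks both conditions described above on a Hyper-V host without changing anything: it lists any certificate in the Local Computer Trusted Root Certification Authorities store that is not self-signed (Issuer differs from Subject, the usual heuristic), and it counts the certificates in the Personal store whose CN matches the host FQDN. It assumes the standard `Cert:` provider is available and that the FQDN returned by DNS for the local machine is the name the Network Controller expects.

```powershell
# Added diagnostic (not from the original post). Read-only: it reports, it does not remediate.

# Assumption: the host FQDN as resolved by DNS is the CN the Network Controller expects.
$hostFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Trusted Root should hold only self-signed certificates (Subject == Issuer).
#    Anything else belongs in Intermediate Certification Authorities, or should be removed.
$nonSelfSigned = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -ne $_.Issuer })

if ($nonSelfSigned.Count -gt 0) {
    Write-Warning "Non self-signed certificate(s) in Cert:\LocalMachine\Root (breaks client-certificate authentication):"
    $nonSelfSigned | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize
    Write-Host "Remove each one, or move it to Cert:\LocalMachine\CA (Intermediate Certification Authorities)."
} else {
    Write-Host "OK: Cert:\LocalMachine\Root contains only self-signed certificates."
}

# 2. Personal store must hold exactly one certificate whose Subject CN is the host FQDN.
$hostCerts = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        # SimpleName returns the CN component of the Subject.
        $cn = $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $cn -ieq $hostFqdn
    })

switch ($hostCerts.Count) {
    1 { Write-Host "OK: exactly one certificate with CN=$hostFqdn in Cert:\LocalMachine\My (thumbprint $($hostCerts[0].Thumbprint))." }
    0 { Write-Warning "No certificate with CN=$hostFqdn found in Cert:\LocalMachine\My." }
    default {
        Write-Warning "$($hostCerts.Count) certificates with CN=$hostFqdn in Cert:\LocalMachine\My; the Network Controller expects exactly one:"
        $hostCerts | Format-Table Thumbprint, NotBefore, NotAfter -AutoSize
    }
}
```

Run it in an elevated PowerShell session on the Hyper-V host. Wrapping the results in `@()` keeps `.Count` reliable when zero or one certificate is returned; the Subject/Issuer comparison is a heuristic for "self-signed", so inspect the listed certificates before removing or moving any of them.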

For more information, see the following topics in the Windows Server 2016 Technical Library.

Anirban Paul, Senior Program Manager