Software Defined Networking (SDN) Senior Program Manager Anirban Paul continues his contribution to his SDN Troubleshooting series on this blog with the following information about troubleshooting certificate issues in SDN. The rest of this post is provided by Anirban to assist you with your SDN deployment using Windows Server 2016 Datacenter edition.
As you may be aware, Network Controller in Windows Server 2016 uses certificate based authentication for communicating with Hyper-V hosts and Software Load Balancer Multiplexor (MUX) virtual machines (VMs).
Some SDN customers have complained about communication issues between Network Controller and hosts, although certificates were correctly configured on both the entities.
On debugging, we found that the customer had installed a non self-signed certificate into the computer's Trusted Root Certification Authorities store. Although this certificate was not involved in communication between Network Controller and the hosts, the presence of such a certificate breaks client authentication. Here is a view of some of the certificate properties:
The following Knowledge Base article provides information about this issue: Internet Information Services (IIS) 8 may reject client certificate requests with HTTP 403.7 or 403.16 errors
To resolve this issue, you can uninstall the non-self-signed certificate from the Trusted Root Certification Authorities certificate store for the Local Computer , or move the certificate to the Intermediate Certification Authorities store.
One more thing to note is that that the Personal (My – cert:\localmachine\my) certificate store on the Hyper-V host must have exactly one X.509 certificate with Subject Name (CN) as the host FQDN. This certificate is used for communication with Network Controller.
This behavior is due to a bug in the system and will be fixed shortly. For now, please ensure that you have only one certificate with the Subject Name (CN) as the host FQDN.
For more information, see the following topics in the Windows Server 2016 Technical Library.