000034913 - Unable to open RSA Archer Control Panel due to duplicate certificates in certificate store: Found multiple X.509 certificates using the following search criteria.

Document created by RSA Customer Support Employee on Mar 8, 2017
Last modified by RSA Customer Support on Jul 1, 2019
Version 3

Article Content

Article Number: 000034913
Applies To: RSA Product Set: Archer
Platform: Windows
Issue
The RSA Archer Configuration Service starts; however, the following errors are encountered when loading the RSA Archer Control Panel (ACP). The errors are shown in the Output panel of the RSA Archer Control Panel.
 
An error occurred reading the instance groups. Unexpected failure when broadcasting or receiving. 


An error occurred loading the instances. Unexpected failure when broadcasting or receiving.


Below is an example of what is seen in the ACP:



User-added image




The following error is observed in the Archer.ArcherTech.Services.ConfigurationService.YYYYMMDD.xml:



<E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
    <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
        <EventID>0</EventID>
        <Type>3</Type>
        <SubType Name="Error">0</SubType>
        <Level>2</Level>
        <TimeCreated SystemTime="2017-03-06T07:55:42.0522317Z" />
        <Source Name="Archer.NET" />
        <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
        <Execution ProcessName="ArcherTech.Services.ConfigurationService" ProcessID="1052" ThreadID="6" />
        <AssemblyVersion>5.5.10000.1088</AssemblyVersion>
        <Channel />
        <Computer>ArcherHost</Computer>
    </System>
    <ApplicationData>
        <TraceData>
            <DataItem>
                <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
                    <TraceIdentifier>Archer.NET</TraceIdentifier>
                    <Description>Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'mydomain.com'. Provide a more specific find value.</Description>
                    <AppDomain>ArcherTech.Services.ConfigurationService.exe</AppDomain>
                    <Exception>
                        <ExceptionType>System.InvalidOperationException, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
                        <Message>Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'mydomain.com'. Provide a more specific find value.</Message>
                        <Source>System.ServiceModel</Source>
                        <StackTrace>   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStoreCore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target, Boolean throwIfMultipleOrNoMatch)
   at System.ServiceModel.Security.SecurityUtils.GetCertificateFromStore(StoreName storeName, StoreLocation storeLocation, X509FindType findType, Object findValue, EndpointAddress target)
   at System.ServiceModel.Configuration.X509ClientCertificateCredentialsElement.ApplyConfiguration(X509CertificateInitiatorServiceCredential creds)
   at System.ServiceModel.Configuration.ServiceCredentialsElement.ApplyConfiguration(ServiceCredentials behavior)
   at System.ServiceModel.Configuration.ServiceCredentialsElement.CreateBehavior()
   at System.ServiceModel.Description.ConfigLoader.LoadBehaviors[T](ServiceModelExtensionCollectionElement`1 behaviorElement, KeyedByTypeCollection`1 behaviors, Boolean commonBehaviors)
   at System.ServiceModel.Description.ConfigLoader.LoadServiceDescription(ServiceHostBase host, ServiceDescription description, ServiceElement serviceElement, Action`1 addBaseAddress, Boolean skipHost)
   at System.ServiceModel.ServiceHostBase.LoadConfigurationSectionInternal(ConfigLoader configLoader, ServiceDescription description, ServiceElement serviceSection)
   at System.ServiceModel.ServiceHost.ApplyConfiguration()
   at System.ServiceModel.ServiceHostBase.InitializeDescription(UriSchemeKeyedCollection baseAddresses)
   at System.ServiceModel.ServiceHost..ctor(Type serviceType, Uri[] baseAddresses)
   at ArcherTech.Configuration.ServiceHostFactory.GetServiceHost(Type serviceHostType)
   at ArcherTech.Services.ConfigurationService.ConfigurationService.StartService()</StackTrace>
                    </Exception>
                </TraceRecord>
            </DataItem>
        </TraceData>
    </ApplicationData>
</E2ETraceEvent>

 



The following error is observed in the Windows Event Viewer:



Log Name:      Archer
Source:        Archer
Date:          3/6/2017 7:06:17 PM
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      ArcherHost.mydomain.com
Description:
Error initializing log center - ArcherTech.Configuration.ConfigurationServiceException: Unexpected failure when broadcasting or receiving. ---> System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.
   --- End of inner exception stack trace ---

Server stack trace: 


   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)


   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)


   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)


   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)



Exception rethrown at [0]: 


   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at ArcherTech.Configuration.IConfigurationServiceAPI.AssemblyVersion()
   at ArcherTech.Configuration.WCFPropertyServiceClient.<AssemblyVersion>b__12()
   at ArcherTech.Configuration.WCFPropertyServiceClient.ExecuteInOperationContextScope[TResult](Func`1 func)
   at ArcherTech.Configuration.WCFPropertyServiceClient.AssemblyVersion()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.IsValidClient(IConfigurationServiceAPI testClient, Exception& exception)
   --- End of inner exception stack trace ---
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetWCFPropertyServiceClient()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetPropertyServiceProxy()
   at ArcherTech.Configuration.PropertyServiceClient.GetListeners()
   at ArcherTech.Configuration.PropertyServiceClient.ArcherTech.Configuration.ICommunicationProvider.GetListeners()


   at Security2000.Global.Start()




    <System>
    <Provider Name="Archer" />
    <EventID Qualifiers="0">0</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2017-03-06T11:06:17.000000000Z" />
    <EventRecordID>57743</EventRecordID>
    <Channel>Archer</Channel>
    <Computer>ArcherHost.mydomain.com</Computer>
    <Security />
  </System>


  <EventData>


    <Data>Error initializing log center - ArcherTech.Configuration.ConfigurationServiceException: Unexpected failure when broadcasting or receiving. ---&gt; System.ServiceModel.Security.MessageSecurityException: An unsecured or incorrectly secured fault was received from the other party. See the inner FaultException for the fault code and detail. ---> System.ServiceModel.FaultException: An error occurred when verifying security for the message.


   --- End of inner exception stack trace ---

Server stack trace: 


   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.ProcessReply(Message reply, SecurityProtocolCorrelationState correlationState, TimeSpan timeout)
   at System.ServiceModel.Channels.SecurityChannelFactory`1.SecurityRequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.DoOperation(SecuritySessionOperation operation, EndpointAddress target, Uri via, SecurityToken currentToken, TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionSecurityTokenProvider.GetTokenCore(TimeSpan timeout)
   at System.IdentityModel.Selectors.SecurityTokenProvider.GetToken(TimeSpan timeout)
   at System.ServiceModel.Security.SecuritySessionClientSettings`1.ClientSecuritySessionChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
   at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)


 


Exception rethrown at [0]: 


   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData&amp; msgData, Int32 type)
   at ArcherTech.Configuration.IConfigurationServiceAPI.AssemblyVersion()
   at ArcherTech.Configuration.WCFPropertyServiceClient.&lt;AssemblyVersion&gt;b__12()
   at ArcherTech.Configuration.WCFPropertyServiceClient.ExecuteInOperationContextScope[TResult](Func`1 func)
   at ArcherTech.Configuration.WCFPropertyServiceClient.AssemblyVersion()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.IsValidClient(IConfigurationServiceAPI testClient, Exception&amp; exception)
   --- End of inner exception stack trace ---
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetWCFPropertyServiceClient()
   at ArcherTech.Configuration.PropertyServiceProxyFactory.GetPropertyServiceProxy()
   at ArcherTech.Configuration.PropertyServiceClient.GetListeners()
   at ArcherTech.Configuration.PropertyServiceClient.ArcherTech.Configuration.ICommunicationProvider.GetListeners()
   at Security2000.Global.Start()</Data>


  </EventData>
</Event>



 

Cause
This issue is commonly found in environments where a CA-issued certificate is used with the RSA Archer installation and a duplicate CA certificate was left in the certificate store after certificate renewal.

The example above shows the duplicate CA certificate (for example mydomain.com) found in the Certificate Store.
Resolution
  1. Review the certificate store on the RSA Archer server.
  2. Open the Microsoft Management Console (MMC).
  3. Add the Certificate Snap-in for Computer Account then select Local Computer.
  4. Expand Certificates (Local Computer) and navigate to Personal > Certificates.
  5. Verify if there are duplicate certificates and remove only the old/expired certificate (for example, mydomain.com).
  6. Restart the RSA Archer Configuration Service.
  7. Review the Archer.ArcherTech.Services.ConfigurationService.YYYYMMDD.xml and ensure the error is corrected. You do not want to see the following text:

Found multiple X.509 certificates using the following search criteria: StoreName 'My', StoreLocation 'LocalMachine', FindType 'FindBySubjectName', FindValue 'mydomain.com'. Provide a more specific find value.


  8. The RSA Archer Control Panel will load correctly once the error is fixed.
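
The read-only check below is an added example, not part of the RSA article: it repeats the FindBySubjectName search named in the error against LocalMachine\My so the matching certificates can be compared by thumbprint and expiry before removing anything in step 5, then looks for the error text in the log after the restart in step 6. `$findValue` and `$logPath` are placeholders to replace with your own values.

```powershell
# Assumption: the FindValue reported in the error message; replace with your own.
$findValue = 'mydomain.com'
# Assumption: placeholder path; point this at today's Configuration Service log file.
$logPath = 'C:\path\to\logs\Archer.ArcherTech.Services.ConfigurationService.YYYYMMDD.xml'

# Open the store named in the error (StoreName 'My', StoreLocation 'LocalMachine') read-only.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
try {
    # FindBySubjectName is a case-insensitive "contains" match on the subject name,
    # so 'mydomain.com' also matches a certificate issued to 'host.mydomain.com'.
    # validOnly = $false lists expired certificates as well.
    $found = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectName,
        $findValue, $false)

    $now = Get-Date
    $found | Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter, HasPrivateKey,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt $now } } |
        Format-List

    if ($found.Count -gt 1) {
        Write-Warning "$($found.Count) certificates match '$findValue'; the subject-name lookup is ambiguous."
    } elseif ($found.Count -eq 1) {
        Write-Output "Exactly one certificate matches '$findValue'."
    } else {
        Write-Warning "No certificate matches '$findValue'."
    }
}
finally {
    $store.Close()
}

# After restarting the service, confirm the error text is no longer being logged.
if (Test-Path -LiteralPath $logPath) {
    $hits = Select-String -LiteralPath $logPath -SimpleMatch -Pattern 'Found multiple X.509 certificates'
    if ($hits) {
        Write-Warning "Error text still present on $($hits.Count) line(s) of $logPath."
    } else {
        Write-Output "No 'Found multiple X.509 certificates' entries in $logPath."
    }
} else {
    Write-Warning "Log file not found: $logPath"
}
```

The daily log also holds entries written before the restart, so compare the timestamp of any remaining hit with the time the service was restarted.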
