The ENC client fails to connect to the ENC Server during verification process with the error message "the client has rejected the server certificate"

Document ID : KB000050097
Last Modified Date : 14/02/2018
Show Technical Document Details

Description:

The ENC client fails to connect to the ENC Server during the verification process. Even though the required ports are open bidirectional, when we execute the 'ENCCLIENT STATUS' command, the error message "the client has rejected the server certificate" is displayed.

Solution:

The TRC_CF_ENCCLIENT_x.log file, shows the following messages even though the required certificates are valid and in place:

INFO | Created security context for <notreal.madeup.com>
ERROR | CSRS::listen: no SRS connection
ERROR | CConnectMgr::initListen: failed to listen on port 4728
INFO | CClient::sendListenResp[id=604]: sending listen response(3003)
DETAIL | CConnectMgr::workerThread: exit
INFO | InitializeSecurityContext(1) returned <80090318>
INFO | Expected data from InitializeSecurityContext(1) but got none.
ERROR | EncInitializeSecurityContext: Catastrophic failure

Note: You can find the ENC logs in the %sdroot%\..\logs folder.

Solution:
This failure can happen when there are multiple certificates registered to the ENC Manager. In this situation, when the ENC Manager transmits the list of certificates to the ENC client, and when the list exceeds the maximum file size that Microsoft allows for this action (16384 bytes), the certificate verification may fail. To correct this situation, do the following:
> Delete the unwanted certificates from the ENC Manager computer and try again.
> Disable the default auto-update/auto-enroll certificates function on the operating system. Disabling the function will help prevent this situation from occurring in the future, provided the number of certificates does not exceed the allowable transmission buffer.

You can refer to the steps on how to configure Auto-enroll certificates on Windows using the following link:
http://technet.microsoft.com/en-us/library/cc737159%28WS.10%29.aspx
http://www.tech-faq.com/the-certificate-enrollment-process.html

Disclaimer Note: The content of the pages in the links above is for general information/use. CA Technologies does not take responsibility of any incorrect information, if any, published on these pages.