Your connection isn't private on edge after hardening plus no home page

Occasional Contributor

Hi,

We are in the process of setting up a policy for organizational users using Edge and GPO.

We have had a few hickups, two of which I would be happy for assistance with fixing.

It's important that all the fixes are via the GPO settings (ADMX as of build 101 of Edge).

 

The first issue is that when the browser starts, we want it to open to our organizational portal, but it opens to "edge://newtab". We managed to set the home page (when you click the home icon) to our portal, but can't figure out how to get Edge to always open with our portal as the main page.

 

The second issue is even more problematic.

 

On some external web sites, even those you would not expect to get it, we get a "Your connection isn't private" message (when trying to browse to "www.google.com" for example. and the internal error is "NET::ERR_CERT_NO_REVOCATION_MECHANISM"

 

We don't have this issue with IE or chrome to the same websites on the same ws's. And we don't have this issue with internal websites.

 

Anyone have any idea why this is happening only on Edge and what the parameter that could be causing this ? Again, it does not happen on all web sites.

 

Some web sites that give this error allow us to move forwards, while others like google, won't even allow that.

 

Would appreciate any help.

 

Mike

7 Replies

Hello Michael,

Regarding the first issue: Did you configure "Action to take on startup" -> "Open a list of URLs" with the page you want to open on the list?

Regarding the second issue: probably, you don't have the same issue in IE and Chrome because they are not hardened. How many hardening configurations do you have? You can try to remove them step by step, for example, 10 in each step, and then check if Edge starts working properly. Thereby you will be able to find the root cause of the issue with the connection.

@mikhailf,
I have set the setting as you stated, but there is nowhere to write the name of the page I want to open, unless I need to write it in the "Sites to open when the browser starts" area ?

Regarding the second issue, Since it refers to a certificate issue (so it seems), I was hoping for a pointer to settings that might cause this to occur.

There are a lot of settings we have set, but I can't find any that have to do with this sort of issue or would explain why some sites work and others do not.

Hello Michael,

Yes, please, try to write it in the "Sites to open when the browser starts" area.

Here you can find some useful information Sites to open when the browser starts.

 

Regarding the second issue: probably, you restricted some cipher or encryption types in Edge that are not supported by some websites and that are supported by other. 

“ERR_CERT_NO_REVOCATION_MECHANISM” means the certificate has no revocation mechanism, I.e., no CRL or OCSP reference.
I can imagine some CAs issue short-lived certificates and thus provide no means to revoke them. Letsencrypt would be an obvious example, but they *do* provide revocation means via OCSP.
Google, too, issues short-lived (3 months long) certificates for www.google.com but they, too, provide OCSP and CRL in their certificates, at least, for me.

Could it be you are using some middle box (e.g., PaloAlto Networks or Cisco firewall) on your network or antivirus on your computer that does https interception and substitutes certificate with their own? To confirm that, can you view the certificate you get and check if it’s really Google’s? Google certificate is issued by GTS CA which is issued by GTS Root R1. You can inspect real certificates via https://www.ssllabs.com/ssltest/
@mikhaif,
That indeed worked. Thank you. So one issue is fixed :)
Mik

@kevin7461 

 

Hi Kevin,

So I did as you suggested and looked at the certificate, and indeed, it seems as though our systems are generating a new certificate for www.google.com (See attached picture).

What is odd to me is why I do not see this problem with the Chrome browser or Firefox, but only on the Edge, and I am pretty sure it has to do with one of the settings we have set, I just don't for the life of me know which one.

certificate-google-iaa.JPG

We are currently using a proxy from Broadcom (to be replaced in a few months) from Symantec.

Any pointers as to what setting may be causing this issue on Edge only ?

We have hardened the Chrome as well as a side note.

Thanks for the help so far,

Mike

@kevin7461 

 

Based on what you said, I looked over my parameters and found the following setting:

 

"Specify if online OCSP/CRL checks are required for local trust anchors" Which we had set to Enabled. As per the explanation "If Microsoft Edge can't get revocation status information, these certificates are treated as revoked ("hard-fail")." The moment I set this back to Not Configured, everything started working again.

 

So thank you for your excellent assistance.

 

Since I can't mark two posts as Best Response, and since I got the help I needed from you and from @mikhailf I hope you will both accept my thanks alone in this.

 

Mike Glassman

www.000webhost.com