
I am trying to set up an intranet website (osTicket ticketing solution). I want my users to connect automatically to the website, so they don't have to fill in their credentials. For this I have:

  • Created an IIS 10.0 server
  • Set up a DNS record in my domain's DNS
  • Created an SSL certificate for that URL using my domain's certificate authority
  • Bound the certificate to IIS
  • Added the site to the Intranet Zone through a GPO (SSL and this GPO should ensure that the user is not prompted for credentials in IE)
  • Set up authentication in IIS: NTLM only, no anonymous authentication

Everything is working as expected on a fresh computer. No SSL warning on IE, passthrough working for Chrome and IE.

However, if the computer has Microsoft Skype for Enterprise installed (or Office, I guess), an authentication certificate is created (I can see it in certmgr.msc under Personal > Certificates). If I try to connect to my intranet site, it is this certificate that is automatically used. As my local domain is different from the Office 365 domain, IIS doesn't accept the certificate and returns "403 Forbidden".

If I delete this certificate, everything will work until I launch Skype for Enterprise again and the certificate is created again.

In Chrome, it asks if I want to use the Skype certificate. If I accept, I get the 403 error. If I refuse, it works.

I'm out of ideas. How can I tell IE not to use the Skype certificate? Any other ideas would be welcome.

Thanks

Edit: By requesting a certificate from my CA in certmgr.msc, I can now choose a correct certificate in IE and Chrome. However, I only manage to create this certificate from the msc. I'm looking for a way to do it through a script so I can later apply it with a GPO. With certreq.exe my request parameters are not exactly the same, and I can't use the result in IE and Chrome.

  • What's the current setting of `` for this web site? https://docs.microsoft.com/en-us/iis/configuration/system.webserver/security/access – Lex Li Sep 04 '18 at 18:46
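The comment above points at the IIS `<access>` element. As an added example (not code from the question or the answer), this PowerShell reads that element's `sslFlags` for the site and, if client-certificate negotiation is enabled, restores `Ssl` only so the browser is never asked to present a certificate and falls through to Windows (NTLM) authentication. The site name `osTicket` is an assumption.

```powershell
# Added example: check and tighten <access sslFlags> for one IIS site.
# Assumption: the site is named "osTicket"; substitute your own site name.
Import-Module WebAdministration

$site   = 'osTicket'
$filter = 'system.webServer/security/access'

# <access> is locked at server level by default, so read/write it through a
# <location> tag in applicationHost.config rather than the site's web.config.
$current = [string](Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location $site -Filter $filter -Name 'sslFlags').Value
Write-Host "Current sslFlags for '$site': '$current'"

# With SslNegotiateCert or SslRequireCert, IIS requests a client certificate in the
# TLS handshake. The browser then auto-selects one from the user's Personal store
# (here the Lync/Skype certificate); IIS cannot validate it and answers 403.
if ($current -match 'SslNegotiateCert|SslRequireCert') {
    # Keep HTTPS required, drop client-certificate negotiation.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter $filter -Name 'sslFlags' -Value 'Ssl'
    Write-Host "sslFlags set to 'Ssl': client certificate negotiation disabled."
} else {
    Write-Host 'Client certificate negotiation is already off; nothing changed.'
}

# Confirm the authentication setup the question describes: Windows auth on, anonymous off.
$auth = 'system.webServer/security/authentication'
$win  = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter "$auth/windowsAuthentication" -Name 'enabled').Value
$anon = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name 'enabled').Value
Write-Host "windowsAuthentication enabled: $win; anonymousAuthentication enabled: $anon"
```

Run it in an elevated PowerShell on the IIS host; `Ssl` alone keeps HTTPS mandatory while leaving certificate selection to the server-side binding only.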

1 Answer


Finally, I found another way to solve the problem. I changed the store where Lync saves its certificate thanks to a registry key. It works for at least Office 15 and 16. You can easily apply it through a GPO.

https://blogs.technet.microsoft.com/dodeitte/2015/05/31/how-to-change-the-certificate-store-used-for-lync-client-certificates/
