This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
BMC Helix Remedyforce Service Desk
How Will Remedyforce SSO Users be Affected by the Microsoft Update Concerning the Trusted Root Certificate Program?
NOTE: This information comes from Salesforce, which controls what SSO is implemented and how, and is provided for the convenience of BMC Helix Remedyforce Service Desk customers.
This is to inform you of an upcoming Microsoft Windows update that will disrupt select Salesforce features when remote HTTPS endpoints that use the Microsoft Trusted Root Certificate Program request or require a client certificate for those features. Action is required to ensure that these Salesforce features continue to work.
What is the change and impact?
Symantec has announced that they will retire the "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" root certificate from public use. Salesforce's proxy.salesforce.com client certificate, which remote HTTPS endpoints use to authenticate requests made from Salesforce for select features, is signed by this root certificate.
Customers with remote HTTPS endpoints that use the Microsoft Trusted Root Certificate Program, which is updated by Windows Update, will be impacted if those endpoints request or require a client certificate for select Salesforce features.
An upcoming Windows update, planned for April 19, 2016, will distrust this root certificate, which will cause a disruption to the following Salesforce features when the update is applied.
When the upcoming Microsoft Windows update is applied, the impact is as follows:
| Feature | Impact |
|---|---|
| Delegated authentication | Affects customers who use this feature to delegate user authentication via mutually authenticated ("2-way") TLS. Impacted users who have the "Is Single Sign-On Enabled" user permission enabled in either their profile or in a permission set will be unable to log into Salesforce if mutually authenticated TLS is enforced. |
| SAML with default certificate | Users will not be able to log in to Salesforce if the following customer conditions are ALL true: |
| Workflow outbound messages | Outbound messages will collect in a queue instead of being delivered. This queue can be viewed via Setup on the Monitor \| Outbound Messages page. After performing corrective actions, the queued outbound messages are expected to get delivered. |
| AJAX proxy | Callouts from a web browser to an external endpoint via the AJAX proxy will fail. |
| PageReference.getContent() and PageReference.getContentAsPDF() | Calling these Apex methods will, depending on how the external endpoint handles this, fail, return an authorization error as the content, or return unexpected content. |
What action do I need to take?
To prepare for this change, you will need to transition over to a self-managed client certificate prior to installing the Windows update, planned for release on April 19, 2016, which will distrust the aforementioned root certificate.
See the Salesforce proxy.salesforce.com Client Certificate Impact article for more details.
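One way to check, on the Windows host that terminates TLS for the endpoint, whether a given client certificate chains to the retiring root and whether that host still trusts the chain. This is an added example, not code from Salesforce or BMC. The function name `Test-ClientCertRoot` and the file path in the usage line are hypothetical, and the certificate is assumed to have been exported to a file beforehand.

```powershell
# Added example, not Salesforce or BMC code. Test-ClientCertRoot and the path in
# the usage line are hypothetical names chosen for illustration.
function Test-ClientCertRoot {
    param([Parameter(Mandatory)][string]$Path)   # exported client certificate (.cer/.crt)

    # Subject of the root named in the notice, as .NET renders it (assumption: the
    # O value is quoted because it contains a comma). Anchored at both ends so the
    # later "... Certification Authority - G2/G3/G5" roots do not match.
    $retiring = '^OU=Class 3 Public Primary Certification Authority, O="?VeriSign, Inc\."?, C=US$'

    $file  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    # Only trust in the root is being tested, so skip revocation lookups.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    # Build() evaluates the chain against this host's own trust configuration,
    # so the result changes once the root is distrusted here.
    $trusted = $chain.Build($cert)
    $top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Subject           = $cert.Subject
        NotAfter          = $cert.NotAfter
        TopOfChain        = $top.Subject
        # Issuer is checked too, in case the host could only build a partial chain.
        UsesRetiringRoot  = ($top.Subject -match $retiring) -or ($top.Issuer -match $retiring)
        TrustedOnThisHost = $trusted
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (path is a placeholder):
# Test-ClientCertRoot -Path 'C:\certs\salesforce-client.cer'
```

A result with `UsesRetiringRoot = True` identifies a certificate that will stop validating on that host once the root is distrusted. Running the same check against the self-managed replacement should show `UsesRetiringRoot = False` and `TrustedOnThisHost = True`.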
Where can I get more information?
Review the articles and resources linked above for more information.
For additional questions, open a case with Support via the Help & Training portal.